Disclosure: I’m the author/maintainer of Kingfisher.

Kingfisher is an Apache-2.0 OSS secret scanner built in Rust that combines Hyperscan (SIMD regex) with tree-sitter parsing to improve context/accuracy, and it can validate detected creds in real time against provider APIs so you can prioritize active leaks. It’s designed to run entirely on-prem so secrets don’t get shipped to a third-party service.

Core Features

• Hundreds of built-in rules (AI APIs, cloud providers, databases, DevOps tools)
• Live validation against third-party APIs confirms credentials are active
• Direct revocation of leaked creds: kingfisher revoke --rule github "ghp_..."
• Can scan for secrets locally, github, gitlab, azure repos, bitbucket, gitea, hugging face, s3, gcs, docker, jira, confluence, slack
• Built-in local-only HTML findings viewer kingfisher scan /tmp --view-report
• Blast Radius mapping to show what a credential could actually access: kingfisher scan /tmp --access-map --view-report

Scan Targets

• Git repos (full history), GitHub/GitLab/Azure Repos/Bitbucket/Gitea/Hugging Face orgs
• AWS S3, GCS, Docker images, Jira, Confluence, Slack

Try It

• brew install kingfisher or uv tool install kingfisher-bin
• github.com/mongodb/kingfisher

Apache 2 Open-Source