Kingfisher

Open Source Secret Scanner with Live Validation

Detect, validate, and revoke leaked credentials across your codebase, Git history, cloud storage, and developer platforms. Built in Rust by MongoDB.

734+ Detection Rules
39 Access Map Providers
15+ Scan Targets
20+ Revocation Providers

Why Kingfisher?

Scan Everything

Files, Git repos, GitHub, GitLab, Azure Repos, Bitbucket, Gitea, Hugging Face, Docker images, AWS S3, Google Cloud Storage, Jira, Confluence, Slack, and Microsoft Teams.

Live Validation

Automatically validate discovered credentials against provider APIs. Eliminate false positives by confirming which secrets are actually live and active.

Blast Radius Mapping

Go beyond detection. Map leaked keys to their effective cloud identities and exposed resources with --access-map. See exactly what an attacker could access.

Direct Revocation

Revoke compromised credentials directly from the CLI for 20+ providers including GitHub, GitLab, Slack, AWS, GCP, Heroku, and Cloudflare.

Built for Accuracy

Tree-sitter language-aware parsing across 13+ languages reduces false positives at the detection layer. Combined with entropy filtering, checksum verification, and live validation, Kingfisher delivers high-signal results you can act on.

Built for AI

Detects and validates tokens for 35+ AI/ML providers including OpenAI, Anthropic, Google Gemini, Mistral, Cohere, and more. Purpose-built TOON output format for token-efficient LLM and agent workflows.

Built for Speed

Rust-powered with Intel Hyperscan SIMD-accelerated regex. Multithreaded scanning handles massive codebases while making minimal network requests through intelligent validation.

Performance

Kingfisher scans the Linux kernel in 205 seconds and the GitLab monorepo with just 17 HTTP validation requests. Intelligent validation means fewer API calls and faster results at scale.

Kingfisher Runtime Comparison across major open source repositories

Scan Targets

Files / Dirs
Local Git
GitHub
GitLab
Azure Repos
Bitbucket
Gitea
Hugging Face
Docker
Jira
Confluence
Slack
Microsoft Teams
AWS S3
Google Cloud Storage

Install in Seconds

Homebrew

brew install kingfisher

PyPI

uv tool install kingfisher-bin

Docker

docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src

Script

curl -sSL https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash