2026

Real-time Secret Alerts: Webhooks for Slack, Teams, Discord, Mattermost, and Google Chat

A scanner that finds secrets in CI is only useful if a human sees the result in time to act on it. The default outcome — a JSON file in an artifact bucket that nobody opens until the next incident — is roughly the same as not running the scanner at all.

Kingfisher now closes that gap with first-class webhook alerting for the five major team chat platforms plus a generic JSON sink, all configurable from a single CLI flag or a project-local kingfisher.yaml.

Scanning Postman for Leaked Secrets — Including the Ones the UI Hides

Postman is everywhere — across backend teams, mobile teams, partner integrations, and the public Postman API Network. It is also a quietly prolific leak surface. CloudSEK's December 2024 audit found over 30,000 public Postman workspaces leaking access tokens across GitHub, Slack, Salesforce, Stripe, and Razorpay, among others. Postman themselves now run server-side secret scans on public content, which tells you everything you need to know about how often this happens.

Kingfisher now scans Postman workspaces directly — and finds credentials that other scanners miss, because most other tools only scan collection exports a developer has dropped into a repo. They never see the live workspace.

Beyond Detection: Live Validation, Blast Radius, and One-Command Revocation

A regex hit is the easy part. Any scanner can tell you that a string looks like an AWS access key or a GitHub token. The harder question is what to do next, and that is usually what turns a scan result into either a routine cleanup task or a real incident.

Kingfisher answers the three questions that actually matter:

  1. Is this credential alive right now?
  2. What can it reach?
  3. Can we revoke it from here?

Scanning an Entire GitHub Organization for Leaked Secrets

Most organizations have more GitHub surface area than they think: active services, abandoned repositories, internal tooling, forks, experiments, and projects inherited through acquisitions. A credential leaked in a five-year-old archived repo can still be live today.

Kingfisher can enumerate every repository in a GitHub organization, scan the full git history, and then validate which credentials are still live so you can focus on what needs rotation first.