Skip to content

Report Viewer & Triager

Kingfisher ships a browser-based report viewer and triager for three formats:

  • Kingfisher JSON / JSONL — with full access_map blast-radius data when available
  • Gitleaks JSON
  • TruffleHog JSON / JSONL — verified findings are surfaced as active credentials

The same UI is available two ways:

Both render reports entirely client-side. Nothing about the uploaded report leaves the browser.

Why a visual viewer/triager matters

Gitleaks and TruffleHog are great at emitting candidate matches; Kingfisher goes further by live-validating and mapping blast radius. But all three produce JSON, and raw JSON is not how a human decides which finding to rotate first. The viewer turns that output into a triage workflow:

  • Skim at a glance — findings are grouped by detector, rule, file, and repository with counts and validation state, instead of one JSON object per line in a terminal.
  • Cross-tool triage in one place — import a Gitleaks scan, a TruffleHog scan, and a Kingfisher scan of the same codebase and look at them side-by-side with deduplication, rather than reconciling three different schemas by hand.
  • Rotate real secrets first — validated Kingfisher findings and TruffleHog-verified findings are surfaced as active credentials; unverified/static matches are marked as not attempted.
  • Dedup automatically — the same secret appearing across multiple reports, directories, or scan runs collapses to one entry by fingerprint / secret identity.
  • See blast radius — when a Kingfisher report was generated with --access-map, the viewer renders the identity, permissions, and resources the credential can reach, so you can tell apart a dev token from a production admin key.
  • Share and archive — export filtered subsets for tickets, rotation runbooks, or audit reviewers.

Tools like Gitleaks and TruffleHog surface candidates. Kingfisher's viewer helps you decide which ones matter — and it works with their output, not just its own.

Using the local viewer via the kingfisher CLI

The local viewer is part of the kingfisher binary — no separate install, no network calls.

# Open a Kingfisher scan report
kingfisher view kingfisher.json

# Import a Gitleaks JSON report
kingfisher view gitleaks-report.json

# Import a TruffleHog JSON or JSONL report
kingfisher view trufflehog-report.jsonl

# Combine multiple reports — deduplicated by fingerprint / secret identity
kingfisher view kingfisher.json gitleaks.json trufflehog.jsonl

# Or load every JSON/JSONL report in a directory (non-recursive)
kingfisher view ./reports/

kingfisher view starts a tiny local web server on 127.0.0.1:7890 and opens the browser automatically. Use --port to pick another port and --address 0.0.0.0 to expose the viewer from a container or remote host.

You can also chain scanning and viewing in a single step:

# Scan and open the report in the browser when it finishes
kingfisher scan /path/to/code --view-report

# Same, but bind to all interfaces and a specific port (useful in Docker)
kingfisher scan /path/to/code \
  --view-report \
  --view-report-address 0.0.0.0 \
  --view-report-port 7891

Using the hosted viewer

The docs site publishes a static, upload-based copy of the viewer at:

https://mongodb.github.io/kingfisher/viewer/

Drag a Kingfisher, Gitleaks, or TruffleHog JSON report into the page (or use the file picker) to triage it in your browser. You can also merge multiple reports in one session by uploading them one after another — duplicates collapse automatically. It's useful when you want to:

  • Triage a report on a machine that doesn't have Kingfisher installed
  • Show a finding with its blast-radius context without shipping the raw JSON around

Sample data

You can test the hosted page with a bundled sample report:

Caveats for imported Gitleaks / TruffleHog reports

  • Imported reports are display-oriented. They do not carry Kingfisher-native access_map data or drive kingfisher validate / kingfisher revoke.
  • Fingerprints on imported findings use the importer's normalization, not Kingfisher's native fingerprinting.
  • TruffleHog findings marked as verified are shown as active credentials; all other imported findings are treated as not attempted rather than inactive.
  • For full validation and blast-radius mapping, re-scan the source with Kingfisher and (when authorized) add --access-map.

Gitleaks and TruffleHog are both widely used open-source secret scanners with their own strengths; Kingfisher's viewer reads their standard JSON output so teams that already run them can pull those findings into the same triage workflow. Kingfisher is not affiliated with or endorsed by the Gitleaks project or Truffle Security Co.; TruffleHog and Gitleaks are trademarks of their respective owners.