Quick Start¶

Get scanning in under a minute.

1. Install Kingfisher¶

HomebrewPyPIDockerScript (Linux/macOS)PowerShell (Windows)

brew install kingfisher

uv tool install kingfisher-bin

docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src

curl -sSL https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.ps1' -OutFile install-kingfisher.ps1
./install-kingfisher.ps1

For all installation options, see the Installation Guide.

2. Scan a Directory¶

kingfisher scan /path/to/code

Kingfisher automatically detects whether the path is a Git repo or plain directory.

3. View Results in Your Browser¶

kingfisher scan /path/to/code --view-report

4. Show Only Live Secrets¶

Filter to only secrets confirmed active by provider APIs:

kingfisher scan /path/to/code --only-valid

5. Map the Blast Radius¶

See exactly what resources a leaked credential can access:

kingfisher scan /path/to/code --access-map --view-report

6. Revoke a Compromised Secret¶

# Revoke a GitHub token
kingfisher revoke --rule github "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Revoke AWS credentials
kingfisher revoke --rule aws --arg "AKIAIOSFODNN7EXAMPLE" "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

7. Scan a GitHub Organization¶

KF_GITHUB_TOKEN="ghp_..." kingfisher scan github --organization my-org

8. Output JSON for CI/CD¶

kingfisher scan /path/to/code --format json --output findings.json

What's Next?¶

Basic Scanning — full scanning guide with all options
Platform Integrations — GitHub, GitLab, S3, Docker, Slack, and more
Writing Custom Rules — create detection rules for your own patterns
Access Map — blast radius mapping for 39 providers