Skip to content

Quick Start

Get scanning in under a minute.

1. Install Kingfisher

brew install kingfisher

uv tool install kingfisher-bin

docker run --rm -v "$PWD":/src ghcr.io/mongodb/kingfisher:latest scan /src

curl -sSL https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.ps1' -OutFile install-kingfisher.ps1
./install-kingfisher.ps1

For all installation options, see the Installation Guide.

2. Scan a Directory

kingfisher scan /path/to/code

Kingfisher automatically detects whether the path is a Git repo or plain directory.

3. View Results in Your Browser

kingfisher scan /path/to/code --view-report

You can also open existing Kingfisher, Gitleaks, or TruffleHog JSON reports with kingfisher view <report.json>.

If you want a shareable upload-based version, the docs site also hosts the report viewer.

4. Show Only Live Secrets

Filter to only secrets confirmed active by provider APIs:

kingfisher scan /path/to/code --only-valid

5. Map the Blast Radius

See exactly what resources a leaked credential can access:

kingfisher scan /path/to/code --access-map --view-report

6. Revoke a Compromised Secret

# Revoke a GitHub token
kingfisher revoke --rule github "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

# Revoke AWS credentials
kingfisher revoke --rule aws --arg "AKIAIOSFODNN7EXAMPLE" "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

7. Scan a GitHub Organization

KF_GITHUB_TOKEN="ghp_..." kingfisher scan github --organization my-org

8. Output JSON for CI/CD

kingfisher scan /path/to/code --format json --output findings.json

What's Next?