Kingfisher: Find Every Leaked Secret in Your Stack and Revoke It Fast
Ever had that sinking feeling when you realize a secret key, API token, or database password got pushed to a public GitHub repo? You're not alone. Leaked credentials are one of the fastest ways to get pwned, and cleaning up after them is a nightmare if you don't know where they all ended up.
That's where Kingfisher comes in. It's a tool from MongoDB that hunts down leaked secrets across your entire stack—not just in source code, but in things like environment variables, logs, and container images. And it doesn't just find them; it helps you revoke them fast.
What It Does
Kingfisher is a command-line tool that scans multiple data sources for evidence of secret leaks. It works by:
- Searching through Git repositories (local history, branches, and even reflogs)
- Checking cloud storage like S3 buckets and GCS
- Looking at Docker images and container registries
- Scanning CI/CD logs and ticket systems (like Jira)
- Inspecting environment variables and config files
Once it finds a match, it tells you exactly where the secret lives, when it was exposed, and how to fix it. It even generates revocation and credential-refresh scripts for common services like AWS, Azure, and GitHub.
Why It's Cool
Most secret scanners are "find-only" tools. They dump a list of matches and leave you to figure out the cleanup. Kingfisher is different.
Here's what makes it stand out:
- Context-aware detection – It doesn't just regex for "AKIA" patterns. It understands the structure of different providers' secrets (e.g., AWS access keys have a specific checksum structure, GitHub tokens have a prefix pattern).
- Multiple data source support – You can point it at a GitHub repo, a local folder, a Docker image, or even a Slack archive.
- Revocation suggestions – For each leaked secret, Kingfisher shows the exact API call or UI steps to revoke it. No more Googling "how to rotate AWS key."
- Exportable reports – Output as JSON, CSV, or HTML for sharing with your team or compliance audits.
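To make the "context-aware detection", "revocation suggestions" and "exportable reports" bullets concrete, here is an added illustration in Python. It is not Kingfisher's code and makes no claim about its internals; the provider rules, the placeholder list, the entropy threshold and the sample files are all assumptions constructed for the example. The point it shows is that a bare "AKIA" substring is not a finding: a hit needs the right prefix, alphabet and length, must not be a documented example value, and is downgraded when its body has low entropy; each finding then carries a redacted value, its location and a revocation hint, and can be exported as JSON or CSV.

```python
"""Context-aware secret detection with redacted, exportable findings.

Added illustration, not Kingfisher's code. Provider rules (constructed here)
combine a structural pattern, a known-placeholder list and an entropy check.
"""
import csv
import io
import json
import math
import re
from collections import Counter
from dataclasses import asdict, dataclass, fields


@dataclass
class Finding:
    provider: str
    file: str
    line: int
    secret: str        # redacted form; the full value never reaches a report
    confidence: str    # "high" or "low"
    revoke: str        # operator-facing revocation hint


# Structural rules per provider (prefix + alphabet + length), not bare substrings.
RULES = {
    # AWS access key IDs: AKIA (long-term) / ASIA (temporary) + 16 base32 chars
    "aws": re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b"),
    # GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ prefix + 36 alphanumerics
    "github": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
}
PREFIX_LEN = {"aws": 4, "github": 4}

# Documented example values that are never live credentials (AWS docs sample key).
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE"}

# Revocation hints shown with each finding; <USER> is filled in by the operator.
REVOKE = {
    "aws": "aws iam update-access-key --status Inactive --access-key-id {id} "
           "--user-name <USER>; verify nothing breaks; then aws iam delete-access-key",
    "github": "GitHub > Settings > Developer settings > Personal access tokens > delete the token",
}


def shannon_entropy(s: str) -> float:
    """Bits per symbol; 0.0 for a constant string, log2(len) when all chars differ."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the first and last four characters of a matched value."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_files(files: dict) -> list:
    """Scan {path: text} and return Finding objects, one per validated match."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for provider, pattern in RULES.items():
                for m in pattern.finditer(line):
                    value = m.group(1)
                    if value in KNOWN_PLACEHOLDERS:
                        continue  # structurally valid but a known dummy
                    body = value[PREFIX_LEN[provider]:]
                    # Low-entropy bodies (e.g. AAAA...) are almost always test fixtures.
                    confidence = "high" if shannon_entropy(body) >= 3.0 else "low"
                    findings.append(Finding(
                        provider, path, lineno, redact(value), confidence,
                        REVOKE[provider].format(id=value),
                    ))
    return findings


def to_json(findings: list) -> str:
    return json.dumps([asdict(f) for f in findings], indent=2)


def to_csv(findings: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(Finding)])
    writer.writeheader()
    for f in findings:
        writer.writerow(asdict(f))
    return buf.getvalue()


# Constructed sample input: a real-looking key, a doc placeholder, a token, a fixture.
SAMPLE_FILES = {
    "config/prod.env": "DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAQ3JX7ZP2HMB5T4WR\n",
    "docs/readme.md": "Use AKIAIOSFODNN7EXAMPLE as shown in the AWS docs.\n",
    ".github/workflows/ci.yml": "env:\n  GH_TOKEN: ghp_Ab3dEfGh1JkLmN0pQrStUvWxYz0123456789\n",
    "src/test.py": "fake = 'AKIAAAAAAAAAAAAAAAAA'\n",
}

if __name__ == "__main__":
    print(to_json(scan_files(SAMPLE_FILES)))
```

Running it yields three findings: the production key (high), the CI token (high) and the all-A fixture (low); the documented AWS example key is dropped as a placeholder. Reports carry only the redacted value, so a JSON or CSV file handed to a team or an auditor does not itself become a second leak.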
How to Try It
Getting started takes 30 seconds. You need Go 1.21+ and git installed.
# Install
go install github.com/mongodb/kingfisher@latest
# Scan a local repo
kingfi