kingfisher
kingfisher is a blazingly fast secret-scanning and live validation tool built in Rust. It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and ships with hundreds of built-in rules to detect, validate, and triage secrets before they ever reach production.
Key Features:
- Performance: multithreaded, Hyperscan-powered scanning built for huge codebases
- Extensible rules: hundreds of built-in detectors plus YAML-defined custom rules (docs/RULES.md)
- Blast Radius Mapping: instantly map leaked keys to their effective cloud identities and exposed resources with --access-map
- Broad AI SaaS coverage: finds and validates tokens for OpenAI, Anthropic, Google Gemini, Cohere, AWS Bedrock, Voyage AI, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights & Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, Together.ai, Zhipu, and many more
- Compressed Files: Supports extracting and scanning compressed files for secrets
- Baseline management: generate and track baselines to suppress known secrets (docs/BASELINE.md)
- Checksum-aware detection: verifies tokens with built-in checksums (e.g., GitHub, Confluent, Zuplo) — no API calls required
- Built-in Report Viewer: Visualize and triage findings locally with kingfisher view ./report-file.json
kingfisher documentation
- Version in MegaLinter: 1.72.0
- Visit Official Web Site
- See How to disable kingfisher rules in files
- See Index of problems detected by kingfisher
Configuration in MegaLinter
- Enable kingfisher by adding `REPOSITORY_KINGFISHER` in ENABLE_LINTERS variable
- Disable kingfisher by adding `REPOSITORY_KINGFISHER` in DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_KINGFISHER_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_KINGFISHER_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| REPOSITORY_KINGFISHER_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As default value is `project`, overriding might not work. `file`: calls the linter for each file; `list_of_files`: calls the linter with the list of files as argument; `project`: calls the linter from the root of the project | `project` |
| REPOSITORY_KINGFISHER_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_KINGFISHER_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_KINGFISHER_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_KINGFISHER and its pre/post commands | None |
| REPOSITORY_KINGFISHER_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
| REPOSITORY_KINGFISHER_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |
| REPOSITORY_KINGFISHER_CLI_EXECUTABLE | Override CLI executable | `['kingfisher']` |
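A minimal `.mega-linter.yml` that wires these variables together, written here as an added example (it is not taken from the MegaLinter or kingfisher documentation). The only kingfisher flags it passes are ones shown in the help text on this page (`--no-update-check`, `-q`); the pre-command entry uses MegaLinter's `command`/`cwd` object form for PRE_COMMANDS.

```yaml
# .mega-linter.yml  (added example, not part of the MegaLinter or kingfisher docs)
# Enables the kingfisher descriptor and tunes it through the variables listed above.
ENABLE_LINTERS:
  - REPOSITORY_KINGFISHER

# Extra arguments appended to the `kingfisher scan .` call MegaLinter makes.
# --no-update-check keeps the CI run hermetic (no outbound release lookup);
# -q drops progress bars from the job log.
REPOSITORY_KINGFISHER_ARGUMENTS: "--no-update-check -q"

# Weak setting, deliberately NOT used:
#   REPOSITORY_KINGFISHER_ARGUMENTS: "--ignore-certs"
# Live validation sends the candidate tokens it finds to the providers' APIs.
# Disabling TLS certificate validation in that path lets an on-path attacker
# read the very secrets the scan is supposed to protect.

# Any finding fails the job. Raise DISABLE_ERRORS_IF_LESS_THAN only while a
# baseline is still being built; a secret reported as a warning still lands
# on the default branch.
REPOSITORY_KINGFISHER_DISABLE_ERRORS: false
REPOSITORY_KINGFISHER_DISABLE_ERRORS_IF_LESS_THAN: 0

# Pre/post commands run as bash in the MegaLinter container. Environment
# variables are filtered out before the linter and these commands run unless
# named in REPOSITORY_KINGFISHER_UNSECURED_ENV_VARIABLES; leave that list
# empty so CI credentials stay out of the scanner's process.
REPOSITORY_KINGFISHER_PRE_COMMANDS:
  - command: kingfisher --version
    cwd: workspace
```

Because this linter runs in `project` mode, MegaLinter's file-filtering variables (for example `FILTER_REGEX_EXCLUDE`) do not narrow what kingfisher sees; exclusions must be expressed in kingfisher's own configuration or ignore file.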
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 133 |
| security | Optimized for security | 25 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
kingfisher is called once on the whole project directory (`project` CLI lint mode)
- filtering can not be done using MegaLinter configuration variables; it must be done using kingfisher configuration or ignore file (if existing)
- `VALIDATE_ALL_CODEBASE: false` doesn't make kingfisher analyze only updated files
Example calls
```shell
kingfisher scan .
```
Help content
```text
Kingfisher - Detect and validate secrets across files and full Git history

Usage: kingfisher [OPTIONS] <COMMAND>

Commands:
  scan         Scan content for secrets and sensitive information
  rules        Manage rules
  access-map   Map a cloud credential to its identity, permissions, and blast radius
  view         View Kingfisher JSON/JSONL reports in a local web UI
  self-update  Update the Kingfisher binary
  help         Print this message or the help of the given subcommand(s)

Options:
  -h, --help     Print help
  -V, --version  Print version

Global Options:
  -v, --verbose...               Enable verbose output (up to 3 times for more detail)
  -q, --quiet                    Suppress non-error messages and disable progress bars
      --ignore-certs             Ignore TLS certificate validation
      --self-update              Update the Kingfisher binary to the latest release
      --no-update-check          Disable automatic update checks
      --user-agent-suffix <SUFFIX>  Append a custom suffix to the default Kingfisher user-agent string
```
Installation on mega-linter Docker image
- Dockerfile commands:
```dockerfile
# renovate: datasource=github-tags depName=mongodb/kingfisher
ARG REPOSITORY_KINGFISHER_VERSION=1.72.0
RUN curl --silent --location https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash -s -- /usr/local/bin --tag "v${REPOSITORY_KINGFISHER_VERSION}"
```
Note that only the binary release tag is pinned here; the installer script itself is fetched from the `main` branch at image build time and piped straight into bash without verification.