kingfisher
kingfisher is a blazingly fast secret-scanning and live validation tool built in Rust. It combines Intel's SIMD-accelerated regex engine (Hyperscan) with language-aware parsing to achieve high accuracy at massive scale, and ships with hundreds of built-in rules to detect, validate, and triage secrets before they ever reach production.
Key Features:
- Performance: multithreaded, Hyperscan-powered scanning built for huge codebases
- Extensible rules: hundreds of built-in detectors plus YAML-defined custom rules (docs/RULES.md)
- Blast Radius Mapping: instantly map leaked keys to their effective cloud identities and exposed resources with --access-map
- Broad AI SaaS coverage: finds and validates tokens for OpenAI, Anthropic, Google Gemini, Cohere, AWS Bedrock, Voyage AI, Mistral, Stability AI, Replicate, xAI (Grok), Ollama, Langchain, Perplexity, Weights & Biases, Cerebras, Friendli, Fireworks.ai, NVIDIA NIM, Together.ai, Zhipu, and many more
- Compressed Files: Supports extracting and scanning compressed files for secrets
- Baseline management: generate and track baselines to suppress known secrets (docs/BASELINE.md)
- Checksum-aware detection: verifies tokens with built-in checksums (e.g., GitHub, Confluent, Zuplo) — no API calls required
- Built-in Report Viewer: Visualize and triage findings locally with kingfisher view ./report-file.json
kingfisher documentation
- Version in MegaLinter: 1.102.0
- Visit Official Web Site
- See How to disable kingfisher rules in files
- See Index of problems detected by kingfisher
Configuration in MegaLinter
- Enable kingfisher by adding REPOSITORY_KINGFISHER in ENABLE_LINTERS variable
- Disable kingfisher by adding REPOSITORY_KINGFISHER in DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| REPOSITORY_KINGFISHER_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: `-s --foo "bar"` | |
| REPOSITORY_KINGFISHER_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter. Ex: `-s --foo "bar"` | |
| REPOSITORY_KINGFISHER_CLI_LINT_MODE | Override default CLI lint mode. ⚠️ As default value is project, overriding might not work. file: calls the linter for each file; list_of_files: calls the linter with the list of files as argument; project: calls the linter from the root of the project | project |
| REPOSITORY_KINGFISHER_PRE_COMMANDS | List of bash commands to run before the linter | None |
| REPOSITORY_KINGFISHER_POST_COMMANDS | List of bash commands to run after the linter | None |
| REPOSITORY_KINGFISHER_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_KINGFISHER and its pre/post commands | None |
| REPOSITORY_KINGFISHER_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| REPOSITORY_KINGFISHER_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| REPOSITORY_KINGFISHER_CLI_EXECUTABLE | Override CLI executable | ['kingfisher'] |
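A `.mega-linter.yml` that wires the variables above together, added here as an example rather than taken from the MegaLinter docs. It assumes `KF_GITHUB_TOKEN` is provided by the CI secret store, and uses `--no-update-check` from kingfisher's own help output so a CI run never tries to fetch a new binary mid-scan.

```yaml
# .mega-linter.yml (added example, not from the MegaLinter documentation)
ENABLE_LINTERS:
  - REPOSITORY_KINGFISHER

# Extra flags added to the kingfisher CLI call (see REPOSITORY_KINGFISHER_ARGUMENTS).
# --no-update-check is a kingfisher global option: CI should run the pinned
# binary from the Docker image, not reach out for releases during a scan.
REPOSITORY_KINGFISHER_ARGUMENTS: "--no-update-check"

# MegaLinter strips token-like env vars before calling linters. Explicitly
# pass KF_GITHUB_TOKEN through so GitHub validation calls are authenticated
# and not throttled by the unauthenticated rate limit.
# (assumes the token is injected by the CI secret store)
REPOSITORY_KINGFISHER_UNSECURED_ENV_VARIABLES:
  - KF_GITHUB_TOKEN

# Keep secret findings blocking: a leaked credential should fail the pipeline.
REPOSITORY_KINGFISHER_DISABLE_ERRORS: false
REPOSITORY_KINGFISHER_DISABLE_ERRORS_IF_LESS_THAN: 0
```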
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 136 |
| security | Optimized for security | 25 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
kingfisher is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables; it must be done using kingfisher configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make kingfisher analyze only updated files
Example calls
kingfisher scan .
Help content
Kingfisher - Detect and validate secrets across files and full Git history
Usage: kingfisher [OPTIONS] <COMMAND>
Commands:
scan Scan content for secrets and sensitive information
rules Manage rules
validate Directly validate a known secret against a rule's validator (bypasses pattern
matching)
revoke Directly revoke a known secret against a rule's revocation config
access-map Map a cloud credential to its identity, permissions, and blast radius
view View Kingfisher JSON/JSONL reports in a local web UI
config Generate or inspect `kingfisher.yaml` project config files
update Update the Kingfisher binary
help Print this message or the help of the given subcommand(s)
Options:
-h, --help Print help (see more with '--help')
-V, --version Print version
Global Options:
-v, --verbose... Enable verbose output (up to 3 times for more detail)
-q, --quiet Suppress non-error messages and disable progress bars
--tls-mode <TLS_MODE> TLS certificate validation mode for secret validation requests
[default: strict] [possible values: strict, lax, off]
--allow-internal-ips Allow validation requests to internal/private IP addresses
--self-update Update the Kingfisher binary to the latest release
--no-update-check Disable automatic update checks
--user-agent-suffix <SUFFIX> Append a custom suffix to the default Kingfisher user-agent
string
--endpoint <PROVIDER=URL> Override provider API endpoints for validation/revocation
(PROVIDER=URL), repeatable
--endpoint-config <FILE> YAML file containing provider endpoint overrides
--config <FILE> Path to a `kingfisher.yaml` project config file
Installation on mega-linter Docker image
- Dockerfile commands:
# renovate: datasource=github-tags depName=mongodb/kingfisher
ARG REPOSITORY_KINGFISHER_VERSION=1.102.0
RUN curl --silent --location https://raw.githubusercontent.com/mongodb/kingfisher/main/scripts/install-kingfisher.sh | bash -s -- /usr/local/bin --tag "v${REPOSITORY_KINGFISHER_VERSION}"
Known errors and resolutions
When this linter fails for a known non-lint reason (remote service unavailable, malformed config, missing credentials, etc.), MegaLinter detects the pattern below in the linter output and surfaces the matching guidance.
REPOSITORY_KINGFISHER_ERROR_GITHUB_API_RATE_LIMIT
Detection pattern (regex):
(API rate limit exceeded|GitHub API.*rate limit|secondary rate limit)
Resolution guidance:
kingfisher hit the GitHub API rate limit while resolving or validating findings.
This is an API quota issue, not a code finding.
Resolutions:
- Provide a token via `KF_GITHUB_TOKEN` to raise the rate limit. Because MegaLinter strips token-like env vars by default, you must also whitelist it for this linter in your .mega-linter.yml:
REPOSITORY_KINGFISHER_UNSECURED_ENV_VARIABLES:
- KF_GITHUB_TOKEN
- Retry the run later once the quota resets.
- Temporarily mark the linter as non-blocking by adding to your .mega-linter.yml:
DISABLE_ERRORS_LINTERS:
- REPOSITORY_KINGFISHER
REPOSITORY_KINGFISHER_ERROR_GITHUB_TOKEN_UNAUTHORIZED
Detection pattern (regex):
(401 Unauthorized|Bad credentials)
Resolution guidance:
kingfisher could not authenticate to the GitHub API while validating a secret or fetching repo metadata.
Resolutions:
- Verify `KF_GITHUB_TOKEN` is set, is not expired, and is whitelisted for this linter (MegaLinter strips token-like env vars by default):
REPOSITORY_KINGFISHER_UNSECURED_ENV_VARIABLES:
- KF_GITHUB_TOKEN
- For org-scoped resources, ensure the token has the required scopes (e.g. `repo`, `read:org`).
REPOSITORY_KINGFISHER_ERROR_RULES_LOAD_FAILED
Detection pattern (regex):
(Failed to load (builtin )?rules|Failed to parse YAML from|Failed to build regex|Unknown rule:)
Resolution guidance:
kingfisher failed to load its detection rules. This typically means a custom YAML rules file passed via `--rules-path` is malformed.
Resolutions:
- Remove the custom rules path and rely on the built-in rules.
- Validate your custom YAML rules against `docs/RULES.md` in the kingfisher repo.
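To show how the detection patterns above are applied, here is an added Python example (not MegaLinter's own code) that runs the three regexes from this page over constructed sample linter output and reports which known error, if any, fired. Sample output lines are constructed for illustration.

```python
import re

# Detection patterns copied verbatim from the "Known errors and resolutions"
# section, keyed by the error identifier whose guidance they trigger.
KNOWN_ERRORS = {
    "REPOSITORY_KINGFISHER_ERROR_GITHUB_API_RATE_LIMIT": re.compile(
        r"(API rate limit exceeded|GitHub API.*rate limit|secondary rate limit)"
    ),
    "REPOSITORY_KINGFISHER_ERROR_GITHUB_TOKEN_UNAUTHORIZED": re.compile(
        r"(401 Unauthorized|Bad credentials)"
    ),
    "REPOSITORY_KINGFISHER_ERROR_RULES_LOAD_FAILED": re.compile(
        r"(Failed to load (builtin )?rules|Failed to parse YAML from|"
        r"Failed to build regex|Unknown rule:)"
    ),
}

# Short guidance per error, paraphrased from the page's resolution text.
GUIDANCE = {
    "REPOSITORY_KINGFISHER_ERROR_GITHUB_API_RATE_LIMIT":
        "API quota issue, not a code finding: provide KF_GITHUB_TOKEN or retry later.",
    "REPOSITORY_KINGFISHER_ERROR_GITHUB_TOKEN_UNAUTHORIZED":
        "Check KF_GITHUB_TOKEN is set, unexpired, whitelisted and has the needed scopes.",
    "REPOSITORY_KINGFISHER_ERROR_RULES_LOAD_FAILED":
        "Custom --rules-path YAML is likely malformed; validate it or drop it.",
}


def classify_linter_output(output: str) -> list[str]:
    """Return identifiers of every known error whose pattern matches anywhere
    in the linter's combined stdout/stderr, in page order. An empty list means
    the failure (if any) is a real finding or an unrecognised error."""
    return [key for key, rx in KNOWN_ERRORS.items() if rx.search(output)]


def explain(output: str) -> list[tuple[str, str]]:
    """Pair each detected known error with its resolution guidance."""
    return [(key, GUIDANCE[key]) for key in classify_linter_output(output)]


# Constructed sample output, imitating what a failed kingfisher run might print.
SAMPLE_RATE_LIMIT = "scan aborted: GitHub API request failed: secondary rate limit reached\n"
SAMPLE_UNAUTH = "validation error for github token: 401 Unauthorized\n"
SAMPLE_RULES = "Failed to parse YAML from rules/custom.yml: mapping values not allowed\n"
SAMPLE_CLEAN = "Found 3 secrets (2 active, 1 inactive)\n"  # real findings, no infra error

if __name__ == "__main__":
    for name, text in [("rate", SAMPLE_RATE_LIMIT), ("auth", SAMPLE_UNAUTH),
                       ("rules", SAMPLE_RULES), ("clean", SAMPLE_CLEAN)]:
        print(name, explain(text) or "no known infrastructure error")
```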
