Find every leaked secret in your stack and revoke them fast
Kingfisher: Find Every Leaked Secret in Your Stack and Revoke It Fast

Ever had that sinking feeling when you realize a secret key, API token, or database password got pushed to a public GitHub repo? You're not alone. Leaked credentials are one of the fastest ways to get pwned, and cleaning up after them is a nightmare if you don't know where they all ended up.

That's where Kingfisher comes in. It's a tool from MongoDB that hunts down leaked secrets across your entire stack—not just in source code, but in things like environment variables, logs, and container images. And it doesn't just find them; it helps you revoke them fast.

What It Does

Kingfisher is a command-line tool that scans multiple data sources for evidence of secret leaks. It works by:

  • Searching through Git repositories (local history, branches, and even reflogs)
  • Checking cloud storage like S3 buckets and GCS
  • Looking at Docker images and container registries
  • Scanning CI/CD logs and ticket systems (like Jira)
  • Inspecting environment variables and config files

Once it finds a match, it tells you exactly where the secret lives, when it was exposed, and how to fix it. It can even generate scripts that rotate the exposed credential for common services such as AWS, Azure, and GitHub.

Why It's Cool

Most secret scanners are "find-only" tools. They dump a list of matches and leave you to figure out the cleanup. Kingfisher is different.

Here's what makes it stand out:

  • Context-aware detection – It doesn't just regex for "AKIA" patterns. It understands the structure of different providers' secrets (e.g., AWS access keys have a specific checksum structure, GitHub tokens have a prefix pattern).
  • Multiple data source support – You can point it at a GitHub repo, a local folder, a Docker image, or even a Slack archive.
  • Revocation suggestions – For each leaked secret, Kingfisher shows the exact API call or UI steps to revoke it. No more Googling "how to rotate AWS key."
  • Exportable reports – Output as JSON, CSV, or HTML for sharing with your team or compliance audits.
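To make the "context-aware detection" point concrete, here is an added example (my own illustration, not Kingfisher's code) of the difference between a bare regex hit and a structurally validated one. Classic GitHub tokens carry a six-character checksum (CRC32 of the 30 random characters, base62-encoded), so a scanner can verify that a candidate is a real token and not a truncated or mangled string; for AWS access key IDs the example adds an entropy check of my own to discard obvious placeholders like AKIA followed by sixteen X's, which is a heuristic, not an AWS-defined structure. All sample input is constructed.

```python
import re
import zlib
from collections import Counter
from dataclasses import dataclass
from math import log2

# Alphabet GitHub uses for the 6-character token checksum (base62).
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Classic GitHub tokens: 3-letter prefix + '_' + 30 random chars + 6-char checksum.
GITHUB_TOKEN_RE = re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b")
# AWS long-term access key IDs: 'AKIA' + 16 uppercase base32 characters.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def base62_encode(n: int, width: int) -> str:
    """Base62-encode a non-negative integer, left-padded with '0' to `width`."""
    digits = ""
    while n:
        n, rem = divmod(n, 62)
        digits = BASE62[rem] + digits
    return digits.rjust(width, "0")


def github_checksum(body: str) -> str:
    """Checksum GitHub appends to classic tokens: CRC32 of the 30 random chars, base62, 6 wide."""
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF, 6)


def github_token_is_structurally_valid(token: str) -> bool:
    """True only if the token matches the format AND its embedded checksum verifies."""
    if not GITHUB_TOKEN_RE.fullmatch(token):
        return False
    body, checksum = token[4:34], token[34:40]
    return github_checksum(body) == checksum


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the sample string."""
    n = len(s)
    return -sum(c / n * log2(c / n) for c in Counter(s).values())


def aws_key_is_plausible(key: str, min_entropy: float = 3.0) -> bool:
    """Heuristic of my own (not an AWS-defined check): reject placeholders such as
    AKIA followed by 16 identical characters, whose tail has near-zero entropy."""
    if not AWS_KEY_RE.fullmatch(key):
        return False
    return shannon_entropy(key[4:]) >= min_entropy


@dataclass
class Finding:
    rule: str
    line_no: int
    preview: str      # masked: prefix only, never the full secret
    validated: bool   # passed the structural check, not just the regex


RULES = (
    ("github-classic-token", GITHUB_TOKEN_RE, github_token_is_structurally_valid),
    ("aws-access-key-id", AWS_KEY_RE, aws_key_is_plausible),
)


def scan_text(text: str) -> list[Finding]:
    """Every regex hit, tagged with whether it survived the structural check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, validator in RULES:
            for match in pattern.finditer(line):
                candidate = match.group(0)
                findings.append(Finding(rule, line_no, candidate[:8] + "...", validator(candidate)))
    return findings


def confirmed_findings(text: str) -> list[Finding]:
    """What a context-aware scanner would actually report."""
    return [f for f in scan_text(text) if f.validated]


# --- constructed demo input (not real credentials) ---
_DEMO_BODY = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5"            # 30 chars
DEMO_GITHUB_TOKEN = "ghp_" + _DEMO_BODY + github_checksum(_DEMO_BODY)
# Flip one body character: CRC32 catches any single-character change, so the checksum no longer matches.
TAMPERED_GITHUB_TOKEN = "ghp_" + _DEMO_BODY[:-1] + "Z" + github_checksum(_DEMO_BODY)
AWS_PLACEHOLDER = "AKIA" + "X" * 16
AWS_REALISTIC = "AKIAQ3R7TZ2MJ5N8VK4B"

SAMPLE_TEXT = f"""# constructed .env-style sample
GITHUB_TOKEN={DEMO_GITHUB_TOKEN}
OLD_TOKEN={TAMPERED_GITHUB_TOKEN}
AWS_ACCESS_KEY_ID={AWS_PLACEHOLDER}
AWS_ACCESS_KEY_ID_PROD={AWS_REALISTIC}
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_TEXT)
    print(f"regex hits: {len(hits)}, confirmed: {sum(f.validated for f in hits)}")
    for f in confirmed_findings(SAMPLE_TEXT):
        print(f"  line {f.line_no}: {f.rule} {f.preview}")
```

Run on the constructed sample, the plain regexes fire four times but only two findings survive validation: the token with a corrupted body fails its checksum, and the all-X AWS key fails the entropy check. Note the limits of the heuristic side: a realistic-looking documentation key would pass the entropy test, so real scanners layer further context (surrounding variable names, file paths such as test fixtures) on top.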

How to Try It

Getting started takes 30 seconds. You need Go 1.21+ and git installed.

# Install
go install github.com/mongodb/kingfisher@latest

# Scan a local repo
kingfisher scan ./my-project

# Scan a Docker image
kingfisher scan --docker myapp:latest

# Scan environment variables
kingfisher scan --env

# Output a report
kingfisher scan ./my-project --format json > report.json

For full docs, check the GitHub README. It covers things like scanning GitHub orgs, S3 buckets, and even setting up scheduled scans in CI.

Final Thoughts

Kingfisher is not a silver bullet—no tool is. But it fills a real gap: finding secrets that have already leaked and helping you clean them up. If you've ever had to manually grep through 50 branches or scroll through CloudTrail logs to find a compromised key, you'll appreciate this.

I'd recommend adding it to your CI pipeline as a periodic scan (weekly, or after every major merge). It's also great for auditing third-party dependencies or vendor containers before you deploy them.
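As an added example of the CI integration suggested above (my own script, not part of Kingfisher), the following gate consumes a JSON report such as the one produced by `kingfisher scan ./my-project --format json > report.json` and fails the build only on findings that are not already in a reviewed baseline. The report schema is an assumption: each finding is taken to be an object with `rule`, `path`, `line` and `secret` keys, so adapt the field names to the real output. The baseline stores only SHA-256 fingerprints, never the secrets themselves. The sample report is constructed.

```python
import hashlib
import json
import sys
from pathlib import Path

# Assumed report shape (hypothetical; map to the scanner's real field names):
# [{"rule": "...", "path": "...", "line": 12, "secret": "..."}, ...]


def fingerprint(finding: dict) -> str:
    """Stable id for a finding that never exposes the secret: sha256 over rule|path|secret."""
    material = "|".join([finding["rule"], finding["path"], finding["secret"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def load_report(report_text: str) -> list[dict]:
    """Parse the scanner's JSON report; we expect a top-level array of findings."""
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("report must be a JSON array of findings")
    return findings


def load_baseline(baseline_text: str) -> set[str]:
    """One accepted fingerprint per line; blank lines and '#' comments are ignored."""
    return {
        line.strip()
        for line in baseline_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def triage(findings: list[dict], baseline: set[str]) -> tuple[list[dict], list[dict]]:
    """Split findings into (new, already-accepted) using the baseline fingerprints."""
    new, known = [], []
    for finding in findings:
        (known if fingerprint(finding) in baseline else new).append(finding)
    return new, known


def gate(report_text: str, baseline_text: str = "") -> int:
    """Exit status for CI: 0 when every finding is baselined, 1 when anything new appears."""
    new, known = triage(load_report(report_text), load_baseline(baseline_text))
    for finding in new:
        # Print location and a short fingerprint, never the secret itself, so CI logs stay clean.
        print(f"NEW  {finding['rule']:<24} {finding['path']}:{finding['line']}"
              f"  fingerprint={fingerprint(finding)[:12]}")
    print(f"{len(new)} new finding(s), {len(known)} baselined")
    return 1 if new else 0


# --- constructed sample report (not real credentials) ---
SAMPLE_REPORT = json.dumps([
    {"rule": "aws-access-key-id", "path": "tests/fixtures/creds.txt", "line": 3,
     "secret": "AKIA" + "X" * 16},
    {"rule": "github-classic-token", "path": ".env", "line": 1,
     "secret": "ghp_" + "A" * 36},
])

if __name__ == "__main__":
    # usage: python ci_gate.py report.json [.secrets-baseline]
    report = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_REPORT
    baseline = Path(sys.argv[2]).read_text() if len(sys.argv) > 2 else ""
    sys.exit(gate(report, baseline))
```

Only add a fingerprint to the baseline after a human has confirmed the finding is a fixture or has already been rotated; because the fingerprint includes the secret value, a rotated credential that reappears under a new value shows up as a new finding again, which is what you want.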

Try it out, and next time you accidentally push a .env file, you'll have a plan.


Follow us at @githubprojects for more developer tools and open source discoveries.
