Introducing Kingfisher: Real-Time Secret Detection and Validation
Foreword from Kingfisher’s developer
As a Staff Security Engineer at MongoDB, I spend a lot of time thinking about how to further harden the environments that our customers rely on to protect their data. Central to that is detecting and managing exposed secrets before they turn into security risks. My role involves using an array of tools, from static code analyzers[1] to secrets managers[2].
However, I have never been fully satisfied with the tools at my disposal. Frustrated by the performance issues, limited flexibility, and high false positive rates of existing open source secret scanners, I started building my own tool in July 2024. Ten months later, that project became Kingfisher, an open-source secret scanner that goes beyond detection. It also verifies the validity of the secrets it detects.
What began as a pet project has grown into a core component of MongoDB’s internal security workflows. Kingfisher now helps MongoDB’s engineering teams rapidly scan and verify secrets across Git repositories, directories, and more. Kingfisher, along with moving to short-term credentials, is our answer to the growing challenges of stolen credentials and credential-stuffing attacks.
I am happy to announce that we are now releasing Kingfisher to the broader community so all developers and security teams can benefit from it.
And by releasing Kingfisher as open source, we’re continuing a tradition that goes back to MongoDB’s roots—empowering developers through open, accessible tools.
What is Kingfisher?
Kingfisher is a high-performance, open-source secret scanning tool that combs through code repositories, Git commit histories, and file systems to rapidly uncover hard-coded credentials, API keys, and other sensitive data. It can be used seamlessly across GitHub and GitLab repositories, both remote and local, as well as files and directories on disk, helping security teams quickly catch exposed secrets wherever they live. However, Kingfisher goes a step beyond traditional secret scanners.
Most tools simply flag anything that may look like a secret, which means engineers need to sift through false positives. Kingfisher is different. It actively validates the secrets it detects by testing them against external systems, such as the relevant cloud services or API endpoints. This dynamic approach helps identify which secrets are truly active and, thus, high-risk.
Figure 1. An example of an active AWS secret access key detected and validated by Kingfisher.
Figure 2. An example of an inactive Slack app token discovered and validated by Kingfisher.
Figure 3. An example scan summary produced by Kingfisher showing one active secret and four inactive secrets detected.
Kingfisher is designed for on-premises use, running entirely within the user’s own infrastructure. As a result, discovered secrets never leave the environment or pass through a third-party service. This ensures that developers and security teams retain full control over sensitive data without inheriting a third party’s security posture or introducing yet another external store of credentials. Kingfisher is also cloud-agnostic: it verifies credentials from AWS, Azure, Google Cloud, and any other platform in use. Unlike cloud provider-specific tools that overlook cross-cloud risks, Kingfisher gives security teams unified visibility and control, no matter where secrets live.
Built with both performance and security in mind, Kingfisher combines extremely fast pattern matching, source code parsing, entropy analysis, and real-time validation. This all reduces noise to surface only what actually matters. It is designed for practical, real-world use, whether scanning a single repo or integrating it into a larger CI/CD pipeline.
Why MongoDB built Kingfisher
The threat landscape is constantly evolving, and credential-related attacks are on the rise. Stolen credentials are frequently sold on underground markets. Attackers use automated tools to launch credential-stuffing attacks that can lead to unauthorized access and serious data breaches. Traditional secret-scanning tools have not kept up. Such tools often flood teams with false positives, are slow to run, and do not confirm whether a detected secret remains active or dangerous. This means developers and security teams waste time and effort chasing down dead ends while missing actual threats.
Kingfisher was built to solve this challenge. It is fast, lightweight, and designed to detect exposed secrets. It then validates them in real time by checking whether the secret remains active. By cutting through the noise and focusing on active risks, Kingfisher enables teams to respond faster and protect systems effectively.
Kingfisher also helps security teams progress toward higher Supply-chain Levels for Software Artifacts (SLSA) compliance. It does this by supporting secure configuration management through proactive detection and verification of exposed secrets across codebases and repositories. At the foundational level, it supports SLSA’s core requirement of preventing secrets from being embedded in source code. This is one of the most common and critical vulnerabilities in the software supply chain. For organizations targeting SLSA Levels 2 and above, Kingfisher also helps strengthen source code integrity by reducing the risk of malicious or accidental secret exposure, which could compromise the trustworthiness of builds. Secure configuration management is a critical part of achieving higher SLSA levels. Kingfisher helps teams adopt these best practices by helping keep secrets out of source code and managing them securely throughout the development lifecycle.
Figure 4. Runtime chart comparing Kingfisher with two other popular open-source secrets scanning tools.
The runtime chart above presents the results of internal testing conducted by MongoDB engineers. It compares Kingfisher against two other popular open-source secret scanning tools: TruffleHog and GitLeaks. In this comparison, lower runtime values indicate superior performance. This underscores Kingfisher’s balance of speed and robust, real-time secret validation.
How Kingfisher works
Kingfisher is built in Rust, which was chosen for its speed, safety, and concurrency capabilities. Initially inspired by and built on top of a forked version of the Apache 2 licensed "Nosey Parker" code, Kingfisher re-engineers and extends its foundation with modern, high-performance technologies.
Kingfisher’s features include:
Rust-powered performance: Writing Kingfisher in Rust maximizes performance while providing memory safety. This makes it ideal for scanning large codebases without sacrificing reliability.
High-speed regex matching with Hyperscan: Kingfisher uses Hyperscan to handle complex and high-volume pattern matching. This engine delivers high-speed regular expression matching that enables real-time scanning on the largest code repositories.
Multi-language source parsing with Tree-sitter: Kingfisher employs Tree-sitter to parse source code accurately across 20+ programming languages. This enables Kingfisher to understand language-specific syntax, reducing false positives and improving detection accuracy.
Efficient scanning engine: In addition to its advanced parsing and regex capabilities, Kingfisher uses multi-threaded scanning to traverse files, commit histories, and binary blobs. Custom-built rules combine pattern matching with Shannon entropy checks[3], flagging only high-confidence secret exposures.
Dynamic validation: Once a potential secret is detected, Kingfisher validates it by performing external checks. This includes testing database connectivity and calling cloud service APIs to confirm whether the secret is active and poses an immediate risk.
Extensible rulesets: Kingfisher supports a rich set of rules defined in YAML files. These rules describe the patterns and metadata to look for, including confidence levels, examples, and dependency rules, to provide nuanced secret detection and validation.
Integration ready: Kingfisher is designed to be easily integrated into automated CI/CD pipelines and used in conjunction with GitHub’s secret scanning program. This enhances its role as part of a comprehensive security strategy.
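To make the "pattern match plus Shannon entropy check" stage concrete, here is an added example written for this post; it is not Kingfisher's own code. It uses a hand-written matcher for a simplified AWS-style access key ID rule (an assumption standing in for a Hyperscan regex), then drops candidates whose entropy falls below a threshold that is also an assumption, so that low-entropy placeholders are not reported as findings.

```rust
use std::collections::HashMap;

/// Shannon entropy of `s` in bits per character (0.0 for a one-symbol string).
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    let n = s.chars().count() as f64;
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Simplified rule (assumption): "AKIA" followed by exactly 16 upper-case
/// alphanumerics, not immediately followed by another alphanumeric.
/// A hand-written scan stands in for the compiled regex a real rule would use.
pub fn find_aws_key_ids(text: &str) -> Vec<String> {
    let bytes = text.as_bytes();
    let mut out = Vec::new();
    let mut i = 0;
    while i + 20 <= bytes.len() {
        let body_ok = bytes[i + 4..i + 20]
            .iter()
            .all(|b| b.is_ascii_uppercase() || b.is_ascii_digit());
        let boundary_ok = i + 20 == bytes.len() || !bytes[i + 20].is_ascii_alphanumeric();
        if &bytes[i..i + 4] == b"AKIA" && body_ok && boundary_ok {
            out.push(text[i..i + 20].to_string()); // ASCII match, so slicing is safe
            i += 20;
        } else {
            i += 1;
        }
    }
    out
}

/// Pattern matches that also pass the entropy gate, with their entropy.
pub fn scan(text: &str, min_entropy: f64) -> Vec<(String, f64)> {
    find_aws_key_ids(text)
        .into_iter()
        .map(|k| (shannon_entropy(&k), k))
        .filter(|(e, _)| *e >= min_entropy)
        .map(|(e, k)| (k, e))
        .collect()
}

fn main() {
    // Constructed sample: one random-looking key ID and one obvious placeholder.
    let sample = "aws_access_key_id = AKIAJ4X8Q2L7MN9PRST3\nexample_id = AKIAAAAAAAAAAAAAAAAA\n";
    for (k, e) in scan(sample, 3.0) {
        println!("candidate {k} (entropy {e:.2} bits/char)");
    }
}
```

Only the first key ID survives the gate; the all-A placeholder matches the pattern but has well under one bit of entropy per character, which is the kind of noise the entropy check is there to remove.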
How MongoDB uses Kingfisher internally
At MongoDB, Kingfisher plays a critical role in safeguarding code repositories and internal systems. As part of the company's comprehensive security strategy, Kingfisher is used across various stages of MongoDB’s development and deployment pipeline. This helps secure MongoDB’s codebase and complements our move away from long-lived secrets.
Below are four key ways Kingfisher is used at MongoDB:
Pre-commit scanning: MongoDB developers run Kingfisher locally to catch accidentally hard-coded secrets before they commit code.
CI/CD integration: Kingfisher is integrated into MongoDB’s continuous integration and deployment (CI/CD) pipelines, so every build is automatically scanned for potential secret exposure.
Historical code analysis: Kingfisher scans Git commit histories to identify and remediate legacy exposures in MongoDB’s code repositories.
Cloud and database validation: Kingfisher automatically tests whether a detected credential is still valid using its dynamic validation capabilities. This allows MongoDB engineers to take immediate action if a secret has been compromised.
Get started with Kingfisher
The development—and now release—of Kingfisher represents a major leap forward in MongoDB’s approach to securing code and infrastructure. More than a tool, it embodies our ongoing commitment to contribute open-source solutions that empower organizations to protect their critical assets against evolving cyber threats.
Kingfisher builds on a solid foundation and introduces significant improvements. These include:
Real-time secret validation
Enhanced accuracy through source code parsing with Tree-sitter
Over 700 rules for detecting and validating a broader range of secrets
Cross-platform support for macOS, Linux, and Windows
To learn more about Kingfisher and start using it in your own workflows, visit our GitHub repository for detailed documentation and join the community discussions.
[1] Tools that examine source code without executing it to identify potential errors, vulnerabilities, or code quality issues.
[2] Tools used to securely store, manage, and access sensitive information like API keys, credentials, and tokens.
[3] A method of measuring randomness in a string, often used to identify high-entropy values like passwords or API keys that may indicate a secret.
June 16, 2025