23-06-2025
Swift Scanner Kingfisher Exposes Active Code Secrets
A high‑performance tool named Kingfisher, developed by MongoDB, now enables developers and security teams to detect and validate active secrets—such as API keys and credentials—in codebases in real time. Its release addresses shortcomings in existing scanners by verifying through live checks against cloud services.
Kingfisher began as a personal project in July 2024 by MongoDB security engineer Mick Grove, who was dissatisfied with current open‑source secret scanners. Internal testing confirmed that by April 2025 it had become a core part of MongoDB's internal security workflows—scanning pre‑commit code, CI/CD pipelines, Git histories and on‑premise files to identify active secrets. The tool has now been made publicly available under the Apache 2.0 licence.
Introducing Kingfisher: The Open Source Secret Scanner that Finds and Validates Leaked Secrets Fast
ADVERTISEMENT
Crafted in Rust, Kingfisher employs Intel's Hyperscan for high‑speed regex matching and Tree‑sitter for language‑aware source parsing across more than 20 languages. It runs multi‑threaded scans on repositories and file systems and adds entropy‑based rules to filter high‑confidence detections. The standout feature is active validation: when a potential secret is found, the tool attempts to authenticate against external APIs—such as AWS, Azure, GCP or Stripe—to determine if it remains functional.
This real‑time validation sharply reduces false positives. For example, Kingfisher identified one active AWS secret and four inactive Slack tokens in illustrative internal tests. The tool ships with over 700 built‑in detection rules and supports custom configurations via YAML, making it extensible to new credential types.
Performance benchmarking shows Kingfisher outpaces popular tools such as TruffleHog and Gitleaks in terms of runtime, offering a faster, more efficient scanning solution. Its cloud‑agnostic validation ensures organisations obtain unified visibility over secrets, irrespective of the cloud provider in use.
Using Kingfisher aligns with compliance demands, particularly those of the Supply‑chain Levels for Software Artifacts. It aids organisations working toward SLSA Level 2 and beyond by preventing embedded credentials in source code and safeguarding build integrity during the software supply chain lifecycle.
Unlike cloud‑hosted secret scanning, Kingfisher operates entirely on‑premise or within authorised infrastructure. This ensures that detected secrets do not leave the user's environment, addressing data privacy and sovereignty concerns.
Kingfisher is accessible across major operating systems, including Linux, macOS and Windows. Installation options range from pre‑built binaries to source compilation via Docker. It also integrates seamlessly with GitHub, GitLab, and CI/CD systems, enabling detection at pre‑commit, pull‑request and post‑merge stages.
Given the surge in credential‑related breaches and the market's growing concern over hidden, hard‑coded secrets, Kingfisher directly responds to a critical need. Credential exposure remains a leading cause of data breaches, with stolen secrets frequently exploited by automated botnets and sold on underground markets.
By combining live validation, speed, and extensibility, Kingfisher represents a meaningful shift in the secret‑scanning ecosystem. It not only identifies potential security issues, but confirms those that pose genuine risk—allowing developers and security engineers to focus remediation efforts on threats that truly matter.
Its release as open‑source ensures broader access: security teams, DevOps practitioners and smaller organisations can now employ an enterprise‑grade scanner without incurring licensing fees or relying on proprietary systems. MongoDB's publication of Kingfisher thus reinforces its commitment to open‑source solutions that empower the wider tech community.
