View Issue Details

ID: 0009517
Project: Kali Linux
Category: New Tool Requests
View Status: public
Last Update: 2026-01-22 09:12
Reporter: micksmix
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary: 0009517: Kingfisher - blazingly fast and highly accurate tool for secret detection
Description

[Name]
Kingfisher

[Version]
v1.75.0

[Homepage]
https://github.com/mongodb/kingfisher

[Download]
https://github.com/mongodb/kingfisher/releases/latest

[Author]
Mick Grove, [email protected]

[Licence]
Apache-2.0

[Description]
Kingfisher is a fast secret‑scanning and live‑validation tool built in Rust, using SIMD‑accelerated regex and language‑aware parsing, with hundreds of built‑in rules and access‑map analysis for exposed credentials. Includes a local-only web-based finding triage and report viewer.

[Dependencies]

git is required to clone and scan repositories. ca-certificates is required for HTTPS/TLS certificate validation.

The Kingfisher binary is statically linked (MUSL) and has no other runtime dependencies.

[Similar tools]
TruffleHog and Gitleaks are comparable scanners, but Kingfisher is Apache-2.0, MongoDB-supported OSS (no commercial tier), and is optimized for speed with Rust + Intel Hyperscan’s SIMD-accelerated regex engine, while also adding live validation, blast-radius access mapping (--access-map), and a local web UI findings viewer and triager (kingfisher view).

[Activity]
Development began in June 2024, and Kingfisher was open-sourced on June 16, 2025 on MongoDB's public blog: https://www.mongodb.com/company/blog/product-release-announcements/introducing-kingfisher-real-time-secret-detection-validation

As of Jan 2025, it has ~3.3 million Docker pulls (about a million pulls a month now), 35k downloads from GitHub, and ~780 stars on GitHub.

It is actively updated by MongoDB and has 1,064 commits over the past ~6 months. New releases occur every 5-10 days.

[How to install] - How do you compile it

Build on Kali/Debian (arm64), and optionally x64

VERSION=1.75.0
URL="https://github.com/mongodb/kingfisher/archive/refs/tags/v${VERSION}.tar.gz"

apt update
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends curl make ca-certificates xz-utils build-essential
update-ca-certificates --fresh
curl -L -o kingfisher_${VERSION}.orig.tar.gz "$URL"
tar -xf kingfisher_${VERSION}.orig.tar.gz
cd kingfisher-${VERSION}
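# Install rustup, then load cargo/rustup into the current shell
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
# Install and select the Rust toolchain used for the build
rustup toolchain install 1.90.0
rustup default 1.90.0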
make ubuntu-arm64
# make ubuntu-x64

[How to use]
Basic usage examples from the README include:

kingfisher scan /path/to/code

kingfisher scan ~/src/myrepo --no-validate

kingfisher --version

[Packaged]
Yes, this is already packaged for Debian and included as an artifact in every release on GitHub.

https://github.com/mongodb/kingfisher/releases/latest/download/kingfisher-linux-x64.deb

https://github.com/mongodb/kingfisher/releases/latest/download/kingfisher-linux-arm64.deb

Activities

micksmix

2026-01-22 06:59

reporter   ~0021286

Note: the easiest way to compile Kingfisher is actually by using Docker and running the Makefile command:

apt update
apt install -y docker.io make
make linux-arm64
#make linux-x64

Issue History

Date Modified | Username | Field | Change
2026-01-22 06:44 | micksmix | New Issue |
2026-01-22 06:59 | micksmix | Note Added: 0021286 |
2026-01-22 09:12 | daniruiz | Summary | New Tool - MongoDB Kingfisher => Kingfisher - blazingly fast and highly accurate tool for secret detection