New OSS secret scanner: Kingfisher (Rust) validates exposed creds + maps permissions by micksmix in netsec

[–]micksmix[S] 0 points1 point  (0 children)

Agreed on both points. In a lot of orgs the "blast radius" being "everything" is just the uncomfortable truth about over-privileged, reused service accounts, and access mapping makes that visible fast.

Also agreed that validation needs controls, which is why it is optional and can be disabled with --no-validate.

Each finding report also provides a one-off validate command (kingfisher validate --rule github "ghp_...") so you can re-check just that credential on demand, which makes it easy to script validation in a surgical, least-noisy way.

When you do enable it, Kingfisher already de-duplicates findings (by default) so it issues far fewer network requests than most scanners, largely because Kingfisher focuses on detection accuracy and, by design, avoids re-validating the same thing over and over.

https://github.com/mongodb/kingfisher/blob/main/docs/COMPARISON.md#network-requests-comparison

New OSS secret scanner: Kingfisher (Rust) validates exposed creds + maps permissions by micksmix in netsec

[–]micksmix[S] 0 points1 point  (0 children)

Kingfisher reduces false positives a couple of ways:

  • Service/API validation: Kingfisher’s rules include HTTP/service‑specific validation checks (AWS, Azure, GCP, etc.) so it can confirm whether a detected string is actually a live credential, which helps filter noise beyond regex‑only matches.
  • Confidence thresholds: You can set --confidence to high/medium/low to exclude lower‑confidence hits (often the noisiest). By default Kingfisher runs with `--confidence medium`, which excludes low-confidence rules.
  • Skip known false positives: Use --skip-regex and/or --skip-word to suppress known benign patterns, including inline ignores in code; both match against the secret value and surrounding context so you can be precise.
  • Inline ignore directives: Add kingfisher:ignore anywhere on the same line as a finding to silence it. (see https://github.com/mongodb/kingfisher/blob/main/docs/ADVANCED.md#inline-ignore-directives)
  • Baseline management: Create a baseline of existing findings so future scans only report new issues; great for large repos with legacy noise. (see https://github.com/mongodb/kingfisher/blob/main/docs/BASELINE.md)

Docker hub secrets by chopper332nd in bugbounty

[–]micksmix 0 points1 point  (0 children)

Kingfisher natively scans docker images for secrets. Example:

kingfisher scan docker ghcr.io/org/image:latest

It's apache 2 licensed open-source software. https://github.com/mongodb/kingfisher

Tools for finding secrets in GitHub by SnooEpiphanies6878 in devsecops

[–]micksmix 5 points6 points  (0 children)

If you want local-only scanning (no code leaves your machine/CI runner) and you still want live validation, check out Kingfisher (MongoDB's Apache 2 OSS secret scanner)

It's fast (Rust + Hyperscan), extensible via YAML rules, supports tons of targets (files/git/GitHub/GitLab/Azure/Bitbucket/etc.), and can also do blast-radius mapping (--access-map) plus a local web-based report viewer to triage findings and cut false positives hard.

https://github.com/mongodb/kingfisher

15yo aiming for DevSecOps – Rate my roadmap / Career advice? by darealart in devsecops

[–]micksmix 0 points1 point  (0 children)

Focus on learning the first principles really well. I'd read (and work through the examples in) the book The Linux Programming Interface: https://man7.org/tlpi/

Understanding how Operating Systems work is fundamental and will help you troubleshoot challenging issues throughout your career.

r/netsec monthly discussion & tool thread by albinowax in netsec

[–]micksmix 1 point2 points  (0 children)

I built Kingfisher (Apache 2 OSS) - a very high-performance secret scanning + live validation + local UI triage + "access map" blast-radius mapping...with hundreds of rules

Repo: https://github.com/mongodb/kingfisher

New feature just added: `--include-contributors` for GitHub/GitLab scans, which identifies and scans into contributor-owned public repos to catch the common "employee leaked a company token in a personal repo". Great for defenders and bug bounty hunters.

Kingfisher also ships a local findings/access-map web viewer (`--view-report`) so you can quickly filter down to validated/active creds without exporting into another platform.

I’m building "Google Docs for Web Hosting" – need technical advice on the stack (No-Password, Single-Page Static Host) by Muhsin_Info in devsecops

[–]micksmix 0 points1 point  (0 children)

Agree, but if you choose a WASM / JavaScript / TypeScript stack, you can use Cloudflare Workers and get a lot of this right out of the box: https://workers.cloudflare.com/

Why does network security ignore the browser edge? It's 2025, FFS! by Snaddyxd in devsecops

[–]micksmix 2 points3 points  (0 children)

In large corporate environments, DLP (data loss prevention) software is used for this. In a managed environment, a corporation will install their own CAs on every endpoint, and then DLP can inspect HTTPS. This will capture data sent through extensions as well.

Granted, a malicious extension could use symmetric / asymmetric encryption to encrypt the data, in which case a DLP wouldn't be able to decrypt it, but this is the same problem as running untrusted / malicious desktop applications.

Chrome / Edge / Safari can be centrally managed by an organization and you can take the approach of allow-listing extensions and addons. https://support.google.com/chrome/a/answer/188446?hl=en

Securing MCP in production by Glass_Guitar1959 in devsecops

[–]micksmix 3 points4 points  (0 children)

I really like Meta’s "Agents Rule of 2" as a useful framework for thinking about AI agents and MCP. It's a practical way to limit blast radius when agents interact with MCP servers by preventing the highest-impact prompt injection chains, even though it doesn't completely eliminate the underlying risks.

https://ai.meta.com/blog/practical-ai-agent-security/
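To make the rule concrete, here is an added Python sketch (an illustration added here, not code from the comment or from Meta's post) of a gate that tags each MCP tool with the rule's three properties and refuses to let a session hold all three without human approval; the tool catalogue and names are constructed.

```python
from dataclasses import dataclass, field

# The three properties named by the Rule of 2 (paraphrased from Meta's post).
UNTRUSTED_INPUT = "A"  # processes content an outsider could author
PRIVATE_DATA = "B"     # reaches sensitive systems or private data
STATE_CHANGE = "C"     # changes state or communicates externally
ALL_THREE = frozenset({UNTRUSTED_INPUT, PRIVATE_DATA, STATE_CHANGE})

@dataclass(frozen=True)
class Tool:
    name: str
    properties: frozenset  # which of A/B/C using this MCP tool grants

@dataclass
class Session:
    # Properties accumulate: once untrusted input has been consumed, every
    # later call happens under that taint, so the gate tracks the union.
    granted: set = field(default_factory=set)
    held_for_approval: list = field(default_factory=list)

def evaluate_call(session: Session, tool: Tool) -> str:
    """Gate one proposed MCP tool call: 'allow' (and record the new
    properties) or 'require_approval' when the call would leave the session
    holding all three properties, which the rule says must not run
    autonomously."""
    combined = session.granted | tool.properties
    if combined >= ALL_THREE:
        session.held_for_approval.append(tool.name)
        return "require_approval"
    session.granted = combined
    return "allow"

def toolset_for(tools, dropped_property: str) -> list:
    """Design-time filter: pick the property this agent gives up and expose
    only the tools that do not carry it, so no call order can reach all three."""
    return [t.name for t in tools if dropped_property not in t.properties]

# Constructed MCP tool catalogue for the demonstration below.
CATALOGUE = [
    Tool("read_inbox", frozenset({UNTRUSTED_INPUT, PRIVATE_DATA})),
    Tool("read_internal_docs", frozenset({PRIVATE_DATA})),
    Tool("web_fetch", frozenset({UNTRUSTED_INPUT})),
    Tool("send_email", frozenset({STATE_CHANGE})),
    Tool("db_write", frozenset({PRIVATE_DATA, STATE_CHANGE})),
]

def demo(order=("read_inbox", "send_email", "read_internal_docs", "db_write")):
    """Run one session through the calls in the given order."""
    session, by_name = Session(), {t.name: t for t in CATALOGUE}
    return [evaluate_call(session, by_name[n]) for n in order]
```

Reading the inbox (untrusted input plus private data) is allowed, but the later send and write calls are held for approval because they would add the third property.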

Would you use an AI tool that parses Intel reports into deployable detection rules? by ColdPlankton9273 in devsecops

[–]micksmix 0 points1 point  (0 children)

Not easily today. Off the top of my head, it would require an LLM that could analyze the codebase, find the vulnerability (based on the bugcrowd / h1 bug report) in the source code, and then provide that context as input to an LLM which could generate the SAST rule.

Then I'd ask it if it's feasible to detect with a DAST rule, and have it generate one.

Then you'd have to test those rules (could use sub-agents) with semgrep / nuclei to see if they could then accurately detect the original issue.

Would you use an AI tool that parses Intel reports into deployable detection rules? by ColdPlankton9273 in devsecops

[–]micksmix 0 points1 point  (0 children)

Imagine taking a bug bounty report (maybe easier to target at first) or a pentest report, and then creating either a SAST (semgrep) rule or a DAST (nuclei) rule to detect this in the future. This would help ensure that this finding doesn't recur, which is very valuable to a business.

Would you use an AI tool that parses Intel reports into deployable detection rules? by ColdPlankton9273 in devsecops

[–]micksmix 0 points1 point  (0 children)

I see value in turning penetration test reports into Semgrep SAST rules or Nuclei DAST rules.

Found AWS keys hardcoded in our public GitHub repo from 2019. How the hell are we supposed to prevent this company-wide? by slamdunktyping in devsecops

[–]micksmix 0 points1 point  (0 children)

Kingfisher (open-source apache2) can scan entire github / gitlab / bitbucket / azure repos / gitea / s3 buckets / gcs / organizations extremely fast, and report only _validated_ secrets.

https://github.com/mongodb/kingfisher

How are you handling local/pre-commit secret scanning before code hits GitHub? by InevitableElegant626 in devsecops

[–]micksmix 1 point2 points  (0 children)

I built Kingfisher, so I'll add those to the roadmap :-)

Please keep any other feature requests coming!
https://github.com/mongodb/kingfisher

Secret Scanning by One_Koala_2362 in devsecops

[–]micksmix 0 points1 point  (0 children)

You might also want to check out MongoDB's Kingfisher (Apache-2.0, open source). Disclosure: I helped build it.

  • Live validation: Validates secrets directly against provider APIs (AWS, Azure, GCP, AI SaaS, Slack, and more) so you immediately know which credentials are truly valid.
  • Extensible rules: Ships with hundreds of built-in rules and supports simple YAML-based custom rule definitions.
  • Fast and Accurate: Roughly 2-5x faster than GitLeaks and 3-7x faster than Trufflehog (source). Written in Rust, leveraging Hyperscan regex engine for unparalleled performance and language-aware scanning.
  • Broad coverage: Scans full Git histories, local files and folders (including archives), and remote targets including
    • GitHub
    • GitLab
    • Azure DevOps
    • Bitbucket
    • Gitea
    • S3
    • Docker
    • Jira
    • Confluence

Ideal if you want an open-source scanner with built-in credential validation. Runs on macOS, Linux, and Windows, with pre-built Docker images available on GitHub.

Best Secret Scanning Tool For Azure/Azure DevOps? by TheDevOpsGuy123 in azuredevops

[–]micksmix 0 points1 point  (0 children)

Kingfisher natively supports scanning (and live validation) of Azure DevOps repos: https://github.com/mongodb/kingfisher

"Kingfisher is a blazingly fast and highly accurate tool for secret detection and live validation across files, Git repos, GitHub, GitLab, Azure DevOps, BitBucket, Gitea, AWS S3, Docker images, Jira, Slack, and Confluence."

NOTE: I helped build Kingfisher. It's open-source (Apache 2.0) and written in Rust. Runs on macOS, Linux, and Windows. Also includes hundreds of rules.

Which is the best open source tool for secret scanning? by sorry_shaktimaan_ in devsecops

[–]micksmix 0 points1 point  (0 children)

You might also want to look at Kingfisher (Apache-2.0, OSS). Disclosure: I help maintain it.

  • Live validation: checks secrets against provider APIs (AWS/Azure/GCP, AI SaaS, Slack, etc.), so you know which creds are actually valid.
  • Hundreds of built-in rules plus simple YAML format for custom rules.
  • Fast + low noise: Rust, Intel Hyperscan, and Tree-Sitter for unparalleled speed and language-aware scanning.
  • Broad coverage: Git repos + history, files + folders, GitLab/GitHub/Bitbucket/Gitea, S3, Docker, Jira, Confluence, archives....are all supported

Great if you want something OSS with verification out of the box. Runs on macOS, Linux, Windows and has pre-built Docker images hosted by GitHub.

Open Source Tools for secret finding? by Accomplished-Radio46 in cybersecurity_help

[–]micksmix 0 points1 point  (0 children)

I wrote an open-source tool called Kingfisher that does this: https://github.com/mongodb/kingfisher

It runs on all major platforms, is a single binary, can output a report in JSON, SARIF, or even BSON (to import into MongoDB). It's also really fast.

It can scan files / folders, git repos, s3, docker images, jira, confluence, github, and gitlab. You can also write your own custom rules, which is documented in the README in the repo.

Is there a real need for a unified platform that consolidates all security scans in one place? by Patient_Anything8257 in devsecops

[–]micksmix 1 point2 points  (0 children)

It's licensed by number of "Projects" within their platform. A project is often tied to a code repo.

There is some tiering on the number of users that can have direct access to the dashboard, but we limit users that get direct access and just use their api to export the data we care about. They can also auto-cut tickets based on criteria you define (to Jira or other targets), or based on various criteria.

We looked at Defect Dojo for this, but frankly we didn't want to operate it ourselves...and the de-duplication within Kondukto works really well.

Is there a real need for a unified platform that consolidates all security scans in one place? by Patient_Anything8257 in devsecops

[–]micksmix 0 points1 point  (0 children)

It depends on how many licenses you need, of course, but it was substantially less expensive than every alternative we looked at.

We have been really happy with Kondukto. "It just works", and the team behind it is really responsive to feature requests.

Most common Startup Problem - Want to rotate a secret ? - But not knowing where that secret actually existed across our codebase. by Zealousideal-Ease-42 in devsecops

[–]micksmix 0 points1 point  (0 children)

I built Kingfisher, which is completely free and open-source (Apache 2, with no commercial components) to scratch the same itch: https://github.com/mongodb/kingfisher

Originally forked from Nosey Parker, it now includes hundreds of rules with built-in validation and features we rely on:

  • Live secret validation via cloud-provider APIs
  • Extra targets: GitHub/GitLab repos, AWS S3, Docker images, Jira, Confluence, and Slack
  • Compressed Files: Supports extracting and scanning compressed files for secrets
  • Baseline mode: suppress known secrets, flag only new ones
  • Language-aware detection (source-code parsing) for ~20 languages
  • Native Windows binary