- What: A new open-source secret scanner called Kingfisher, written in Rust, has been released.
- Impact: Kingfisher validates exposed credentials and maps permissions, aiming to improve the detection and management of secrets.
Foreword from Kingfisher’s developer

As a Staff Security Engineer at MongoDB, I spend a lot of time thinking about how to further harden the environments that our customers rely on to protect their data. Central to that is detecting and managing exposed secrets before they turn into security risks. My role involves using an array of tools, from static code analyzers[1] to secrets managers.[2] However, I have never been fully satisfied with the tools at my disposal. Frustrated by the performance issues, limited flexibility, and high false positive rates of existing open source secret scanners, I started building my own tool in July 2024. Ten months later, that project became Kingfisher, an open-source secret scanner that goes beyond detection. It also verifies the validity of the secrets it detects.

What began as a pet project has grown into a core component of MongoDB’s internal security workflows. Kingfisher now helps MongoDB’s engineering teams rapidly scan and verify secrets across Git repositories, directories, and more. Kingfisher, along with moving to short-term credentials, is our answer to the growing challenges of stolen credentials and credential-stuffing attacks.

I am happy to announce that we are now releasing Kingfisher to the broader community so all developers and security teams can benefit from it. And by releasing Kingfisher as open source, we’re continuing a tradition that goes back to MongoDB’s roots—empowering developers through open, accessible tools.

What is Kingfisher?

Kingfisher is a high-performance, open-source secret scanning tool that combs through code repositories, Git commit histories, and file systems to rapidly uncover hard-coded credentials, API keys, and other sensitive data. It can be used seamlessly across GitHub and GitLab repositories, both remote and local, as well as files and directories on disk, helping security teams quickly catch exposed secrets wherever they live.
However, Kingfisher goes a step beyond traditional secret scanners. Most tools simply flag anything that looks like it might be a secret, which means engineers need to sift through false positives. Kingfisher is different: it actively validates the secrets it detects by testing them against external systems, such as the relevant cloud services or API endpoints. This dynamic approach identifies which secrets are truly active and therefore high-risk.

Figure 1. An example of an active AWS secret access key detected and validated by Kingfisher.

Figure 2. An example of an inactive Slack app token discovered and validated by Kingfisher.

Figure 3. An example scan summary produced by Kingfisher showing one active secret and four inactive secrets detected.

Kingfisher is designed for on-premises use, running entirely within the user’s own infrastructure. As a result, discovered secrets never leave the environment or pass through a third-party service. Developers and security teams retain full control over sensitive data without inheriting a third party’s security posture or introducing yet another external store of credentials.

Kingfisher is also cloud-agnostic: it verifies credentials from AWS, Azure, Google Cloud, and any other platform in use. Unlike cloud provider-specific tools that overlook cross-cloud risks, Kingfisher gives security teams unified visibility and control, no matter where secrets live.

Built with both performance and security in mind, Kingfisher combines extremely fast pattern matching, source code parsing, entropy analysis, and real-time validation to reduce noise and surface only what actually matters. It is designed for practical, real-world use, whether scanning a single repo or integrating it into a larger CI/CD pipeline.

Why MongoDB built Kingfisher

The threat landscape is constantly evolving, and credential-related attacks are on the rise. Stolen credentials are frequently sold on underground markets.
Attackers use automated tools to launch credential-stuffing attacks that can lead to unauthorized access and serious data breaches. Traditional secret-scanning tools have not kept up: they often flood teams with false positives, are slow to run, and do not confirm whether a detected secret remains active or dangerous. Developers and security teams therefore waste time and effort chasing dead ends while missing actual threats.

Kingfisher was built to solve this challenge. It is fast, lightweight, and designed to detect exposed secrets, then validate them in real time by checking whether each secret remains active. By cutting through the noise and focusing on active risks, Kingfisher enables teams to respond faster and protect systems effectively.

Kingfisher also helps security teams progress toward higher Supply-chain Levels for Software Artifacts (SLSA) compliance by supporting secure configuration management through proactive detection and verification of exposed secrets across codebases and repositories. At the...
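The three-stage pipeline the post describes (pattern matching, an entropy filter that drops placeholders, then validation of whatever survives) in miniature, as an added example that is not Kingfisher's own code and does not reflect its internals. It assumes a single rule, an AWS-style access key ID of "AKIA" followed by 16 characters from [A-Z0-9]; the sample input is constructed and contains no real credentials; and the live check against the provider is replaced by an offline table (`TableVerifier`) so the block runs without network access. The names `Finding`, `scan`, `Verifier`, `summarize` and `Summary` are this example's own.

```rust
use std::collections::{HashMap, HashSet};

/// One candidate secret pulled out of the scanned text.
#[derive(Debug)]
pub struct Finding {
    pub rule: &'static str,
    pub value: String,
    pub line: usize,  // 1-based line number within the scanned text
    pub entropy: f64, // Shannon entropy of `value`, bits per character
}

/// Shannon entropy in bits per character (0.0 for an empty string).
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, f64> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0.0) += 1.0;
    }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| -(k / n) * (k / n).log2()).sum()
}

/// Bytes that may continue an identifier; a key glued into a longer token (`XAKIA...`) is not reported.
fn is_token_char(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'_'
}

/// Assumed rule for this example: "AKIA" followed by 16 chars from [A-Z0-9].
const AKIA_LEN: usize = 20;

/// Stages 1 and 2: pattern-match every line, then drop candidates whose entropy is below
/// `min_entropy`; placeholders such as `AKIAXXXXXXXXXXXXXXXX` fall out here, not as false positives.
pub fn scan(text: &str, min_entropy: f64) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in text.lines().enumerate() {
        let b = line.as_bytes();
        let mut i = 0;
        while i + AKIA_LEN <= b.len() {
            let body_ok = b[i..].starts_with(b"AKIA")
                && b[i + 4..i + AKIA_LEN].iter().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit());
            let delimited = (i == 0 || !is_token_char(b[i - 1]))
                && (i + AKIA_LEN == b.len() || !is_token_char(b[i + AKIA_LEN]));
            if body_ok && delimited {
                // The match is pure ASCII, so these byte offsets are valid char boundaries.
                let value = &line[i..i + AKIA_LEN];
                let entropy = shannon_entropy(value);
                if entropy >= min_entropy {
                    findings.push(Finding { rule: "aws-access-key-id", value: value.to_string(), line: idx + 1, entropy });
                }
                i += AKIA_LEN;
            } else {
                i += 1;
            }
        }
    }
    findings
}

/// Stage 3: the validation hook. A real scanner asks the issuing service whether the
/// credential still works; the trait keeps that step pluggable.
pub trait Verifier {
    fn is_active(&self, finding: &Finding) -> bool;
}

/// Offline stand-in for the live check: the "active" set is constructed for this example
/// and would be a network call to the provider in practice.
pub struct TableVerifier {
    pub active: HashSet<String>,
}

impl Verifier for TableVerifier {
    fn is_active(&self, finding: &Finding) -> bool {
        self.active.contains(&finding.value)
    }
}

/// Scan summary in the shape of Figure 3: how many findings are live.
#[derive(Debug, PartialEq)]
pub struct Summary {
    pub active: usize,
    pub inactive: usize,
}

pub fn summarize(findings: &[Finding], verifier: &dyn Verifier) -> Summary {
    let active = findings.iter().filter(|f| verifier.is_active(f)).count();
    Summary { active, inactive: findings.len() - active }
}

/// Constructed sample input (no real credentials): a plausible key, a docs placeholder,
/// a key glued into a longer token, and a second plausible key.
pub const SAMPLE: &str = "aws_access_key_id = AKIA3Q7ZP9XK2MDV8HLT\n\
# placeholder copied from docs: AKIAXXXXXXXXXXXXXXXX\n\
prefix_XAKIA3Q7ZP9XK2MDV8HLT_suffix\n\
other_key = AKIA7HD2K9QZ4LMB6VNX\n";

fn main() {
    let findings = scan(SAMPLE, 3.0);
    // Only the first key is "active" in this constructed table.
    let verifier = TableVerifier { active: HashSet::from(["AKIA3Q7ZP9XK2MDV8HLT".to_string()]) };
    println!("{:?}\n{:?}", findings, summarize(&findings, &verifier)); // Summary { active: 1, inactive: 1 }
}
```

With the entropy threshold at 3.0 bits per character the placeholder on line 2 is never reported, the key embedded in a longer token on line 3 is rejected by the delimiter check, and the two plausible keys reach the verifier, which classifies one as active and one as inactive. Running the same input with `min_entropy` set to 0.0 shows the placeholder coming back as a third finding, which is the noise the entropy stage exists to remove.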