Security News

Cybersecurity news aggregator

Source: Reddit r/netsec

New OSS secret scanner: Kingfisher (Rust) validates exposed creds + maps permissions

  • What: Kingfisher is a new open-source secret scanner written in Rust that validates exposed credentials against provider APIs.
  • Impact: Helps prioritize active leaks by confirming credential validity and mapping access permissions.

Disclosure: I’m the author/maintainer of Kingfisher. Kingfisher is an Apache-2.0 OSS secret scanner built in Rust that combines Hyperscan (SIMD regex) with tree-sitter parsing to improve context/accuracy, and it can validate detected creds in real time against provider APIs so you can prioritize active leaks. It’s designed to run entirely on-prem so secrets don’t get shipped to a third-party service.

Core Features
  • Hundreds of built-in rules (AI APIs, cloud providers, databases, DevOps tools)
  • Live validation against third-party APIs confirms credentials are active
  • Direct revocation of leaked creds: kingfisher revoke --rule github "ghp_..."
  • Can scan for secrets locally, github, gitlab, azure repos, bitbucket, gitea, hugging face, s3, gcs, docker, jira, confluence, slack
  • Built-in local-only HTML findings viewer: kingfisher scan /tmp --view-report
  • Blast Radius mapping to show what a credential could actually access: kingfisher scan /tmp --access-map --view-report

Scan Targets
  • Git repos (full history), GitHub/GitLab/Azure Repos/Bitbucket/Gitea/Hugging Face orgs
  • AWS S3, GCS, Docker images, Jira, Confluence, Slack

Try It
  • brew install kingfisher or uv tool install kingfisher-bin
  • github.com/mongodb/kingfisher
  • Apache 2 Open-Source

submitted by /u/micksmix
