
Consider adding Kingfisher support

Open Pinguladora opened this issue 4 months ago • 5 comments

https://github.com/mongodb/kingfisher?tab=readme-ov-file#installation

A secret scanner and validator with lots of rules out of the box made by MongoDB.

Pinguladora avatar Oct 06 '25 22:10 Pinguladora

@Pinguladora Looks interesting, thanks for the suggestion! :)

Does it have additional features compared to Gitleaks, secretlint or trufflehog?

nvuillam avatar Oct 06 '25 23:10 nvuillam

Hi @nvuillam - I actually built Kingfisher. Its main features are:

  1. Extremely fast: written in Rust and uses the SIMD-accelerated Hyperscan regex engine. Often an order of magnitude faster than comparable tools.
  2. Comes with hundreds of built-in rules, many of which are not found in other open-source tools. Also supports easily adding custom rules via a simple YAML format.
  3. Performs live validation of secrets by default (like trufflehog).
  4. Supports many targets (files, git repos + history, GitLab, GitHub, Gitea, Bitbucket, Azure DevOps, Slack, Confluence, Jira, Docker images).
  5. Supports a "baseline" file to prevent new secrets from getting in, while not alerting on known secrets.
  6. Apache 2.0 open source with no commercial components.

mickgmdb avatar Oct 06 '25 23:10 mickgmdb

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

github-actions[bot] avatar Nov 06 '25 01:11 github-actions[bot]

@mickgmdb thanks for the description, it looks great :)

Does it hide the found tokens by default?

@Pinguladora: if you can make sure that found secrets won't appear in logs, you have my go-ahead to submit a pull request within MegaLinter to add it :)

nvuillam avatar Nov 16 '25 08:11 nvuillam

@nvuillam, by default it will show the tokens. If you pass --redact when running Kingfisher, it replaces discovered secrets with a one-way hash for secure output.

Example:

```shell
kingfisher scan /path/to/dir/or/repo --redact
```

mickgmdb avatar Nov 16 '25 17:11 mickgmdb
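The maintainer's condition above is that found secrets must never reach the MegaLinter logs. As an added example (not code from Kingfisher or MegaLinter), here is a small wrapper that runs the `kingfisher scan <path> --redact` invocation quoted in the thread, then applies a second, independent one-way-hash redaction pass to the scanner's combined output and checks that a known canary value did not leak through. The wrapper itself, the two regexes, the function names and the sample scanner output are all constructed for illustration and are not Kingfisher's rule set or output format.

```python
"""Belt-and-braces redaction of secret-scanner output before it reaches CI logs.

Added example, not code from Kingfisher or MegaLinter. The only thing taken
from the thread is the `kingfisher scan <path> --redact` invocation; the
patterns, sample output and function names below are assumptions.
"""
import hashlib
import re
import subprocess
import sys

# Constructed demo patterns: an AWS-style access key id and a generic
# `token = <value>` assignment. Each pattern must expose the secret in a
# named group so only that part is hashed. A real wrapper would derive these
# from the scanner's own rules; they are illustrative here.
SECRET_PATTERNS = [
    re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})"),
    re.compile(r"(?i)\btoken\s*=\s*['\"]?(?P<secret>[A-Za-z0-9_\-]{20,})"),
]

# Constructed sample of what a scanner might print (not Kingfisher's format).
# The AWS key is Amazon's published placeholder, the token is made up.
SAMPLE_OUTPUT = """\
config/prod.env:3  aws_access_key_id = AKIAIOSFODNN7EXAMPLE
src/client.py:42   token = 'example0123456789abcdefghijklmnop'
README.md:1        nothing to see here
"""


def build_scan_command(target: str) -> list[str]:
    """The invocation from the thread: kingfisher scan <path> --redact."""
    return ["kingfisher", "scan", target, "--redact"]


def one_way_hash(secret: str) -> str:
    """Replace a secret with a short SHA-256 fingerprint.

    Stable across runs, so the same finding can be correlated between jobs,
    but useless for recovering the original value from a log.
    """
    return "REDACTED:sha256:" + hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact_line(line: str) -> str:
    """Hash every secret group matched by SECRET_PATTERNS in one line."""
    for pattern in SECRET_PATTERNS:
        line = pattern.sub(
            lambda m: m.group(0).replace(m.group("secret"), one_way_hash(m.group("secret"))),
            line,
        )
    return line


def redact_output(text: str) -> str:
    """Apply redact_line to every line, preserving line endings."""
    return "".join(redact_line(line) for line in text.splitlines(keepends=True))


def leaks_any(text: str, known_secrets: list[str]) -> list[str]:
    """Return the known secrets that still appear verbatim in text.

    In CI, seed this with a canary secret planted in a test fixture and fail
    the job if the canary surfaces in what is about to be logged.
    """
    return [s for s in known_secrets if s in text]


def main(target: str, canaries: list[str]) -> int:
    """Run the scanner with --redact, re-filter its output, refuse to log leaks."""
    proc = subprocess.run(build_scan_command(target), capture_output=True, text=True)
    cleaned = redact_output(proc.stdout + proc.stderr)
    leaked = leaks_any(cleaned, canaries)
    if leaked:
        # Do not print the leaked values; just the count and a non-zero exit.
        sys.stderr.write(f"refusing to log output: {len(leaked)} canary secret(s) leaked\n")
        return 2
    sys.stdout.write(cleaned)
    return proc.returncode


if __name__ == "__main__":
    # Usage: python wrapper.py /path/to/repo [canary ...]
    sys.exit(main(sys.argv[1], sys.argv[2:]))
```

The second pass is deliberately independent of the scanner's own `--redact`: a descriptor integration should not have to trust that every code path of an external tool (errors, debug output, stderr) honours the flag, and the canary check turns "secrets won't appear in logs" into something a CI job can assert rather than assume.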

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

If you think this issue should stay open, please remove the O: stale 🤖 label or comment on the issue.

github-actions[bot] avatar Dec 17 '25 01:12 github-actions[bot]