Kingfisher is an open-source secret scanning utility for identifying exposed credentials, API keys, access tokens, and other sensitive information in source code and Git repositories. It supports validation of detected secrets to help distinguish active credentials from inactive ones. This tutorial explains how to install Kingfisher secret scanner on Ubuntu 26.04.
Install Kingfisher
Download the latest Kingfisher release and extract the executable directly into /usr/local/bin:
curl -sSL https://github.com/mongodb/kingfisher/releases/latest/download/kingfisher-linux-x64.tgz \
| sudo tar xz -C /usr/local/bin kingfisher
Confirm that the installation completed successfully by checking Kingfisher version:
kingfisher --version
Testing Kingfisher
Download the repository for testing purposes:
curl -sSLo kingfisher-main.tar.gz https://github.com/mongodb/kingfisher/archive/main.tar.gz
tar xf kingfisher-main.tar.gz
Run a scan against the source code directory:
kingfisher scan ./kingfisher-main/src --confidence high
Example output:
INFO kingfisher::scanner::runner: Starting secret validation phase...
Scanning files and git repository content... 2.43 MiB [00:00:00]
\ Validating secrets… [========================================] 1/1 (100%) [00:00:00]
CIRCLECI API PERSONAL ACCESS TOKEN => [KINGFISHER.CIRCLECI.1]
|Finding.......: CCIPAT_FERZR...
|Fingerprint...: 14639650960374872153
|Confidence....: high
|Entropy.......: 4.83
|Validation....: Inactive Credential
|__Response....: {"message":"Invalid token provided."}
|Validate Cmd..: kingfisher validate --rule kingfisher.circleci.1 'CCIPAT_FERZR...'
|Language......: Rust
|Line Num......: 1309
|Path..........: ./kingfisher-main/src/matcher/mod.rs
==========================================
Scan Summary:
==========================================
|Findings....................: 1
|__Successful Validations....: 0
|__Failed Validations........: 1
|__Skipped Validations.......: 0
|Rules Applied...............: 86
|__Blobs Scanned.............: 159
|Bytes Scanned...............: 2.43 MiB
|Scan Duration...............: 523ms 720us 396ns
|Scan Date...................: 2026-07-16 14:56:27 +00:00
|Kingfisher Version..........: 1.107.0
|__Latest Version............: 1.107.0
The scan reviews the selected files, detects potential secrets, and attempts to validate supported credential types. A summary at the end provides the total findings, validation results, scanned data size, and execution time.
Uninstall Kingfisher
If Kingfisher is no longer needed, delete the installed binary:
sudo rm -rf /usr/local/bin/kingfisher
Remove the local cache created during scans:
rm -rf ~/.cache/kingfisher
Leave a Comment
Cancel reply