This is also a good reminder to scan CI logs, not just source code.
Shameless plug: I work on Kingfisher, an Apache 2.0 OSS secret scanner and validator written in Rust, that can also map blast radius and revoke many creds:
It can scan repos, history, and artifacts and validate many findings against provider APIs, as well as revoke many exposed tokens directly from the CLI. Also generates a blast-radius/access-map view so you can see what a leaked credential could reach.
Install:
brew install kingfisher
# or
uv tool install kingfisher-bin
Loved this “lead bullets” framing, especially the parts on taint checking, scanners, and pre-processing/sampling logs. One practical add-on to the "Sensitive data scanners" section is verification: can you tell which candidates are actually live creds?
We’ve been working on an open source tool, Kingfisher, that pairs fast detection (Hyperscan + Tree-Sitter) with live validation for a bunch of providers (cloud + common SaaS) so you can down-rank false positives and focus on the secrets that really matter. It plugs in at the chokepoints this post suggests: CI, repo/org sweeps, and sampled log archives (stdin/S3) after a Vector/rsyslog hop.
Shameless plug: I work on Kingfisher, an Apache 2.0 OSS secret scanner and validator written in Rust, that can also map blast radius and revoke many creds:
<https://github.com/mongodb/kingfisher>
It can scan repos, history, and artifacts and validate many findings against provider APIs, as well as revoke many exposed tokens directly from the CLI. Also generates a blast-radius/access-map view so you can see what a leaked credential could reach.
Install:
Scan a local path:
Or scan a GitHub/GitLab repo directly: