
MongoDB Launches an Open Source Real-Time Secret Scanner

MongoDB's new tool quickly finds secrets in your code.

kingfisher logo with a kingfisher bird carrying a note in its beak on the left, and the mongodb logo towards the right with a green leaf

Accidentally exposing secrets like API keys, tokens, or credentials in your code opens the door for threat actors to exploit your systems. Such attackers don't stop at one breach; they automate their attacks, move fast, and can potentially compromise entire infrastructure within minutes.

To tackle such scenarios, MongoDB has come up with an open source solution called "Kingfisher".

What's Happening: Launched as an open source tool for detecting secrets in code, file systems, and Git history, Kingfisher was born out of MongoDB's need for a fast, reliable way to identify exposed credentials and prevent security risks before they spiral out of control.

The tool doesn’t just stop there; it can also validate any secrets it finds, as long as they are from supported services, so developers know which keys are still active and risky.

MongoDB has been using Kingfisher internally throughout its development and deployment processes, helping them detect and fix exposed secrets early.

What to Expect: As for how it works, Kingfisher scans code, files, and Git history using a combination of techniques, including pattern matching, entropy analysis, source code parsing, and real-time validation, for accurate detection of exposed secrets.

It’s written in Rust and has many handy features like multi-language source parsing with Tree-sitter, high-speed regex matching with Hyperscan, extensible rulesets, cross-platform support, and over 700 built-in detection rules that cover a wide range of cloud services and secret types.
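The pattern-matching plus entropy-analysis combination described above, as an added illustration written for this article (not Kingfisher's own code or rules): two constructed regex rules, a Shannon entropy gate that suppresses placeholder values shaped like keys, and a constructed sample file to scan.

```python
import math
import re
from dataclasses import dataclass

# Constructed minimal rule set in the spirit of the regex-plus-entropy approach
# described above (not Kingfisher's own rules): (name, pattern, min bits/char).
RULES = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 3.0),
    ("Generic API token",
     re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{24,})"),
     3.5),
]

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking strings score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

@dataclass
class Finding:
    rule: str
    line_no: int
    secret: str
    entropy: float

def scan_text(text: str) -> tuple[list[Finding], list[Finding]]:
    """Return (reported, suppressed): regex hits that pass / fail the entropy gate."""
    reported, suppressed = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, min_entropy in RULES:
            for m in pattern.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                hit = Finding(name, line_no, candidate, round(shannon_entropy(candidate), 2))
                # Entropy gate: a value shaped like a key but built from repeated
                # characters is almost certainly a placeholder, not a live secret.
                (reported if hit.entropy >= min_entropy else suppressed).append(hit)
    return reported, suppressed

# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
aws_access_key_id = AKIAQ7XZ3F9BVN2HT8LP
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX   # placeholder, low entropy
api_key = "sk_live_9d8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b"
token = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"   # placeholder, low entropy
password = "hunter2"
"""
```

Running `scan_text(SAMPLE)` reports the two high-entropy values on lines 1 and 3 and suppresses the two placeholders, which is the false-positive class the entropy step exists to filter; a real scanner would then hand the reported values to a validation step against the issuing service.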

All of this runs on the user’s own systems or infrastructure, ensuring no sensitive data is sent to third-party servers, and there's cross-platform support for Linux, Windows, and macOS. Using Kingfisher also helps security teams stay aligned with SLSA compliance standards.

If you are up for a longer read, then MongoDB has published a detailed blog post explaining how they built Kingfisher.
