kingfisher/docs-site/docs/features/revocation.md

---
title: "Secret Revocation"
description: "Revoke compromised credentials directly from the CLI using built-in provider-specific revocation flows."
---

# Revocation Support Matrix

Kingfisher supports direct secret revocation through rule-level `revocation:` blocks.

Current coverage in built-in rules:
- `34` provider families
- `53` revocation-enabled rules

Use `kingfisher revoke --rule <rule-id> <secret>` to invoke these flows. See [USAGE.md](../usage/basic-scanning.md#direct-secret-revocation-with-kingfisher-revoke) for command details.

## Supported Providers

| Provider | Revocation Rule Count | Rule IDs |
|---|---:|---|
| `aws` | 1 | `kingfisher.aws.2` |
| `browserstack` | 1 | `kingfisher.browserstack.1` |
| `buildkite` | 1 | `kingfisher.buildkite.1` |
| `cloudflare` | 1 | `kingfisher.cloudflare.1` |
| `confluent` | 2 | `kingfisher.confluent.2`, `kingfisher.confluent.3` |
| `cratesio` | 1 | `kingfisher.cratesio.1` |
| `deviantart` | 1 | `kingfisher.deviantart.1` |
| `digitalocean` | 1 | `kingfisher.digitalocean.1` |
| `discord` | 1 | `kingfisher.discord.1` |
| `doppler` | 6 | `kingfisher.doppler.1`, `kingfisher.doppler.2`, `kingfisher.doppler.3`, `kingfisher.doppler.4`, `kingfisher.doppler.5`, `kingfisher.doppler.6` |
| `gcp` | 1 | `kingfisher.gcp.1` |
| `github` | 3 | `kingfisher.github.1`, `kingfisher.github.2`, `kingfisher.github.5` |
| `gitlab` | 2 | `kingfisher.gitlab.1`, `kingfisher.gitlab.4` |
| `google` | 2 | `kingfisher.google.4`, `kingfisher.google.oauth2.1` |
| `harness` | 1 | `kingfisher.harness.pat.1` |
| `heroku` | 2 | `kingfisher.heroku.1`, `kingfisher.heroku.2` |
| `launchdarkly` | 1 | `kingfisher.launchdarkly.1` |
| `linode` | 1 | `kingfisher.linode.1` |
| `mapbox` | 1 | `kingfisher.mapbox.2` |
| `mongodb` | 1 | `kingfisher.mongodb.1` |
| `netlify` | 2 | `kingfisher.netlify.1`, `kingfisher.netlify.2` |
| `npm` | 2 | `kingfisher.npm.1`, `kingfisher.npm.2` |
| `particle.io` | 2 | `kingfisher.particleio.1`, `kingfisher.particleio.2` |
| `resend` | 1 | `kingfisher.resend.api_key.1` |
| `sendgrid` | 1 | `kingfisher.sendgrid.1` |
| `slack` | 2 | `kingfisher.slack.1`, `kingfisher.slack.2` |
| `sumologic` | 1 | `kingfisher.sumologic.2` |
| `tailscale` | 1 | `kingfisher.tailscale.1` |
| `twilio` | 1 | `kingfisher.twilio.2` |
| `twitch` | 1 | `kingfisher.twitch.1` |
| `unkey` | 1 | `kingfisher.unkey.2` |
| `vercel` | 5 | `kingfisher.vercel.1`, `kingfisher.vercel.2`, `kingfisher.vercel.3`, `kingfisher.vercel.4`, `kingfisher.vercel.5` |
| `vonage` | 1 | `kingfisher.vonage.2` |
| `vultr` | 1 | `kingfisher.vultr.1` |

## Notes

- Coverage above is derived from built-in YAML rules under `crates/kingfisher-rules/data/rules/` that currently define a `revocation:` block.
- A provider may have additional detection/validation rules that do not yet support revocation.
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			`---`
			`title: "Secret Revocation"`
fixed performance regression 2026-04-09 22:21:02 -07:00			`description: "Revoke compromised credentials directly from the CLI using built-in provider-specific revocation flows."`
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			`---`

			`# Revocation Support Matrix`

			Kingfisher supports direct secret revocation through rule-level `revocation:` blocks.

			`Current coverage in built-in rules:`
cleaned up dependency tree 2026-04-13 21:44:45 -07:00			- `34` provider families
			- `53` revocation-enabled rules
fixed failing windows test setup 2026-04-05 10:38:20 -07:00
			Use `kingfisher revoke --rule <rule-id> <secret>` to invoke these flows. See [USAGE.md](../usage/basic-scanning.md#direct-secret-revocation-with-kingfisher-revoke) for command details.

			`## Supported Providers`

			`\| Provider \| Revocation Rule Count \| Rule IDs \|`
			`\|---\|---:\|---\|`
			\| `aws` \| 1 \| `kingfisher.aws.2` \|
			\| `browserstack` \| 1 \| `kingfisher.browserstack.1` \|
			\| `buildkite` \| 1 \| `kingfisher.buildkite.1` \|
			\| `cloudflare` \| 1 \| `kingfisher.cloudflare.1` \|
			\| `confluent` \| 2 \| `kingfisher.confluent.2`, `kingfisher.confluent.3` \|
fixed performance regression 2026-04-09 22:21:02 -07:00			\| `cratesio` \| 1 \| `kingfisher.cratesio.1` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			\| `deviantart` \| 1 \| `kingfisher.deviantart.1` \|
cleaned up dependency tree 2026-04-13 21:44:45 -07:00			\| `digitalocean` \| 1 \| `kingfisher.digitalocean.1` \|
			\| `discord` \| 1 \| `kingfisher.discord.1` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			\| `doppler` \| 6 \| `kingfisher.doppler.1`, `kingfisher.doppler.2`, `kingfisher.doppler.3`, `kingfisher.doppler.4`, `kingfisher.doppler.5`, `kingfisher.doppler.6` \|
			\| `gcp` \| 1 \| `kingfisher.gcp.1` \|
			\| `github` \| 3 \| `kingfisher.github.1`, `kingfisher.github.2`, `kingfisher.github.5` \|
			\| `gitlab` \| 2 \| `kingfisher.gitlab.1`, `kingfisher.gitlab.4` \|
fixed performance regression 2026-04-09 22:21:02 -07:00			\| `google` \| 2 \| `kingfisher.google.4`, `kingfisher.google.oauth2.1` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			\| `harness` \| 1 \| `kingfisher.harness.pat.1` \|
fixed performance regression 2026-04-09 22:21:02 -07:00			\| `heroku` \| 2 \| `kingfisher.heroku.1`, `kingfisher.heroku.2` \|
cleaned up dependency tree 2026-04-13 21:44:45 -07:00			\| `launchdarkly` \| 1 \| `kingfisher.launchdarkly.1` \|
			\| `linode` \| 1 \| `kingfisher.linode.1` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			\| `mapbox` \| 1 \| `kingfisher.mapbox.2` \|
			\| `mongodb` \| 1 \| `kingfisher.mongodb.1` \|
cleaned up dependency tree 2026-04-13 21:44:45 -07:00			\| `netlify` \| 2 \| `kingfisher.netlify.1`, `kingfisher.netlify.2` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			\| `npm` \| 2 \| `kingfisher.npm.1`, `kingfisher.npm.2` \|
			\| `particle.io` \| 2 \| `kingfisher.particleio.1`, `kingfisher.particleio.2` \|
cleaned up dependency tree 2026-04-13 21:44:45 -07:00			\| `resend` \| 1 \| `kingfisher.resend.api_key.1` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00			\| `sendgrid` \| 1 \| `kingfisher.sendgrid.1` \|
			\| `slack` \| 2 \| `kingfisher.slack.1`, `kingfisher.slack.2` \|
			\| `sumologic` \| 1 \| `kingfisher.sumologic.2` \|
			\| `tailscale` \| 1 \| `kingfisher.tailscale.1` \|
			\| `twilio` \| 1 \| `kingfisher.twilio.2` \|
			\| `twitch` \| 1 \| `kingfisher.twitch.1` \|
			\| `unkey` \| 1 \| `kingfisher.unkey.2` \|
			\| `vercel` \| 5 \| `kingfisher.vercel.1`, `kingfisher.vercel.2`, `kingfisher.vercel.3`, `kingfisher.vercel.4`, `kingfisher.vercel.5` \|
fixed performance regression 2026-04-09 22:21:02 -07:00			\| `vonage` \| 1 \| `kingfisher.vonage.2` \|
			\| `vultr` \| 1 \| `kingfisher.vultr.1` \|
fixed failing windows test setup 2026-04-05 10:38:20 -07:00
			`## Notes`

			- Coverage above is derived from built-in YAML rules under `crates/kingfisher-rules/data/rules/` that currently define a `revocation:` block.
			`- A provider may have additional detection/validation rules that do not yet support revocation.`