--- title: "Secret Revocation" description: "Revoke compromised credentials directly from the CLI using built-in provider-specific revocation flows." --- # Revocation Support Matrix Kingfisher supports direct secret revocation through rule-level `revocation:` blocks. Current coverage in built-in rules: - `34` provider families - `53` revocation-enabled rules Use `kingfisher revoke --rule ` to invoke these flows. See [USAGE.md](../usage/basic-scanning.md#direct-secret-revocation-with-kingfisher-revoke) for command details. ## Supported Providers | Provider | Revocation Rule Count | Rule IDs | |---|---:|---| | `aws` | 1 | `kingfisher.aws.2` | | `browserstack` | 1 | `kingfisher.browserstack.1` | | `buildkite` | 1 | `kingfisher.buildkite.1` | | `cloudflare` | 1 | `kingfisher.cloudflare.1` | | `confluent` | 2 | `kingfisher.confluent.2`, `kingfisher.confluent.3` | | `cratesio` | 1 | `kingfisher.cratesio.1` | | `deviantart` | 1 | `kingfisher.deviantart.1` | | `digitalocean` | 1 | `kingfisher.digitalocean.1` | | `discord` | 1 | `kingfisher.discord.1` | | `doppler` | 6 | `kingfisher.doppler.1`, `kingfisher.doppler.2`, `kingfisher.doppler.3`, `kingfisher.doppler.4`, `kingfisher.doppler.5`, `kingfisher.doppler.6` | | `gcp` | 1 | `kingfisher.gcp.1` | | `github` | 3 | `kingfisher.github.1`, `kingfisher.github.2`, `kingfisher.github.5` | | `gitlab` | 2 | `kingfisher.gitlab.1`, `kingfisher.gitlab.4` | | `google` | 2 | `kingfisher.google.4`, `kingfisher.google.oauth2.1` | | `harness` | 1 | `kingfisher.harness.pat.1` | | `heroku` | 2 | `kingfisher.heroku.1`, `kingfisher.heroku.2` | | `launchdarkly` | 1 | `kingfisher.launchdarkly.1` | | `linode` | 1 | `kingfisher.linode.1` | | `mapbox` | 1 | `kingfisher.mapbox.2` | | `mongodb` | 1 | `kingfisher.mongodb.1` | | `netlify` | 2 | `kingfisher.netlify.1`, `kingfisher.netlify.2` | | `npm` | 2 | `kingfisher.npm.1`, `kingfisher.npm.2` | | `particle.io` | 2 | `kingfisher.particleio.1`, `kingfisher.particleio.2` | | `resend` | 1 | `kingfisher.resend.api_key.1` | | `sendgrid` | 1 | `kingfisher.sendgrid.1` | | `slack` | 2 | `kingfisher.slack.1`, `kingfisher.slack.2` | | `sumologic` | 1 | `kingfisher.sumologic.2` | | `tailscale` | 1 | `kingfisher.tailscale.1` | | `twilio` | 1 | `kingfisher.twilio.2` | | `twitch` | 1 | `kingfisher.twitch.1` | | `unkey` | 1 | `kingfisher.unkey.2` | | `vercel` | 5 | `kingfisher.vercel.1`, `kingfisher.vercel.2`, `kingfisher.vercel.3`, `kingfisher.vercel.4`, `kingfisher.vercel.5` | | `vonage` | 1 | `kingfisher.vonage.2` | | `vultr` | 1 | `kingfisher.vultr.1` | ## Notes - Coverage above is derived from built-in YAML rules under `crates/kingfisher-rules/data/rules/` that currently define a `revocation:` block. - A provider may have additional detection/validation rules that do not yet support revocation.