A fast JavaScript file hunter and secret scanner written in Rust. This tool crawls websites, extracts JavaScript files, and scans them for secrets and sensitive information using regex patterns.
This was fully "vibe coded" using claude-code, and all the patterns are taken from Reghex.
- High Performance: Async/await with configurable concurrency
- Content Deduplication: Uses SHA-256 hashing to avoid processing duplicate files
- Comprehensive Scanning: Scans for API keys, tokens, credentials, and other secrets
- Detailed Reporting: CSV output with full metadata
- Extensible Patterns: JSON-based pattern configuration
- Progress Tracking: Real-time progress updates
cargo build --release
./target/release/jsniper --urls urls.txt --output ./results --workers 100 --patterns patterns.json
- --urls: Text file containing URLs (one per line)
- --output: Output directory for results
- --workers: Number of concurrent workers (default: 50)
- --patterns: JSON file containing regex patterns
https://example.com
https://test.com/page
https://another-site.org
The tool includes a comprehensive patterns.json file with common secret patterns. You can customize it to add your own patterns:
{
  "patterns": {
    "custom_api_key": {
      "regex": "CUSTOM_[0-9A-Z]{32}",
      "description": "Custom API Key"
    }
  }
}
results/
├── js_files/
│ ├── a1b2c3d4e5f6...js # Content-addressed JS files
│ └── f6e5d4c3b2a1...js
├── scan_results.csv # Main results
└── run_metadata.json # Run statistics
- url: Original page URL
- js_path: Full URL to the JS file
- filename: Extracted filename
- hash: SHA-256 hash of content
- status: HTTP status code
- secrets_found: Boolean indicating if secrets were found
- regex_matches: Comma-separated list of matching pattern names
- file_size: Size in bytes
- fetch_time: ISO 8601 timestamp
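To check a customized patterns.json before a run, the sketch below loads a file in the schema shown above, skips duplicate content by SHA-256, and builds rows with a subset of the columns listed here. It is an added example, not jsniper's own code: it uses Python's re engine, which may not accept exactly the same syntax as the tool's regex engine, and the URLs, file bodies and key value are constructed.

```python
import hashlib
import json
import re

# Constructed patterns file in the schema shown above.
PATTERNS_JSON = ('{"patterns": {"custom_api_key": {"regex": '
                 '"CUSTOM_[0-9A-Z]{32}", "description": "Custom API Key"}}}')

# Constructed sample input: (js_path, body). The key is a made-up value.
FAKE_KEY = "CUSTOM_" + "A1B2C3D4" * 4
SAMPLE_FILES = [
    ("https://example.com/static/app.js", f'const k = "{FAKE_KEY}";'),
    ("https://example.com/cdn/app.js", f'const k = "{FAKE_KEY}";'),  # same bytes
    ("https://example.com/static/ui.js", "console.log('no secrets here');"),
]


def load_patterns(text):
    """Compile every pattern; fail loudly on an invalid regex."""
    compiled = {}
    for name, spec in json.loads(text)["patterns"].items():
        try:
            compiled[name] = re.compile(spec["regex"])
        except re.error as exc:
            raise ValueError(f"pattern {name!r} does not compile: {exc}") from exc
    return compiled


def scan(files, patterns):
    """Return one row per unique body, keyed by SHA-256 of the content."""
    seen = set()
    rows = []
    for js_path, body in files:
        data = body.encode("utf-8")
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:  # duplicate content served from another URL
            continue
        seen.add(digest)
        matches = sorted(n for n, rx in patterns.items() if rx.search(body))
        rows.append({
            "js_path": js_path,
            "hash": digest,
            "secrets_found": bool(matches),
            "regex_matches": ",".join(matches),  # comma-separated names
            "file_size": len(data),
        })
    return rows


if __name__ == "__main__":
    for row in scan(SAMPLE_FILES, load_patterns(PATTERNS_JSON)):
        print(row)
```

A pattern that fails to compile raises ValueError naming the offending entry, which is cheaper to catch here than halfway through a crawl.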
This tool is designed for security research and authorized testing only. Ensure you have permission to scan target websites and handle any discovered secrets responsibly.