loading
loading
Static Code Analysis
Python tool that discovers API keys, tokens, and other secrets inside JavaScript files.
overview
SecretFinder digs through JavaScript files for sensitive data: API keys, access tokens, authorization values, JWTs, and similar secrets that developers leave in client-side code. Built on LinkFinder, it runs the Python jsbeautifier over a script and then applies a large regular expression to surface anything that looks like a credential.
It accepts a single file, a folder, or a remote URL, and it can extract every JavaScript link on a page and process each one. Cookies and headers let it reach authenticated scripts, a filtering regex narrows which endpoints count, and include and ignore string filters decide which JS URLs to process. It also reads Burp-exported files for offline review of captured traffic.
On Trickest, SecretFinder is a Static Code Analysis node that takes a file, folder, or URL and writes a file and a folder of findings. Run it after a crawler harvests JavaScript so the script surface of an app gets a dedicated secret sweep.
use cases
Scan an app's JavaScript for API keys, tokens, JWTs, and authorization values that were shipped to the browser by mistake.
Point -e at a page so SecretFinder finds each JavaScript link and runs the secret scan on every one, instead of a single script at a time.
Pass cookies with -c and headers with -H so scripts that only load for a logged-in session are fetched and scanned for secrets.
Feed a Burp-exported file with -b so JavaScript captured during a proxied session is scanned offline for leaked credentials.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input-string | STRING | -i | Input a URL to scan. |
| input-file | FILE | -i | Input a file to scan. |
| input-folder | FOLDER | -i | Input a folder of JavaScript to scan. |
| extract-all-js-links | BOOLEAN | -e | Extract all JavaScript links on a page and process them. |
| cookie | STRING | -c | Add cookies for authenticated JS files. |
| headers | STRING | -H | Set headers ("Name:Value\nName:Value"). |
| filtering-regex | STRING | -r | RegEx to filter found endpoints (e.g. ^/api/). |
| support-burp-exported-file | BOOLEAN | -b | Support a Burp-exported file as input. |
Showing key inputs. secretfinder exposes 11 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| proxy | STRING | -p | Set proxy (host:port). |
| cookie | STRING | -c | Add cookies for authenticated JS files. |
| headers | STRING | -H | Set headers ("Name:Value\nName:Value"). |
| input-file | FILE | -i | Input a file to scan. |
| input-folder | FOLDER | -i | Input a folder to scan. |
| input-string | STRING | -i | Input a URL to scan. |
| filtering-regex | STRING | -r | RegEx for filtering purposes against found endpoints (e.g. ^/api/). |
| only-process-this | STRING | -n | Process a JS URL only if it contains the provided string (string;string2..). |
| ignore-if-contains | STRING | -g | Ignore a JS URL if it contains the provided string (string;string2..). |
| extract-all-js-links | BOOLEAN | -e | Extract all JavaScript links located in a page and process them. |
| support-burp-exported-file | BOOLEAN | -b | Support a Burp-exported file as input. |
example
# scan every JS link on a page, print findings to the terminalpython3 SecretFinder.py -i https://example.com/ -e -o cli[ + ] URL: https://example.com/static/app.min.jsgoogle_api -> ['AIzaSyD-EXAMPLE0000000000000000000000000']aws_access_key -> ['AKIAEXAMPLE0000000000']authorization_bearer -> ['Bearer eyJhbGciOiJIUzI1NiEXAMPLE.payload.sig'][ + ] URL: https://example.com/static/vendor.jsheroku_api_key -> ['00000000-0000-0000-0000-000000000000']slack_token -> ['xoxb-000000000000-EXAMPLE00000000000000']possible_creds -> ['password = "changeme-example"']guidance
Reach for SecretFinder when the secrets you care about live in JavaScript files served to the browser. For secrets across Git history use reposcanner or gitleaks; for vulnerable JS library versions rather than leaked keys, Retire.js is the right tool.
The base project SecretFinder extends, focused on extracting endpoints from JS.
Runs custom regex rules across a directory or repository rather than JS specifically.
Finds vulnerable JavaScript library versions instead of leaked secrets in JS.
faq
related
Find common security issues in Python code.
A source code scanner that reviews Ruby code for security issues.
Analyze big volumes of data in search of hardcoded secrets like keys and passwords.
Git ripper that can rip repositories even when directory browsing is turned off.
Check whether a Git repository pulls in Log4J, and list the files that use it.
Detect hardcoded secrets like passwords, API keys, and tokens in git repos.
A set of JavaScript URLs feeds SecretFinder, which beautifies and regex-scans each one and writes any leaked secrets as a queryable output.
Facts on this page come from the live Trickest tool library.