secretfinder.sh

secretfinder

Find secrets (API keys, tokens) in JavaScript files.

Quickstart

# Analyze JS file
secretfinder -i https://target.com/app.js -o cli

# Analyze webpage
secretfinder -i https://target.com -o cli

# HTML report
secretfinder -i https://target.com -o results.html

Core Concepts

Concept            Description
-----------------  ---------------------------------
Secret detection   API keys, tokens, credentials
Regex patterns     Match known secret formats
JS analysis        Parse JavaScript files

Syntax

secretfinder -i <input> -o <output> [options]

Options

Option        Description
------------  -----------------------------------
-i <input>    Input URL or file
-o <output>   Output (cli, html)
-r <regex>    Custom regex
-e <ext>      File extension
-g <pattern>  Grep pattern

Flag names and meanings differ between releases; confirm them with secretfinder -h before relying on a recipe.

Recipes

Basic Usage

# Single JS file
secretfinder -i https://target.com/static/js/main.js -o cli

# Full webpage
secretfinder -i https://target.com -o cli

# HTML report
secretfinder -i https://target.com -o secrets.html

Multiple Files

# Loop through JS files (one URL or path per line; read -r keeps backslashes intact
# and avoids the word-splitting of a $(cat ...) loop)
while read -r js; do
  echo "=== $js ==="
  secretfinder -i "$js" -o cli
done < js_files.txt

# Pipeline: suppress stderr noise and dedupe; note that sort -u drops the
# per-file association, so keep the first form when you need to know the source
while read -r url; do
  secretfinder -i "$url" -o cli 2>/dev/null
done < js_urls.txt | sort -u

Custom Patterns

# Custom regex
secretfinder -i https://target.com -o cli -r "password['\"]?\s*[:=]\s*['\"][^'\"]+['\"]"

# Grep specific pattern
secretfinder -i https://target.com -o cli -g "api_key"

Pipeline

# Find JS → extract secrets (match .js with or without a ?query suffix)
katana -u https://target.com -silent | grep -E '\.js(\?|$)' | while read -r js; do
  secretfinder -i "$js" -o cli 2>/dev/null
done | sort -u

# Subfinder → httpx → secretfinder
subfinder -d target.com -silent | httpx -silent | while read -r url; do
  secretfinder -i "$url" -o cli 2>/dev/null
done

What It Finds

Secret Type    Example Pattern
-------------  ---------------------------------
AWS Keys       AKIA[0-9A-Z]{16}
Google API     AIza[0-9A-Za-z-_]{35}
Slack Token    xox[baprs]-...
GitHub Token   ghp_[0-9A-Za-z]{36}
JWT            eyJ[A-Za-z0-9-_=]+\.eyJ...
Private Keys   -----BEGIN.*PRIVATE KEY-----
Passwords      password\s*=\s*['"]...

Output & Parsing

# CLI output
secretfinder -i https://target.com -o cli

# Filter by type
secretfinder -i https://target.com -o cli | grep -i "api"

# HTML for review
secretfinder -i https://target.com -o report.html

Troubleshooting

Issue            Solution
---------------  ------------------------------------------------------------------
No secrets       The JS may be minified or obfuscated, so the stock patterns do not match
False positives  Treat every hit as a candidate and verify it manually before acting on it
Timeout          Confirm the URL is reachable from the scanning host
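To show what the Core Concepts table and the What It Finds patterns amount to in practice, and why the "False positives" row matters, here is an added example in Python (not SecretFinder's own code). It runs regexes modelled on the table over a constructed JavaScript fragment and flags hits that look like placeholders or have low entropy for manual review. The completed tails of the Slack, JWT and password regexes, the placeholder marker list, the entropy threshold and the sample values are all assumptions made for this example; the AWS key is the documented AWS example value.

```python
# Added example (not SecretFinder's own code): a minimal regex secret scanner
# in the style of the tool, run over a constructed JavaScript sample, with a
# placeholder/entropy check that illustrates why findings need manual review.
import math
import re
from collections import Counter

# Regexes follow the "What It Finds" table. Where the table elides a pattern
# ("...") the remainder is an assumption chosen for this example.
PATTERNS = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Google API Key": re.compile(r"AIza[0-9A-Za-z\-_]{35}"),
    "Slack Token":    re.compile(r"xox[baprs]-[0-9A-Za-z\-]{10,}"),  # body assumed
    "GitHub Token":   re.compile(r"ghp_[0-9A-Za-z]{36}"),
    "JWT":            re.compile(r"eyJ[A-Za-z0-9\-_=]+\.eyJ[A-Za-z0-9\-_=]+\.[A-Za-z0-9\-_]+"),  # 3rd segment assumed
    "Private Key":    re.compile(r"-----BEGIN[A-Z ]*PRIVATE KEY-----"),
    "Password":       re.compile(r"password\s*[:=]\s*['\"][^'\"]+['\"]", re.IGNORECASE),  # value shape assumed
}

# Substrings that usually mark a sample or placeholder value (assumption).
PLACEHOLDER_MARKERS = ("example", "xxxx", "changeme", "dummy", "your_", "test")


def shannon_entropy(value):
    """Bits per character: random keys score high, prose-like strings low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, min_entropy=3.0):
    """Return one finding per regex hit: type, matched text, line number,
    entropy, and a likely_placeholder flag to drive manual triage."""
    findings = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            lowered = value.lower()
            placeholder = (any(marker in lowered for marker in PLACEHOLDER_MARKERS)
                           or shannon_entropy(value) < min_entropy)
            findings.append({
                "type": name,
                "match": value,
                "line": text.count("\n", 0, m.start()) + 1,
                "entropy": round(shannon_entropy(value), 2),
                "likely_placeholder": placeholder,
            })
    return sorted(findings, key=lambda f: (f["line"], f["type"]))


def filter_by_type(findings, needle):
    """In-process equivalent of piping CLI output through grep -i on the type."""
    return [f for f in findings if needle.lower() in f["type"].lower()]


# Constructed sample JS: the AWS key is the documented AWS example value,
# the other values are made up for this example.
SAMPLE_JS = """// constructed bundle fragment
const config = {
  awsKey: "AKIAIOSFODNN7EXAMPLE",
  googleKey: "AIzaSyXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  ghToken: "ghp_aB3dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5",
  session: "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2ln",
  password: "changeme123",
};
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_JS):
        flag = " (likely placeholder, verify)" if f["likely_placeholder"] else ""
        print(f'line {f["line"]}: {f["type"]}: {f["match"]}{flag}')
```

Run it as-is to see the five hits from the sample; three of them (the AWS example key, the X-padded Google key and the changeme password) are flagged as likely placeholders, which is the kind of triage a practitioner does by hand on real CLI output before treating a hit as a leaked credential.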

References