JS-Sentinel is a high-precision security auditing tool that scans JavaScript files for exposed secrets, credentials, tokens, and sensitive data using a carefully curated set of advanced regular expressions.
Built for pentesters, bug hunters, security engineers, developers, DevOps teams, and auditors, JS-Sentinel helps prevent credential leaks before they reach production or public repositories.
Secret leaks are one of the most common and dangerous security failures in modern applications. JS-Sentinel helps you:
- Detect leaked secrets before attackers do
- Audit legacy JavaScript codebases
- Secure frontend bundles and backend scripts
- Enforce secret hygiene in CI/CD pipelines
🔐 This tool performs static analysis only — it does NOT exploit, brute-force, or bypass security controls.
- 🔍 Recursive scanning of `.js` files
- 🔐 Detection of 40+ secret types
- ☁️ Cloud & SaaS provider coverage
- 🧠 Smart regex patterns with low false positives
- 🧾 Clean, structured, audit-ready reports
- ⚡ Fast, lightweight, zero dependencies

Detected secret types:
- API keys, access tokens, client secrets
- Usernames & passwords
- Nonces and auth tokens
- AWS (Access Key, Secret Key, Session Token)
- Google API Keys
- Firebase database URLs
- Vercel secrets
- GitHub, GitLab, Bitbucket tokens
- Slack & Discord tokens
- JWTs
- Bearer & Basic Auth headers
- Stripe (live keys)
- Square access tokens
- Mailgun API keys
- Heroku API keys
- SSH private keys
- PEM private keys
- Emails
- URLs & subdomains
- Tokens embedded in URLs
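The approach the feature list describes (walk a tree, scan only `.js` files, match one regex per secret type, suppress low-entropy placeholders, emit an audit-ready report with the values redacted) is illustrated below. This is example code added for this page, not JS-Sentinel's own scanner: the pattern set is a small hypothetical subset rather than the project's curated 40+ patterns, the entropy threshold is an assumed value, and every credential in the sample tree is a constructed dummy (`AKIAIOSFODNN7EXAMPLE` is the sample key from the AWS documentation).

```python
import math
import os
import re
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path line secret_type preview")

# (name, regex, apply_entropy_filter). Hypothetical subset for this example,
# not JS-Sentinel's curated set; shapes follow commonly documented formats.
# A named "secret" group isolates the credential value where the match
# also contains surrounding syntax.
PATTERNS = [
    ("AWS Access Key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), True),
    ("Google API Key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), True),
    ("Slack Token", re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"), True),
    ("JWT", re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\b"), True),
    ("Bearer Header", re.compile(r"Bearer\s+(?P<secret>[0-9A-Za-z._~+/=-]{20,})"), True),
    ("Generic Credential Assignment", re.compile(
        r"(?i)(?:password|passwd|api[_-]?key|client[_-]?secret)\s*[:=]\s*[\"'](?P<secret>[^\"']{8,})[\"']"), True),
    # A private-key header is fixed text, so an entropy check says nothing about it.
    ("Private Key Block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), False),
]
ENTROPY_THRESHOLD = 3.0  # bits/char (assumed); AKIAXXXX... placeholders score ~1


def shannon_entropy(s):
    """Bits of entropy per character; dummy values like XXXX score near zero."""
    if not s:
        return 0.0
    counts = [s.count(c) for c in set(s)]
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts)


def redact(value):
    """Show only the edges so the report itself does not become a secret leak."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-4:]


def scan_text(text, path):
    """Run every pattern over every line; drop low-entropy (placeholder) hits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, regex, use_entropy in PATTERNS:
            for m in regex.finditer(line):
                value = m.group("secret") if "secret" in m.groupdict() else m.group(0)
                if use_entropy and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append(Finding(path, lineno, name, redact(value)))
    return findings


def scan_directory(root):
    """Walk root recursively and scan only .js files, as the tool describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.endswith(".js"):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return sorted(findings)


def format_report(findings):
    """One audit line per finding: file:line  [type]  redacted value."""
    return "\n".join(f"{f.path}:{f.line}  [{f.secret_type}]  {f.preview}" for f in findings)


# Constructed sample tree; every value is made up (AKIAIOSFODNN7EXAMPLE is the
# sample key from the AWS documentation). README.md must be skipped.
SAMPLE_TREE = {
    "src/config.js": (
        'const awsKey = "AKIAIOSFODNN7EXAMPLE";\n'
        'const placeholder = "AKIAXXXXXXXXXXXXXXXX";\n'   # matches the regex, filtered by entropy
        'const mapsKey = "AIzaSyD-CONSTRUCTED-SAMPLE-KEY-01234567";\n'
        'const dbPassword = "correct-horse-battery-staple";\n'
    ),
    "src/api/client.js": (
        'const slack = "xoxb-0000000000-CONSTRUCTED-sample";\n'
        'fetch(url, { headers: { Authorization: "Bearer CONSTRUCTED-token-9f8e7d6c5b4a3210" } });\n'
        'const jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLXNhbXBsZQ";\n'
    ),
    "scripts/deploy.js": 'const pem = "-----BEGIN RSA PRIVATE KEY-----\\nMIIE...";\n',
    "README.md": "Docs quoting AKIAIOSFODNN7EXAMPLE are out of scope for a .js scan.\n",
}


def demo_findings():
    """Write the sample tree to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_TREE.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    print(format_report(demo_findings()))
```

Running it reports seven findings across the three `.js` files and none from `README.md`; the `AKIAXXXX...` placeholder matches the AWS regex but is dropped by the entropy filter, which is the kind of check that keeps false positives low without loosening the patterns. Redacting the value in the report matters for the same reason the tool exists: an audit file that contains full credentials is itself something to rotate for if it leaks.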
Requirements:
- Python 3.8 or higher
- No external dependencies

Installation:
```bash
git clone https://github.com/the-shadow-0/JS-Sentinel.git
cd JS-Sentinel
```

Usage:
```bash
python JS-Sentinel.py <js_folder> [-o output_file]
```

CLI Arguments:
| Argument | Description |
|---|---|
| `js_folder` | Path to the directory containing `.js` files to scan |
| `-o`, `--output` | Output file name (default: `js_secrets.txt`) |
Example:
```bash
python JS-Sentinel.py ./build -o audit-report.txt
```

This tool is intended only for:
- Codebases you own
- Applications you are authorized to test
- Legitimate security audits and reviews
❌ Do NOT use this tool to:
- Scan systems without permission
- Harvest or misuse credentials
- Exploit discovered secrets
If secrets are discovered:
- Rotate them immediately
- Remove them from the source code
- Store secrets using environment variables or secret managers
Contributions are welcome!
You can help by:
- Adding new regex patterns
- Improving detection accuracy
- Reducing false positives
- Adding JSON or CSV output support
Please open an issue or submit a pull request.
MIT License
You are free to use, modify, and distribute this project under the terms of the license.