jspect formats JavaScript with syntax highlighting — including expanding minified/obfuscated bundles into readable code — and inspects JS for endpoints, secrets, and other recon findings using a configurable rule set. Pure Go, zero dependencies.
go install github.com/roy0x01/jspect@latestjspect <input.js|url> [-o output.js] [--analyze] [--config <file>]
| Command | What it does |
|---|---|
jspect app.js |
Format and print with color |
jspect app.js -o pretty.js |
Format and save to file |
jspect https://site.com/app.js |
Fetch, format, and print |
jspect app.js --analyze |
Scan for endpoints, secrets, IPs, and more |
jspect --init-config |
Write the default rule set to ~/.jspect/analyze.conf |
Input is never modified unless -o is given.
Works on both clean and minified/obfuscated JS — expands single-line bundles into properly indented, readable code.
| Token | Color |
|---|---|
| Keywords | Violet |
| Strings / template literals | Sage green |
| Numbers | Coral |
| Function names | Sky blue |
| Operators | Pink |
{ } ( ) [ ] |
Gold |
| Comments | Grey |
JSON.parse("...") calls are automatically detected and the JSON inside is pretty-printed.
jspect app.js --analyzeOn first run, a default rule set is created at ~/.jspect/analyze.conf covering:
- Endpoints — API paths, HTTP client calls (
fetch,axios,$.ajax,.get/.post/...), template literal paths - URLs — absolute URLs, WebSocket endpoints, S3/Azure/GCS buckets
- GraphQL — operations and endpoints
- Credentials — JWTs, API keys, passwords, basic auth in URLs
- Cloud Keys — AWS, Google, Stripe, Slack, GitHub, SendGrid, Twilio
- Network — IPv4 addresses, private ranges
- Debug — console statements, TODO/FIXME/hardcoded-credential comments
Findings are grouped by category and sorted by severity (critical → high → medium → info).
Edit ~/.jspect/analyze.conf directly — no recompiling needed:
name = Internal Auth Header
category = Custom
severity = high
pattern = X-Internal-Token:\s*[\w\-]+
Use a team-shared config with --config:
jspect app.js --analyze --config ./team-rules.confsample.js — a realistic minified bundle containing endpoints, a JWT, an S3 bucket, GraphQL operations, and hardcoded secrets, for testing both formatting and analysis.
jspect sample.js
jspect sample.js --analyzeMIT