Skip to content

roy0x01/jspect

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

jspect logo

jspect

Beautify and recon JS from the terminal

Go License Platform


jspect formats JavaScript with syntax highlighting — including expanding minified/obfuscated bundles into readable code — and inspects JS for endpoints, secrets, and other recon findings using a configurable rule set. Pure Go, zero dependencies.

Install

go install github.com/roy0x01/jspect@latest

Usage

jspect <input.js|url> [-o output.js] [--analyze] [--config <file>]
Command What it does
jspect app.js Format and print with color
jspect app.js -o pretty.js Format and save to file
jspect https://site.com/app.js Fetch, format, and print
jspect app.js --analyze Scan for endpoints, secrets, IPs, and more
jspect --init-config Write the default rule set to ~/.jspect/analyze.conf

Input is never modified unless -o is given.


Formatting

Works on both clean and minified/obfuscated JS — expands single-line bundles into properly indented, readable code.

Token Color
Keywords Violet
Strings / template literals Sage green
Numbers Coral
Function names Sky blue
Operators Pink
{ } ( ) [ ] Gold
Comments Grey

JSON.parse("...") calls are automatically detected and the JSON inside is pretty-printed.


Recon analysis

jspect app.js --analyze

On first run, a default rule set is created at ~/.jspect/analyze.conf covering:

  • Endpoints — API paths, HTTP client calls (fetch, axios, $.ajax, .get/.post/...), template literal paths
  • URLs — absolute URLs, WebSocket endpoints, S3/Azure/GCS buckets
  • GraphQL — operations and endpoints
  • Credentials — JWTs, API keys, passwords, basic auth in URLs
  • Cloud Keys — AWS, Google, Stripe, Slack, GitHub, SendGrid, Twilio
  • Network — IPv4 addresses, private ranges
  • Debug — console statements, TODO/FIXME/hardcoded-credential comments

Findings are grouped by category and sorted by severity (critical → high → medium → info).

Customizing rules

Edit ~/.jspect/analyze.conf directly — no recompiling needed:

name     = Internal Auth Header
category = Custom
severity = high
pattern  = X-Internal-Token:\s*[\w\-]+

Use a team-shared config with --config:

jspect app.js --analyze --config ./team-rules.conf

Sample file

sample.js — a realistic minified bundle containing endpoints, a JWT, an S3 bucket, GraphQL operations, and hardcoded secrets, for testing both formatting and analysis.

jspect sample.js
jspect sample.js --analyze

License

MIT

About

Beautify and recon JS from the terminal

Topics

Resources

Stars

2 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors