Advanced JavaScript Security Scanner & SPA Analyzer
SPAnalyzeR is a comprehensive tool for analyzing Single Page Applications (SPAs) and detecting sensitive data in JavaScript files. It combines asset collection, code analysis, and security scanning in one powerful CLI tool.
- API Keys & Tokens: Detects hardcoded API keys, OAuth tokens, JWT tokens
- Credentials: Finds usernames, passwords, and authentication data
- Personal Information: Identifies emails, phone numbers, SSNs, credit cards
- Network Data: Discovers IP addresses, URLs, and endpoints
- Database Connections: Finds connection strings and database credentials
- Cloud Services: Detects AWS, Google Cloud, Azure credentials
- Environment Variables: Identifies environment variable usage
- Asset Collection: Downloads all JavaScript, CSS, and HTML assets
- Code Processing: Deobfuscates and beautifies minified JavaScript
- Source Map Extraction: Extracts original source code from source maps
- Framework Detection: Identifies React, Vue, Angular, and other frameworks
- Comprehensive Reporting: Generates detailed analysis reports
- Project Scanning: Scan entire projects for sensitive data
- File Analysis: Analyze specific JavaScript files
- Pattern Listing: View all available detection patterns
- Statistics: Get detailed project statistics
- Export Results: Export findings in JSON and CSV formats
```bash
# Clone the repository
git clone https://github.com/yourusername/SPAnalyzeR.git
cd SPAnalyzeR
# Install dependencies
pip install -r requirements.txt
# Install Playwright browsers (optional, for asset collection)
playwright install
```
```bash
python main.py https://example.com
python detect.py scan /path/to/project
python detect.py file /path/to/file.js
python detect.py patterns
python detect.py stats /path/to/project
```
- API Keys: 32+ character strings, API key patterns
- OAuth Tokens: GitHub, social media, OAuth tokens
- JWT Tokens: JSON Web Token patterns
- Hardcoded Credentials: Usernames, passwords, secrets
- URLs & Endpoints: API endpoints, fetch calls, axios requests
- IP Addresses: Hardcoded IP addresses and localhost references
- Connection Strings: MongoDB, PostgreSQL, MySQL, Redis connections
- Database Credentials: Database usernames and passwords
- Emails: Email address patterns
- Phone Numbers: Phone number formats
- SSNs: Social Security Number patterns
- Credit Cards: Credit card number patterns
- IBAN: International Bank Account Numbers
- AWS Credentials: Access keys, secret keys, ARNs
- Google Cloud: Storage URLs, API endpoints
- Azure: Azure service URLs and credentials
- Environment Variables: process.env, import.meta.env usage
- Debug Information: Console logs, debugger statements
```text
SENSITIVE DATA DETECTION SUMMARY
============================================================
Total Detections: 15
Files Analyzed: 8
SEVERITY BREAKDOWN:
  CRITICAL: 3
  HIGH: 8
  MEDIUM: 4
CATEGORY BREAKDOWN:
  Authentication: 8
  Network: 4
  Personal: 3
TOP DETECTION TYPES:
  api_keys: 5
  urls_endpoints: 4
  personal_info: 3
```
- JSON: Complete detection results with metadata
- CSV: Tabular format for spreadsheet analysis
- Detailed Report: Human-readable text report
- Pattern Validation: Advanced regex patterns with validation
- Context Analysis: Analyzes surrounding code context
- False Positive Filtering: Filters out common test/example data
- Confidence Scoring: Each detection has a confidence score
- Value Masking: Sensitive values are masked in output
- Secure Logging: No sensitive data in log files
- Temporary File Cleanup: Automatic cleanup of temporary files
```text
SPAnalyzeR/
├── main.py            # Main SPA analysis tool
├── detect.py          # Sensitive data detection CLI
├── libs/
│   ├── detector.py    # Sensitive data detection engine
│   ├── downloader.py  # Asset collection system
│   ├── processor.py   # JavaScript processing
│   ├── framework.py   # Framework detection
│   ├── sourcemap.py   # Source map extraction
│   ├── reporter.py    # Report generation
│   └── utils.py       # Utility functions
├── projects/          # Analysis results
├── requirements.txt   # Python dependencies
└── README.md          # This file
```
The detection system uses configurable patterns in `libs/detector.py`:

```python
self.detection_patterns = {
    'api_keys': {
        'patterns': [
            r'["\']([a-zA-Z0-9]{32,})["\']',
            r'api[_-]?key["\']?\s*[:=]\s*["\']([^"\']+)["\']',
        ],
        'confidence': 0.8,
        'severity': 'HIGH',
        'category': 'Authentication'
    }
}
```

You can add custom detection patterns by modifying the `_initialize_patterns()` method in `SensitiveDataDetector`.
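As an added illustration of how the pattern dictionary above, the false positive filtering and the value masking fit together, here is a small stand-alone scanner in the same shape. It is not SPAnalyzeR's own code: `EXAMPLE_PATTERNS`, `FALSE_POSITIVE_MARKERS`, `scan_source`, `mask_value`, `summarize` and the sample JavaScript are all constructed for this example.

```python
import re
# Added example, not the project's code: a minimal scanner built around the same
# pattern-dictionary shape the README shows for libs/detector.py; all names are hypothetical.
EXAMPLE_PATTERNS = {
    'api_keys': {
        'patterns': [
            r'api[_-]?key["\']?\s*[:=]\s*["\']([^"\']+)["\']',
            r'["\']([a-zA-Z0-9]{32,})["\']',
        ],
        'confidence': 0.8, 'severity': 'HIGH', 'category': 'Authentication',
    },
    'urls_endpoints': {
        'patterns': [r'fetch\(\s*["\'](https?://[^"\']+)["\']'],
        'confidence': 0.6, 'severity': 'MEDIUM', 'category': 'Network',
    },
}
FALSE_POSITIVE_MARKERS = ('example', 'test', 'xxxx', 'your_', 'changeme')  # test/placeholder data

def mask_value(value):
    """Keep only the first and last 4 characters so reports never carry the full secret."""
    if len(value) <= 8:
        return '*' * len(value)
    return value[:4] + '*' * (len(value) - 8) + value[-4:]

def scan_source(source, patterns=EXAMPLE_PATTERNS):
    """Run every pattern over one file's text and return masked, scored findings."""
    findings = []
    for name, spec in patterns.items():
        for pattern in spec['patterns']:
            for m in re.finditer(pattern, source, re.IGNORECASE):
                value = m.group(1)
                if any(marker in value.lower() for marker in FALSE_POSITIVE_MARKERS):
                    continue  # false positive filtering: skip obvious test/example values
                findings.append({'type': name, 'severity': spec['severity'],
                                 'category': spec['category'], 'confidence': spec['confidence'],
                                 'line': source.count('\n', 0, m.start()) + 1,
                                 'value': mask_value(value)})  # masked, never the raw secret
    return findings

def summarize(findings):
    """Severity breakdown like the CLI summary, e.g. {'HIGH': 1, 'MEDIUM': 1}."""
    counts = {}
    for f in findings:
        counts[f['severity']] = counts.get(f['severity'], 0) + 1
    return counts

# Constructed sample JavaScript; not taken from any real application.
SAMPLE_JS = ('const apiKey = "sk_live_ABCDEF1234567890ABCDEF1234567890";\n'
             'const config = { api_key: "test_key_xxxx" };\n'
             'fetch("https://api.internal.corp/v1/users");\n')
```

Running `scan_source(SAMPLE_JS)` reports the live-looking key on line 1 and the endpoint on line 3, drops the `test_key_xxxx` placeholder, and never includes the full key in the result.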
- Fast Scanning: Processes thousands of files quickly
- Memory Efficient: Streams large files without loading entirely
- Parallel Processing: Uses async/await for concurrent operations
- Incremental Analysis: Can analyze specific files or directories
- Fork the repository
- Create a feature branch
- Add your detection patterns or improvements
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
This tool is for security research and educational purposes only. Always ensure you have permission to scan the target systems. The authors are not responsible for any misuse of this tool.
- Issues: Report bugs and feature requests on GitHub
- Documentation: Check the inline code documentation
- Examples: See the examples/ directory for usage examples
SPAnalyzeR v2.0 - Advanced JavaScript Security Scanner