js-fetch-analyze
The js-fetch-analyze tool fetches and analyzes JavaScript files from specified URLs as part of automated security workflows. Its capabilities include automatic source map detection, secret scanning, and hash-based deduplication, which help identify potential security vulnerabilities in web applications.
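The three analysis steps named above (hash-based deduplication, source map detection, secret scanning), as an added Python example that is not js-fetch-analyze's own code. The function name, report fields and the two regex rules are assumptions, and the sample bodies are constructed so the block runs offline.

```python
import hashlib
import re
from urllib.parse import urljoin

# Illustrative rules only (assumed); a real scanner carries a far larger rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*[\"']([A-Za-z0-9_\-]{16,})[\"']", re.I),
}
# "//# sourceMappingURL=..." comment (legacy form uses "//@").
SOURCEMAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)


def analyze(fetched, max_bytes=5_000_000):
    """fetched: iterable of (url, body_bytes). Returns one report per unique body."""
    seen = {}  # sha256 -> report, so byte-identical files are analyzed once
    for url, body in fetched:
        body = body[:max_bytes]  # same idea as a per-file download cap
        digest = hashlib.sha256(body).hexdigest()
        if digest in seen:
            seen[digest]["urls"].append(url)
            continue
        text = body.decode("utf-8", errors="replace")
        maps = SOURCEMAP_RE.findall(text)
        map_url = None
        # Inline data: maps need no second request; others resolve against the script URL.
        if maps and not maps[-1].startswith("data:"):
            map_url = urljoin(url, maps[-1])
        findings = [
            {"rule": name, "line": text.count("\n", 0, m.start()) + 1}
            for name, rx in SECRET_PATTERNS.items()
            for m in rx.finditer(text)
        ]
        seen[digest] = {"sha256": digest, "urls": [url],
                        "sourcemap": map_url, "findings": findings}
    return list(seen.values())


# Constructed sample bodies, not real responses; the AKIA value is AWS's documented example key.
_APP = (b'const cfg = {apiKey: "abcd1234efgh5678ijkl"};\n'
        b'var k = "AKIAIOSFODNN7EXAMPLE";\n'
        b'//# sourceMappingURL=app.js.map\n')
SAMPLE = [
    ("https://example.com/static/js/app.js", _APP),
    ("https://cdn.example.com/app.js", _APP),  # same bytes, different URL
    ("https://example.com/static/js/vendor.js", b"console.log('vendor');\n"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Reporting the rule name and line number rather than the matched value keeps the secret itself out of the scan output.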
Ideal Use Cases & Fit
This tool excels in scenarios where developers and security teams need to assess the security of client-side JavaScript. Common inputs include lists of URLs pointing to JavaScript files within an application. It effectively solves issues related to identifying hardcoded secrets, incomplete or erroneous source maps, and potential client-side flaws. However, it may not be appropriate for environments with minimal JavaScript usage or non-web applications that do not utilize public-facing JS.
Value in Workflows
Incorporating js-fetch-analyze into security workflows enhances early reconnaissance phases by providing valuable visibility into web application assets and potential vulnerabilities. It serves as a foundational step in the security assessment process, allowing teams to gather and analyze essential metrics before engaging in more complex testing or remediation efforts.
Input Data
The tool requires a text file containing URLs of JavaScript resources. Each URL should be on a new line, facilitating batch processing. For example, an input file might look like this:
https://example.com/static/js/app.js
https://example.com/static/js/vendor.js
https://cdn.example.com/analytics.js
Configuration
- max-bytes: Defines the maximum bytes to download per JavaScript file, with a default value of 5,000,000.
- timeout: Specifies the timeout (in seconds) for each HTTP request, defaulting to 30 seconds.
- retries: Sets the maximum retry attempts for each URL on failure, with a default of 2 attempts.
- user-agent: Allows customization of the User-Agent string used in HTTP requests.
- no-sourcemaps: Enables or disables the automatic source map detection and fetching feature.
- proxy: Specifies an HTTP/HTTPS proxy for requests if needed.
Updated: 2026-01-21