klyrek-js¶
Status: live on PyPI — pip install klyrek-js
Scans client-side JavaScript source for hardcoded secrets (AWS keys, Google API keys, Stripe keys, Slack tokens, GitHub PATs, private key blocks, and a generic api_key=/secret_key=-shaped assignment pattern) and extracts API-shaped endpoint references (both relative paths and absolute URLs).
from klyrek_js.secrets import scan_for_secrets
from klyrek_js.endpoints import extract_endpoints
findings = scan_for_secrets(js_source, source_url="https://admin.sandbox.klyrek.com/assets/app.js")
endpoints = extract_endpoints(js_source, base_url="https://admin.sandbox.klyrek.com/assets/app.js")
Real finding from the sandbox (matched values are masked to the first/last 4 characters, since a Finding may end up in a report handed to a third party):
{
"title": "Hardcoded Stripe Live Secret Key found in JavaScript",
"severity": "critical",
"evidence": ["sk_l...DEMO", "https://admin.sandbox.klyrek.com/assets/app.js"],
"module": "klyrek-js"
}
extract_endpoints pulls out both fetch("/api/v1/products")-style relative paths (anchored to a small set of API-shaped prefixes: /api, /v1, /v2, /graphql, /rest, so it doesn't match every static asset path like /favicon.ico) and full absolute URLs like https://api.sandbox.klyrek.com/api/v1/admin/stats — both show up as real js-endpoint-sourced Endpoint records once run through the full pipeline.
API reference¶
klyrek_js.secrets ¶
Detect hardcoded secrets and API keys embedded in JavaScript source.
scan_for_secrets ¶
Scan JavaScript source text for hardcoded secrets and API keys.
Matched values are masked in the evidence (kept to first/last 4 chars) rather than stored in full, since a Finding may end up in a report handed to a third party.
Source code in klyrek_js\secrets.py
klyrek_js.endpoints ¶
Extract API-like endpoint strings referenced inside JavaScript source.
extract_endpoints ¶
Pull API-shaped path and URL string literals out of a JavaScript source file.