marcuwynu23/surisc
surisc


A high-performance reconnaissance tool built specifically for frontend web security.

Written in Go, it operates entirely in memory to scrape, parse, and analyze JavaScript bundles from target URLs, proactively hunting for leaked API keys, hardcoded credentials, and exposed environment variables.

Features

  • Memory-Resident Scraping: Operates entirely in RAM using colly/v2 to intercept target URLs, discover <script> tags, and fetch payload contents without writing temporary files to disk.

  • Concurrent Engine: Utilizes goroutines and sync.WaitGroup to process multiple JavaScript bundles concurrently.

  • Shannon Entropy Analysis: Scans alphanumeric strings to calculate true information density (H = - sum(p * log2(p))), allowing the scanner to flag complex payloads such as JWTs or generic cloud provider keys.

  • Pattern Matching: Contains built-in rules designed to detect:

    | Target / Platform | Pattern / Description |
    | --- | --- |
    | AWS Access Keys | AKIA... |
    | Stripe Secret Keys | sk_live_... |
    | GitHub Personal Access Tokens | ghp_... |
    | GitLab Personal Access Tokens | glpat-... |
    | Mail Service API Keys | SendGrid, Mailgun, Resend |
    | Payment & Gateway Tokens | Square, Twilio |
    | Cloudflare Credentials | Global API keys and API tokens |
    | User API Tokens | user_api_token / user-api-token style assignments |
    | RSA Private Keys | headers -----BEGIN PRIVATE KEY... |
    | Slack API Tokens | xoxb-... |
    | Google API Keys | Generic GCP, Maps, Firebase (AIza...) |
    | Exposed map file dependencies | .map |
    | Bearer authentication tokens | Bearer ... |
    | Internal IP address ranges | 10.x, 172.16.x, 192.168.x |
    | Build-time import.meta asset leaks | import.meta.env.* |
    | Generic secret strings | Variable assignments (e.g., API_KEY:"value") |

  • False Positive Filtering: Automatically ignores standard frontend compilation artifacts such as the Base64 sequence dictionary, WebAssembly module headers, and standard React.js validation warnings.
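The three detection stages listed above (Shannon entropy over candidate strings, fixed pattern rules, and filtering of known compiler artifacts) can be shown end to end in a few dozen lines of Go. The following is an added example written for this README; it is not SuriSC's own code and does not reproduce its rule set, threshold, or gravity scoring. The regular expressions, the 3.5 bits-per-byte entropy cut-off, and the sample bundle are all assumptions constructed for the demonstration; the AWS value in the sample is the public example key from the AWS documentation, not a live credential.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one reported leak: which rule fired, the matched text, and its entropy.
type Finding struct {
	Target  string
	Snippet string
	Entropy float64 // bits per byte
}

// ShannonEntropy computes H = -sum(p * log2(p)) over the byte frequencies of s.
func ShannonEntropy(s string) float64 {
	counts := make(map[byte]int)
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// entropyThreshold (bits per byte) is an assumed cut-off; the project does not publish its own.
const entropyThreshold = 3.5

// rules covers a few classes from the Features table; the expressions are written for
// this example and are not the project's rule set.
var rules = []struct {
	target string
	re     *regexp.Regexp
}{
	{"AWS_ACCESS_KEY", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"GOOGLE_API_KEY", regexp.MustCompile(`\bAIza[0-9A-Za-z_-]{35}\b`)},
	{"INTERNAL_IP", regexp.MustCompile(`\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b`)},
	{"IMPORT_META_LEAK", regexp.MustCompile(`import\.meta\.env\.[A-Z0-9_]+`)},
}

// tokenRe selects candidate tokens: 20+ characters from the usual API-key alphabet.
var tokenRe = regexp.MustCompile(`[A-Za-z0-9_-]{20,}`)

// isCompilerArtifact drops bundler output that is high-entropy but harmless,
// such as the Base64 alphabet table that encoders and decoders embed.
func isCompilerArtifact(tok string) bool {
	for _, seq := range []string{"ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", "0123456789"} {
		if strings.Contains(tok, seq) {
			return true
		}
	}
	return false
}

// Scan applies the pattern rules first, then the entropy heuristic, to one bundle
// body. Text already explained by a rule is not reported again as a generic hit.
func Scan(body string) []Finding {
	var out []Finding
	explained := make(map[string]bool)
	for _, r := range rules {
		for _, m := range r.re.FindAllString(body, -1) {
			if explained[m] {
				continue
			}
			explained[m] = true
			out = append(out, Finding{r.target, m, ShannonEntropy(m)})
		}
	}
	for _, tok := range tokenRe.FindAllString(body, -1) {
		if explained[tok] || isCompilerArtifact(tok) {
			continue
		}
		if h := ShannonEntropy(tok); h >= entropyThreshold {
			explained[tok] = true
			out = append(out, Finding{"HIGH_ENTROPY_STRING", tok, h})
		}
	}
	return out
}

// sampleBundle is a constructed fragment (not captured from any site); the AWS value
// is the public example key from the AWS documentation.
const sampleBundle = `const cfg={apiKey:"AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6r",region:"us-east-1"};
const aws="AKIAIOSFODNN7EXAMPLE";
const token="q8Zt3xK9mPw2Lr7VbN4cJ6hF";
const b64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
fetch("http://10.0.12.7/api/health");
const backend=import.meta.env.VITE_BACKEND_API;`

func main() {
	for _, f := range Scan(sampleBundle) {
		fmt.Printf("[!] [%s]\n    [SNIPPET]: %s\n    [ENTROPY]: %.2f\n", f.Target, f.Snippet, f.Entropy)
	}
}
```

Running it against the constructed bundle reports four rule hits (the AWS key, the Google key, the internal 10.x address, and the import.meta.env reference) plus one generic high-entropy string, while the Base64 alphabet table, which has higher entropy than any of the real keys, is dropped by the artifact filter. The ordering matters: running the fixed rules before the entropy pass is what lets a hit be labelled with a specific target rather than a generic one.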

Terminology

When looking at your scan results, here is what each term means:

  • Gravity Score: A number (usually 0 to 10) that tells you how certain we are that we found a real secret. A score of 10 means it is highly likely a real API key (like an AWS key). A lower score means it might just be a normal variable or false positive.
  • Shannon Entropy: A mathematical way of measuring how "random" a piece of text looks. Real API keys look like random gibberish (high entropy). Regular words like "password" don't look random (low entropy). This helps the scanner ignore normal text.
  • Target / Leak Type: What kind of secret was found. For example, GOOGLE_API_KEY or STRIPE_SECRET_KEY.
  • Source URL: The exact web address link where the leaked secret is located.
  • Snippet: A small preview of the exact code or key that leaked. This saves you from having to read through massive, messy code files yourself.

Build Instructions

Use the included Makefile to securely compile SuriSC.

# Compile the executable into /dist/surisc.exe
make all

# Clean previous build outputs
make clean

# Run Unit and E2E verification tests
make test

Usage

SuriSC can be executed directly from the terminal and supports both raw console output and JSON rendering.

Basic Reconnaissance Scan

.\dist\surisc.exe -u https://example.com

Informative Target Analysis (Technology Stack Detection)

The -i flag skips the secret scan and focuses solely on extracting infrastructure insights such as the Backend, Frontend, Server, Protocol (e.g., HTTP/2), and CDN/WAF.

.\dist\surisc.exe -u https://example.com -i

JSON Reporting Mode

.\dist\surisc.exe -u https://example.com -o json

Output Example

SuriSC Completed. Results:
--------------------------------------------------------------------------------
[!]     [GOOGLE_API_KEY]
        [SOURCE_URL]: https://example.com/assets/index.js
        [GRAVITY_SCORE]: 9.00
        [SNIPPET]: AIzaSyBLT...
--------------------------------------------------------------------------------
[!]     [IMPORT_META_LEAK]
        [SOURCE_URL]: https://example.com/assets/index.js
        [GRAVITY_SCORE]: 8.50
        [SNIPPET]: import.meta.env.VITE_BACKEND_API
--------------------------------------------------------------------------------

Docker and Podman Usage

SuriSC can be built and run in a container environment using either Docker or Podman.

Building the Image

Using Docker:

docker build -t surisc .

Using Podman:

podman build -t surisc .

Running the Container

Once built, you can run the container by passing your target URL using the -u flag.

Using Docker:

docker run --rm surisc -u https://example.com

For JSON output:

docker run --rm surisc -u https://example.com -o json

Using Podman:

podman run --rm surisc -u https://example.com

For JSON output:

podman run --rm surisc -u https://example.com -o json

Using GitHub Container Registry (GHCR)

You can also run SuriSC directly from the GitHub Container Registry without needing to build it locally.

Run using Docker:

docker run --rm ghcr.io/marcuwynu23/surisc:latest -u https://example.com

Run using Podman:

podman run --rm ghcr.io/marcuwynu23/surisc:latest -u https://example.com
