Frontend security reconnaissance from the browser's perspective. Proactively hunts leaked API keys, hardcoded credentials, and exposed environment variables in JavaScript bundles.
- What Is SuriSC?
- Use Cases
- Benefits
- Advantages Over Other Tools
- User Guide
- Installation
- Quick Start
- CLI Reference
- Configuration
- CI/CD Integration
- Development
- Architecture
SuriSC (/səˈrisk/, suh-REESK) is a memory-resident reconnaissance tool built specifically for frontend web security. Written in Go, it scrapes, parses, and analyzes JavaScript bundles from target URLs to detect secrets that should never reach the browser.
The name combines suri (Tagalog: "examine" or "analyze") with SC for scan — a tool that examines frontends by scanning their JavaScript.
- Scrapes — Discovers every
<script>tag on a page and fetches its payload without writing files to disk - Detects — 25+ secret types including AWS keys, Stripe secrets, GitHub PATs, Google API keys, Firebase/Supabase configs, and more
- Ingests — Fetches source map (
.map) files and recursively scans their original source code for secrets - Analyzes — Shannon entropy scoring flags high-density strings that look like real credentials
- Profiles — Identifies technology stack, hosting provider, CDN, CMS, SPA/PWA status, and security headers
- Discovers — Routes from HTML, JS, JSON,
robots.txt, andsitemap.xml; probes attack-surface paths - Probes — Detects GraphQL introspection endpoints, OpenAPI/Swagger spec files, and API documentation pages
- Filters — Built-in false positive suppression ignores compilation artifacts, placeholder values, and standard library internals
- Reports — Human-readable HUD output and machine-readable JSON with gravity scores for triage
| Problem | How SuriSC Solves It |
|---|---|
| Accidental API key commits to public JS bundles | Scans every fetched script for 25+ credential patterns with gravity scoring |
import.meta.env leaks in Vite/CRA builds |
Detects VITE_API_URL, SUPER_SECRET_TOKEN, etc. |
| Source map exposure | Fetches .map files and recursively scans original source code for secrets |
| Firebase/Supabase configs in client bundles | Detects firebaseConfig objects and supabaseUrl/supabaseKey assignments |
| Unknown tech stack during recon | Fingerprints frontend framework, hosting, CDN, CMS, and security headers |
| Manual route enumeration takes too long | Extracts routes from HTML, JS, JSON, robots.txt, and sitemap.xml automatically |
| SPA fallback pages hide real endpoints | Validates probed routes against 404 signatures to filter SPA shell responses |
| GraphQL introspection left enabled | Probes common GraphQL endpoints with __schema introspection query |
| Exposed API documentation | Probes /swagger.json, /openapi.json, /api/docs, and detects spec refs in JS |
- Minimal setup, maximum value. A single
-uflag and you get actionable results. No config file required. - Your process stays yours. Works as a standalone CLI, in Docker/Podman containers, or as a CI pipeline step.
- Truth over noise. Gravity scores, entropy thresholds, and false-positive filters mean every finding deserves your attention.
| Scenario | How SuriSC Helps |
|---|---|
| Bug bounty recon | Point at a target URL and get a complete security posture report — leaked secrets, tech stack, hidden routes, and missing security headers |
| Pre-deployment audit | Run in CI/CD against your staging server to catch secrets before they go live |
| Third-party JS audit | Scan vendor scripts for hardcoded tokens that could compromise your application |
| Vulnerability assessment | Identify SPA/PWA technology for targeted exploit research; discover GraphQL endpoints |
| Containerized scanning | Run from Docker or Podman for ephemeral, disposable scans without local installation |
- Zero disk writes — Operates entirely in RAM; leaves no forensic trace on the scanning machine
- Concurrent by default — Goroutine-powered engine processes multiple bundles simultaneously with rate limiting to avoid triggering WAFs
- Browser-level evasion — Chrome-like headers, random user agents, and configurable delays mimic real user traffic
- False positive engineered — Filters Base64 dictionaries, WASM headers, React validation warnings, route-like values, and placeholder strings
- Gravity scoring — Every finding gets a 0–10 score based on pattern confidence and Shannon entropy, so you prioritize what matters
- Hosting-aware profiling — Detects Vercel, Netlify, Cloudflare (Pages, Workers, Proxied), Heroku, Railway, GitHub Pages, and 12+ other providers
- Multi-format output — Human-friendly HUD and
-o jsonfor pipeline ingestion - Cross-platform — Ships as Windows binary, NSIS installer, Debian package, macOS (Intel + Apple Silicon), and Docker image
- Fast reachability check — Validates target is live before scanning, with intelligent retry handling
| Aspect | SuriSC | SecretScanner | TruffleHog | WPScan | manual |
|---|---|---|---|---|---|
| Setup time | ~10 seconds | Minutes | Minutes | Minutes | Ongoing effort |
| Memory-resident | Yes | No | No | No | N/A |
| Frontend framework detection | Yes (10+ frameworks) | No | No | No | Manual |
| Hosting provider detection | Yes (15+ providers) | No | No | No | Manual |
| Security header audit | Yes | No | No | Yes | Manual |
| SPA/PWA identification | Yes | No | No | No | Manual |
| Route discovery | Yes | No | No | Yes | Manual |
| Attack-surface probing | Yes | No | No | Limited | Manual |
| False-positive filters | Built-in per pattern | Basic | Basic | Pattern-based | N/A |
| Gravity scoring | Yes | No | No | No | N/A |
| Shannon entropy analysis | Yes | Yes | Yes | No | N/A |
| JS bundle scraping | Yes | No | No | No | Manual |
| JSON output | Yes | Yes | Yes | No | N/A |
| Docker/Podman support | Yes | Yes | Yes | Yes | N/A |
| Multi-platform binary | Windows, macOS, Linux (amd64+arm64) | Linux | Linux, macOS | Linux | N/A |
| NSIS installer | Yes | No | No | No | N/A |
| Debian package | Yes | No | No | Yes (via apt) | N/A |
| License | Apache 2.0 | Custom | Apache 2.0 | GPL | N/A |
Download the latest release from GitHub Releases.
go install github.com/marcuwynu23/surisc/cmd/surisc@latestgit clone https://github.com/marcuwynu23/surisc.git
cd surisc
make allThe binary will be placed in dist/surisc.exe (Windows) or dist/surisc (Linux/macOS).
docker pull ghcr.io/marcuwynu23/surisc:latest
podman pull ghcr.io/marcuwynu23/surisc:latestsurisc --help
# or
./dist/surisc.exe --help# Basic recon scan for secrets
surisc -u https://example.com
# Full target profiling (tech stack, routes, security headers)
surisc -u https://example.com -i
# JSON output for pipeline ingestion
surisc -u https://example.com -o jsonsurisc --help| Flag | Default | Description |
|---|---|---|
-u |
"" |
Required. Target URL to scan |
-o |
hud |
Output format: hud (human-readable) or json |
-i |
false |
Enable informative target analysis (disables secret leak scan) |
-i=webinfo |
— | Show only infrastructure/security header table |
-i=routes |
— | Show only discovered routes |
-i=robots |
— | Show only robots.txt analysis |
-i=sitemaps |
— | Show only sitemap.xml analysis |
Basic secret scan:
surisc -u https://example.comFull informative profile:
surisc -u https://example.com -iJSON output with secrets:
surisc -u https://example.com -o jsonTechnology stack only:
surisc -u https://example.com -i webinfoRoute discovery only:
surisc -u https://example.com -i routesSuriSC requires no configuration file. All options are passed as CLI flags.
| Source | Precedence |
|---|---|
| CLI flags | Highest |
| Built-in defaults | Lowest |
SuriSC Completed. Results:
--------------------------------------------------------------------------------
[!] [GOOGLE_API_KEY]
[SOURCE_URL]: https://example.com/assets/index.js
[GRAVITY_SCORE]: 9.00
[SNIPPET]: AIzaSyBLT...
--------------------------------------------------------------------------------
[!] [IMPORT_META_LEAK]
[SOURCE_URL]: https://example.com/assets/index.js
[GRAVITY_SCORE]: 8.50
[SNIPPET]: import.meta.env.VITE_BACKEND_API
name: Secret Scan
on:
schedule:
- cron: "0 6 * * 1" # Weekly Monday morning
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Scan staging
uses: docker://ghcr.io/marcuwynu23/surisc:latest
with:
args: -u https://staging.example.com -o jsonsurisc-scan:
image: ghcr.io/marcuwynu23/surisc:latest
script:
- /surisc -u https://example.com -o json
artifacts:
paths:
- surisc-report.json| Tool | Version | Purpose |
|---|---|---|
| Go | 1.24+ | Compiler |
| Make | Any | Build automation |
| makensis (NSIS) | Any | Windows installer (optional) |
| fpm | Any | Debian packaging (optional) |
make all # Build binary + installer
make exe # Build Windows binary only
make linux # Build Linux binary
make test # Run all tests
make clean # Remove build artifacts
make deb # Build Debian package (requires fpm)surisc/
├── cmd/surisc/ # CLI entrypoint (flag parsing, output formatting)
├── internal/
│ ├── models/ # Data types (Leak, TechInsight)
│ └── scanner/ # Core scanning engine (colly scraper, regex, entropy)
├── tests/ # Integration tests
├── dist/ # Build output (gitignored)
├── docs/ # Static documentation site (HTML)
├── logo/ # SVG assets
├── installer/ # NSIS installer script
├── .github/workflows/ # CI/CD pipelines
├── Dockerfile
├── makefile
├── go.mod
└── go.sum
- Entrypoint (
cmd/surisc/main.go) — Parses CLI flags, validates the target URL, calls the scanner, and renders output - Scraper (
internal/scanner/scanner.go) — Usescolly/v2with async goroutines to crawl HTML, fetch JS bundles, and extract routes - Analyzer — Scans content with 20+ compiled regex patterns and Shannon entropy calculations; deduplicates; assigns gravity scores
- Profiler — Fingerprints frontend frameworks (React, Vue, Svelte, etc.), hosting providers (Vercel, Cloudflare, etc.), and security headers
- Models (
internal/models/models.go) — Go structs forLeak(finding) andTechInsight(profile) with JSON serialization tags - Output — HUD formatter (terminal tables) or JSON marshaler for pipeline use
Apache 2.0 — Copyright (c) 2026 Mark Wayne Menorca
A permissive license that grants you the freedom to use, modify, distribute, and sell the software, provided you include the original copyright notice. It also includes an express grant of patent rights from contributors.
Happy Coding! 🚀