A high-performance tool for bug bounty hunters and security researchers to detect hardcoded secrets, API keys, tokens, and sensitive credentials in JavaScript and JSON files.
✔ Detects:
- API keys & tokens (OpenAI, Stripe, Twilio, Telegram, etc.)
- Cloud credentials (AWS, GCP, Azure)
- Webhooks (Slack, Discord)
- JWT tokens
- SSH private keys
- Database credentials
- Financial data (Credit Cards, CVV, IBAN)
✔ Regex-based detection with support for custom patterns via a JSON file
✔ Multi-threaded scanning for speed (default: 50 threads)
✔ Beautiful progress bars and colorized output using Rich
✔ Designed for Bug Bounty & Recon workflows
Clone the repository:

```bash
git clone https://github.com/rahmansec/SecretHunter.git
cd SecretHunter
```

Install dependencies:

```bash
pip install -r requirements.txt
```

Run the scanner against a list of URLs with a pattern file:

```bash
python secret-hunter.py -i urls.txt -p patterns.json
```

| Argument | Description |
|---|---|
| -i, --file | File containing URLs to scan |
| -p, --patterns | JSON file with regex patterns for secrets |
| -t, --threads | Number of threads (default: 50) |
| --timeout | HTTP request timeout in seconds (default: 6) |
Example urls.txt (one URL per line):

```
https://target.com/main.js
https://target.com/config.json
```

Run the scan:

```bash
python secret-hunter.py -i urls.txt -p patterns.json
```

Sample output:

```
⚠️ Secrets found in https://target.com/main.js
- Slack Token: xoxb-1234567890-abcdef
- OpenAI API Key: sk-xxxxxxxxxxxxxxxxxxxxxxxx
```
patterns.json example:

```json
[
  {
    "name": "Generic API Key",
    "regex": "(api[_-]?key|token|auth|secret)[\"'\\s:=>]{1,10}[^\"'\\s]+",
    "confidence": "medium"
  },
  {
    "name": "AWS Access Key ID",
    "regex": "AKIA[0-9A-Z]{16}",
    "confidence": "high"
  },
  {
    "name": "OpenAI API Key",
    "regex": "sk-[A-Za-z0-9]{48}",
    "confidence": "high"
  }
]
```

Use cases:

✔ Find exposed API keys in public repos or JS files
✔ Detect secrets in web application assets
✔ Automate credential leak detection during recon
✔ Increase chances of valid findings in bounty programs
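As an added illustration of the scanning loop such a tool performs (example code written for this README, not the project's own implementation), the block below loads a pattern file in the patterns.json format shown above, compiles each regex, scans a few constructed assets concurrently with a thread pool, and suppresses a "Generic API Key" hit when a more specific high-confidence pattern already covers the same span. `fetch_sample`, `SAMPLE_ASSETS`, the `example.test` URLs and the key-shaped strings are all constructed stand-ins; a real run would replace `fetch_sample` with an HTTP GET bounded by the `--timeout` value.

```python
import json
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Optional

# Constructed pattern file in the same shape as patterns.json above
# (hypothetical content, not the project's own file).
PATTERNS_JSON = r"""
[
  {"name": "Generic API Key",
   "regex": "(api[_-]?key|token|auth|secret)[\"'\\s:=>]{1,10}[^\"'\\s]+",
   "confidence": "medium"},
  {"name": "AWS Access Key ID", "regex": "AKIA[0-9A-Z]{16}", "confidence": "high"},
  {"name": "OpenAI API Key", "regex": "sk-[A-Za-z0-9]{48}", "confidence": "high"}
]
"""

# Constructed stand-ins for fetched assets. The key-shaped strings are made up;
# AKIAIOSFODNN7EXAMPLE is the placeholder AWS uses in its own documentation.
OPENAI_SHAPED = "sk-" + "T3ST" * 12   # 48 alphanumerics after the prefix
SAMPLE_ASSETS = {
    "https://example.test/main.js":
        'const cfg = {\n  api_key: "' + OPENAI_SHAPED + '",\n'
        '  endpoint: "https://api.example.test/v1"\n};\n',
    "https://example.test/config.json":
        '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "token": "abc123def456"}\n',
    "https://example.test/vendor.js":
        "function add(a, b) { return a + b; }\n",
}

CONFIDENCE_RANK = {"high": 3, "medium": 2, "low": 1}


def fetch_sample(url: str) -> str:
    """Stand-in for an HTTP GET (a real scanner would use e.g. requests with a timeout)."""
    if url not in SAMPLE_ASSETS:
        raise ConnectionError(f"unreachable: {url}")
    return SAMPLE_ASSETS[url]


def load_patterns(text: str) -> List[dict]:
    """Parse a patterns.json document and compile each regex; a bad regex fails loudly."""
    patterns = []
    for entry in json.loads(text):
        try:
            compiled = re.compile(entry["regex"])
        except re.error as exc:
            raise ValueError(f"invalid regex in pattern {entry.get('name')!r}: {exc}") from exc
        patterns.append({"name": entry["name"], "regex": compiled,
                         "confidence": entry.get("confidence", "low")})
    return patterns


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix for triage and mask the rest so the report does not re-leak the secret."""
    if len(secret) <= keep * 2:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(content: str, patterns: List[dict]) -> List[dict]:
    """Run every pattern over one asset; when spans overlap, keep the higher-confidence hit."""
    raw = []
    for p in patterns:
        for m in p["regex"].finditer(content):
            raw.append({"name": p["name"], "confidence": p["confidence"],
                        "start": m.start(), "end": m.end(), "match": m.group(0)})
    # Highest confidence first, so a specific "OpenAI API Key" hit suppresses the
    # "Generic API Key" hit that covers the same bytes (equal confidence: first wins).
    raw.sort(key=lambda f: (-CONFIDENCE_RANK.get(f["confidence"], 0), f["start"]))
    kept: List[dict] = []
    for f in raw:
        if any(f["start"] < k["end"] and k["start"] < f["end"] for k in kept):
            continue
        kept.append(f)
    kept.sort(key=lambda f: f["start"])
    return [{"name": f["name"], "confidence": f["confidence"], "redacted": redact(f["match"])}
            for f in kept]


def scan_assets(urls: List[str], patterns: List[dict], fetch: Callable[[str], str],
                workers: int = 50) -> Dict[str, Optional[List[dict]]]:
    """Fetch and scan URLs concurrently; an unreachable URL maps to None instead of aborting."""
    def job(url: str):
        try:
            content = fetch(url)
        except Exception:
            return url, None
        return url, scan_text(content, patterns)

    with ThreadPoolExecutor(max_workers=max(1, min(workers, len(urls)))) as pool:
        return dict(pool.map(job, urls))


if __name__ == "__main__":
    pats = load_patterns(PATTERNS_JSON)
    urls = list(SAMPLE_ASSETS) + ["https://example.test/missing.js"]
    for url, findings in scan_assets(urls, pats, fetch_sample, workers=4).items():
        if findings is None:
            print(f"[!] could not fetch {url}")
        elif findings:
            print(f"Secrets found in {url}")
            for f in findings:
                print(f"  - {f['name']} ({f['confidence']}): {f['redacted']}")
```

Two design points worth keeping in any scanner of this kind: findings are written out redacted, so the results file is not itself a second copy of the credential, and overlapping hits are collapsed by confidence, which keeps the broad "Generic API Key" pattern from duplicating every specific match and lets triage focus on the high-confidence entries first.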
- Export results to JSON / CSV