EntroJS
JavaScript exposure hunting by EntroVyx.
EntroJS is a practical JavaScript scanner for remote bundles, discovered script assets, local files, and pasted source. It focuses on exposed secrets, dangerous client-side patterns, high-entropy strings, source map signals, recon-relevant endpoints, and readable triage.
The workflow is simple:
- run a direct scan or spider a target
- watch the live progress panel
- land in a dedicated HTML report automatically
- keep JSON available for export or pipelines
If Ollama is configured, EntroJS can run a second local validation pass on sensitive findings. If it is not configured, scanning still works normally.
Install:

```shell
go install -v github.com/EntroVyx/EntroJS/cmd/entrojs@latest
```

Run:

```shell
entrojs
```

Open http://127.0.0.1:8080 in a browser.

Input modes:
- Single URL for a direct JavaScript file
- Spider mode for same-origin page crawling and script discovery
- Batch mode for multiple JavaScript URLs
- Upload mode for local bundles
- Raw mode for pasted source
EntroJS supports optional local validation through Ollama.
- no Ollama configured: deterministic scan only
- Ollama configured: deterministic scan plus local validation
- if Ollama fails: the base scan still returns results
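The three modes above amount to one rule: deterministic findings are produced first and the Ollama pass only annotates them, so a missing or unreachable Ollama changes the status of the scan, never its results. The following Go program is an added illustration of that fallback order, written for this page rather than taken from EntroJS. It uses the two real Ollama endpoints (`GET /api/tags` to list local models, `POST /api/generate` with `"stream": false` for a one-shot completion); the `Finding` shape, the single `AKIA` pattern, the prompt wording, the status strings and the in-process fake Ollama server are assumptions made for the example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
	"time"
)

// Finding is the shape assumed here for one deterministic scanner hit.
type Finding struct {
	Kind, Value string
	AIVerdict   string // empty when no validation pass ran
}

// One deterministic pattern stands in for the real rule set (assumption).
var awsAccessKeyID = regexp.MustCompile(`AKIA[0-9A-Z]{16}`)

// DeterministicScan never touches the network, so it cannot fail because Ollama did.
func DeterministicScan(src string) []Finding {
	var out []Finding
	for _, m := range awsAccessKeyID.FindAllString(src, -1) {
		out = append(out, Finding{Kind: "aws_access_key_id", Value: m})
	}
	return out
}

// doJSON is a small JSON-over-HTTP helper shared by both Ollama calls.
func doJSON(ctx context.Context, method, u string, body []byte, into any) error {
	req, err := http.NewRequestWithContext(ctx, method, u, bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: HTTP %d", method, u, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(into)
}

// OllamaModels calls GET /api/tags, Ollama's endpoint for listing local models.
func OllamaModels(ctx context.Context, base string) ([]string, error) {
	var tags struct {
		Models []struct {
			Name string `json:"name"`
		} `json:"models"`
	}
	if err := doJSON(ctx, http.MethodGet, strings.TrimRight(base, "/")+"/api/tags", nil, &tags); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(tags.Models))
	for _, m := range tags.Models {
		names = append(names, m.Name)
	}
	return names, nil
}

// ValidateWithOllama sends one finding to POST /api/generate (non-streaming) and
// returns the model's reply; the prompt wording is this example's, not EntroJS's.
func ValidateWithOllama(ctx context.Context, base, model string, f Finding) (string, error) {
	payload, _ := json.Marshal(map[string]any{
		"model":  model,
		"stream": false,
		"prompt": fmt.Sprintf("Reply LIKELY_SECRET or PLACEHOLDER only. %s: %s", f.Kind, f.Value),
	})
	var gen struct {
		Response string `json:"response"`
	}
	err := doJSON(ctx, http.MethodPost, strings.TrimRight(base, "/")+"/api/generate", payload, &gen)
	return strings.TrimSpace(gen.Response), err
}

// Scan returns deterministic findings first and only annotates them with the AI
// pass; a missing or unreachable Ollama degrades the status string, never the scan.
func Scan(src, ollamaURL, model string) ([]Finding, string) {
	findings := DeterministicScan(src)
	if ollamaURL == "" {
		return findings, "ai: not configured"
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	if _, err := OllamaModels(ctx, ollamaURL); err != nil {
		return findings, "ai: skipped (" + err.Error() + ")"
	}
	for i := range findings {
		v, err := ValidateWithOllama(ctx, ollamaURL, model, findings[i])
		if err != nil {
			return findings, "ai: partial (" + err.Error() + ")"
		}
		findings[i].AIVerdict = v
	}
	return findings, fmt.Sprintf("ai: validated %d finding(s)", len(findings))
}

// NewFakeOllama is a constructed stand-in for a local Ollama so this runs offline.
func NewFakeOllama() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/tags", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"models":[{"name":"qwen3:4b"}]}`)
	})
	mux.HandleFunc("/api/generate", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"response":"LIKELY_SECRET"}`)
	})
	return httptest.NewServer(mux)
}

// SampleJS is constructed; the key is the AWS documentation example, not a live credential.
const SampleJS = `const cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };`

func main() {
	srv := NewFakeOllama()
	defer srv.Close()
	fmt.Println(Scan(SampleJS, srv.URL, "qwen3:4b"))
	fmt.Println(Scan(SampleJS, "", ""))
}
```

The reachability probe runs before any finding is sent, so a scanner that cannot reach Ollama spends one failed request, not one per finding, and the deterministic results are returned either way. Point `Scan` at a real `http://127.0.0.1:11434` and the same code exercises the local model.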
Recommended lightweight model:

```shell
ollama pull qwen3:4b
```

The embedded interface is intentionally simple:
- compact input flows
- visible progress steps during scan and spider runs
- automatic redirect to a dedicated HTML report
- JSON report download from the final report page
- optional Ollama endpoint and model settings
Analyze a remote file:

```shell
entrojs -url https://target.tld/static/app.js
```

Analyze a local file:

```shell
entrojs -file bundle.js
```

Analyze stdin:

```shell
cat bundle.js | entrojs -stdin
```

Run with local AI validation:

```shell
entrojs -url https://target.tld/app.js -use-ai -ollama-url http://127.0.0.1:11434 -ollama-model qwen3:4b
```

The embedded web server also exposes an HTTP API:

- Status: returns service status and version.
- Defaults: returns UI defaults such as the default Ollama URL, model, and spider limit.
- Scan: accepts `url`, `urls`, `content`, or a multipart file upload, plus the optional AI fields `use_ai`, `ollama_url`, and `ollama_model`; returns a session id, structured results, and a `report_url`.
- Spider: crawls the target, follows same-origin pages, discovers JavaScript assets, analyzes them, and returns a `report_url`.
- Ollama check: checks whether the configured Ollama endpoint is reachable and lists available local models.
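Same-origin crawling is what keeps a spider from wandering onto third-party hosts it has no authorization to touch, and the page cap is what bounds the run. The Go program below is an added example of that discipline, written for this page and not taken from EntroJS: a breadth-first crawl that resolves every `<script src>` and `<a href>` against the page it was found on, keeps only http(s) URLs whose scheme and host:port match the start URL, drops `javascript:`/`mailto:`/`data:` links and URL fragments, and stops at `maxPages` (the role `ENTROJS_MAX_SPIDER_PAGES` plays). Applying the same-origin rule to script URLs as well as pages is this example's choice; the regex-based tag extraction, the injected `Fetcher`, and the in-memory site under `target.tld` are all constructed assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var (
	scriptSrc  = regexp.MustCompile(`(?i)<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']`)
	anchorHref = regexp.MustCompile(`(?i)<a\b[^>]*\shref\s*=\s*["']([^"']+)["']`)
)

// Fetcher returns the HTML body of a page; injected so the crawl can run offline.
type Fetcher func(pageURL string) (string, error)

// SameOrigin compares scheme and host:port, the browser's origin triple.
func SameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && strings.EqualFold(a.Host, b.Host)
}

// resolve turns an attribute value into an absolute, fragment-free http(s) URL on
// base's origin, or "" when it is cross-origin or a javascript:/mailto:/data: link.
func resolve(base *url.URL, raw string) string {
	ref, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	abs := base.ResolveReference(ref)
	if (abs.Scheme != "http" && abs.Scheme != "https") || !SameOrigin(base, abs) {
		return ""
	}
	abs.Fragment = ""
	return abs.String()
}

// Spider crawls breadth-first from start, visiting at most maxPages same-origin
// pages and returning the unique script URLs found, in discovery order, plus the
// pages actually visited.
func Spider(start string, fetch Fetcher, maxPages int) (scripts, visited []string, err error) {
	queue := []string{start}
	seenPage := map[string]bool{start: true}
	seenScript := map[string]bool{}
	for len(queue) > 0 && len(visited) < maxPages {
		pageURL := queue[0]
		queue = queue[1:]
		base, perr := url.Parse(pageURL)
		if perr != nil {
			return nil, nil, perr
		}
		body, ferr := fetch(pageURL)
		if ferr != nil {
			continue // one dead page must not abort the whole crawl
		}
		visited = append(visited, pageURL)
		for _, m := range scriptSrc.FindAllStringSubmatch(body, -1) {
			if u := resolve(base, m[1]); u != "" && !seenScript[u] {
				seenScript[u] = true
				scripts = append(scripts, u)
			}
		}
		for _, m := range anchorHref.FindAllStringSubmatch(body, -1) {
			if u := resolve(base, m[1]); u != "" && !seenPage[u] {
				seenPage[u] = true
				queue = append(queue, u)
			}
		}
	}
	return scripts, visited, nil
}

// SampleSite is a constructed in-memory target; every host name is a placeholder.
var SampleSite = map[string]string{
	"https://target.tld/": `<html><script src="/static/app.js"></script>
<script src="https://cdn.other.tld/lib.js"></script>
<a href="/about">About</a> <a href="https://evil.tld/x">out</a> <a href="javascript:void(0)">noop</a></html>`,
	"https://target.tld/about": `<script src="../static/app.js?v=2"></script><script src="/static/about.js"></script>
<a href="/">Home</a> <a href="/contact#team">Contact</a>`,
	"https://target.tld/contact": `<a href="/">Home</a><script src="/static/contact.js"></script>`,
}

// FetchSample serves SampleSite; anything else is a 404 to exercise the skip path.
func FetchSample(u string) (string, error) {
	if body, ok := SampleSite[u]; ok {
		return body, nil
	}
	return "", fmt.Errorf("404 for %s", u)
}

func main() {
	scripts, visited, err := Spider("https://target.tld/", FetchSample, 10)
	fmt.Println(err, visited, scripts)
}
```

Two details matter in practice: `../static/app.js?v=2` resolves to the same path as `/static/app.js` but a different URL, so both are fetched and scanned (cache-busted bundles often differ), and the cross-origin CDN script and the `evil.tld` link are never requested at all, which is the behaviour to verify before pointing any spider at a production host.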
Each scan creates a dedicated report session with:
- severity summary
- per-file risk score
- grouped findings
- compact context snippets
- spider summary when applicable
- JSON export
Configuration is environment-driven:

| Variable | Default | Purpose |
|---|---|---|
| `ENTROJS_HOST` | `0.0.0.0` | HTTP listen host |
| `ENTROJS_PORT` | `8080` | HTTP listen port |
| `ENTROJS_MAX_FILE_SIZE` | `20971520` | Max file size in bytes |
| `ENTROJS_FETCH_TIMEOUT` | `45` | Fetch timeout in seconds |
| `ENTROJS_FETCH_MAX_RETRIES` | `2` | Retry count |
| `ENTROJS_FETCH_RETRY_DELAY` | `2` | Retry delay in seconds |
| `ENTROJS_ENTROPY_THRESHOLD` | `4.5` | Shannon entropy threshold |
| `ENTROJS_OLLAMA_URL` | `http://127.0.0.1:11434` | Default Ollama endpoint |
| `ENTROJS_OLLAMA_MODEL` | `qwen3:4b` | Default Ollama model |
| `ENTROJS_MAX_SPIDER_PAGES` | `10` | Max internal pages for spider mode |

Note that `ENTROJS_HOST` defaults to `0.0.0.0`, so the UI and API listen on every interface, and the scan and spider endpoints fetch whatever URL they are given. Set it to `127.0.0.1` unless you intend to expose the scanner beyond the local machine.
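The `ENTROJS_ENTROPY_THRESHOLD` row deserves a worked example, because Shannon entropy is a blunt signal: it scores how evenly bytes are distributed, not whether a string is a credential. The Go program below is an added illustration written for this page, not EntroJS's own analyzer. It extracts quoted token-like literals of at least 20 characters (a regex stand-in for a real JS tokenizer, an assumption), computes the per-byte Shannon entropy of each, and flags those at or above the page's 4.5-bit default. The constructed sample deliberately includes a string of English words without separators, which crosses 4.5 and is flagged, and the AWS documentation example access key id, which scores about 3.7 and is not, to show why pattern rules and entropy have to work together.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// EntropyThreshold mirrors the page's ENTROJS_ENTROPY_THRESHOLD default, in bits per byte.
const EntropyThreshold = 4.5

// candidate matches quoted token-like literals of at least 20 chars. A real scanner
// would use a JS tokenizer; this regex is an assumption that keeps the example short.
var candidate = regexp.MustCompile(`["']([A-Za-z0-9+/=_.-]{20,})["']`)

// ShannonEntropy returns H = -sum p(b) * log2 p(b) over the bytes of s.
func ShannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	var counts [256]int
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	n := float64(len(s))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Finding is one high-entropy literal with its score.
type Finding struct {
	Value   string
	Entropy float64
}

// HighEntropyStrings returns every candidate literal in src scoring at or above threshold.
func HighEntropyStrings(src string, threshold float64) []Finding {
	var out []Finding
	for _, m := range candidate.FindAllStringSubmatch(src, -1) {
		if h := ShannonEntropy(m[1]); h >= threshold {
			out = append(out, Finding{Value: m[1], Entropy: h})
		}
	}
	return out
}

// SampleJS is constructed for this example; none of the values are real credentials.
// The AKIA value is the AWS documentation example key id.
const SampleJS = `
const placeholder = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";   // 0 bits: a single symbol
const storageKey  = "app_session_cache_v2_user_prefs";     // readable identifier, ~3.6 bits
const accessKeyId = "AKIAIOSFODNN7EXAMPLE";                // structured key, ~3.7 bits
const pangram     = "thequickbrownfoxjumpsoverthelazydog"; // words without spaces, ~4.5 bits
const apiToken    = "q7Zr2mKpL9xWv4Yt8HcJ3nBfE6sGaD1U";    // 32 distinct chars: exactly 5 bits
`

func main() {
	for _, f := range HighEntropyStrings(SampleJS, EntropyThreshold) {
		fmt.Printf("%.3f bits  %s\n", f.Entropy, f.Value)
	}
}
```

Run as written it reports the pangram and the 32-character token and stays silent on the other three. Raising the threshold to suppress the pangram would also suppress many real base64 and hex secrets of similar length, which is why a scanner pairs entropy with prefix patterns (`AKIA`, `ghp_`, `sk-`, and so on), minimum lengths, and charset checks, and why a second validation pass on sensitive findings is useful.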
Project layout:

```
cmd/entrojs/        # CLI + web entrypoint
internal/ai/        # Optional Ollama validation
internal/analyzer/  # Fetching, regex, entropy, spider, scoring
internal/app/       # HTTP handlers and report generation
internal/config/    # Environment-driven configuration
internal/models/    # Shared API and result models
web/                # Embedded UI
assets/             # Branding assets
```
Use EntroJS only on assets you own or are explicitly authorized to test.