{"id":47669013,"url":"https://github.com/secretsifter/secretsifter-desktop","last_synced_at":"2026-04-27T04:00:38.413Z","repository":{"id":346664745,"uuid":"1191039684","full_name":"secretsifter/secretsifter-desktop","owner":"secretsifter","description":"Standalone desktop app for macOS \u0026 Windows — scans websites and web apps for exposed API keys, credentials, tokens, and PII in real time. Built for penetration testers, bug bounty hunters, and security researchers. 160+ detection rules, browser crawling, and HTML reports.","archived":false,"fork":false,"pushed_at":"2026-03-24T22:32:43.000Z","size":2093,"stargazers_count":3,"open_issues_count":0,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-03T00:46:34.026Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secretsifter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-24T21:32:03.000Z","updated_at":"2026-03-27T19:01:43.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/secretsifter/secretsifter-desktop","commit_stats":null,"previous_names":["secretsifter/secretsifter-desktop"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/secretsifter/secretsifter-desktop","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-desktop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-desktop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-desktop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-desktop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secretsifter","download_url":"https://codeload.github.com/secretsifter/secretsifter-desktop/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretsifter%2Fsecretsifter-desktop/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32321940,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-02T12:18:30.136Z","updated_at":"2026-04-27T04:00:38.397Z","avatar_url":"https://github.com/secretsifter.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecretSifter Desktop\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Latest Release](https://img.shields.io/github/v/release/secretsifter/secretsifter-desktop?label=latest)](https://github.com/secretsifter/secretsifter-desktop/releases/latest)\n[![Downloads](https://img.shields.io/github/downloads/secretsifter/secretsifter-desktop/total?color=brightgreen)](https://github.com/secretsifter/secretsifter-desktop/releases)\n[![Platform: Windows](https://img.shields.io/badge/platform-Windows%2010%2F11-blue)](https://github.com/secretsifter/secretsifter-desktop/releases/latest)\n\n\u003e **A standalone secret scanner for live web applications.**\n\u003e Most secret scanners stop at the repository. The repository is not the attack surface — the running application is.\n\nSecretSifter Desktop is a Windows-native scanner that finds API keys, credentials, tokens, and PII inside live single-page apps, API responses, request headers, JavaScript bundles, and proxied traffic. It bundles a Playwright-driven crawler, an embedded MITM proxy, HAR import, and a Bearer-authenticated REST + MCP server — no Burp licence required.\n\n---\n\n## ⬇️ Quick Install\n\n1. Grab **`SecretSifter-1.7.7.exe`** from the [latest release](https://github.com/secretsifter/secretsifter-desktop/releases/latest).\n2. Double-click. Windows SmartScreen → *More info → Run anyway*.\n3. Per-user install, no admin rights. Default path: `%LOCALAPPDATA%\\SecretSifter`.\n4. Launch from Start Menu. Paste a URL into the Scan tab → click **Start Scan**.\n\nThat's it. Java is bundled. Chrome is auto-detected (or falls back to system Edge / bundled Chromium).\n\n---\n\n## ✨ Why SecretSifter\n\n| Problem | SecretSifter's answer |\n|---|---|\n| Burp licences are expensive; not every analyst has one | Free standalone, no Burp dependency |\n| API keys hardcoded in 2–8 MB Angular / React bundles | GENERIC_KV scans the **full text** with line-aware reporting (every occurrence at every line, like Burp) |\n| Vendor-specific tokens (AWS, Azure, Stripe, GitHub, JWT, Google, …) | 100+ anchored CERTAIN-confidence rules |\n| Secrets in OAuth `access_token=...\u0026resource=...` bodies | Form-encoded pre-pass extracts each pair |\n| Secrets in `__NEXT_DATA__` / `__INITIAL_STATE__` SSR blobs | Dedicated SSR + JSON_SCRIPT_TAG scanners |\n| Secrets buried deep in JSON (`data.user.config.apiKey`) | Recursive JSON_WALK |\n| WAF-blocked corporate WiFi flagging headless browsers | Crawler launches **real Chrome** with `--disable-blink-features=AutomationControlled` for Akamai / Cloudflare bypass |\n| Need request/response context for each finding | Burp-style **Details** panel with Request and Response tabs |\n| Custom org-specific rule packs without scanner noise | \"Custom rules ONLY\" toggle in **raw mode** — bypasses every default noise filter |\n| Need to integrate scanner output into automation | Bearer-authenticated **REST + MCP** server |\n\n---\n\n## 🔍 Detection Coverage\n\n| Family | Rules | Confidence |\n|---|---|---|\n| Anchored vendor tokens (AWS, Azure, GCP, Stripe, GitHub, Slack, JWT, Twilio, SendGrid, Mailgun, Heroku, npm, PyPI, etc.) | 100+ | CERTAIN |\n| Context-gated rules (DB connection strings, OAuth flows, request headers) | 40+ | FIRM |\n| GENERIC_KV (semantic key + entropy gate, full-text) | 1 (rich filter chain) | FIRM / CERTAIN |\n| JSON_WALK (recursive deep-key walker) | 1 | FIRM |\n| Entropy-gated unanchored tokens | 1 | FIRM |\n| Getter-function returns (JS) | 1 | FIRM |\n| SSR state blob recursion | 1 | varies |\n| User-defined custom rules | unbounded | FIRM (or NOISE in raw mode) |\n\n**Scan tiers:** FAST (vendor tokens only) · LIGHT (+ DB strings + context-gated) · FULL (+ GENERIC_KV + entropy + getter functions + SSR blobs).\n\n---\n\n## 🚀 Capabilities\n\n- **Bulk URL scan** — paste 1–N URLs, optionally enable Browser Mode for SPAs.\n- **Playwright crawler** — drives real Chrome, captures every request and response.\n- **MITM proxy** — embedded HTTP/1.1 proxy with on-the-fly per-host TLS certs (Bouncy Castle CA). Point any browser at `127.0.0.1:8888`.\n- **HAR import** — replay any DevTools-saved HAR file through the scanner; the Details panel works the same way.\n- **Findings dashboard** — sortable / filterable, severity badges, NOISE triage, mask-value / mask-URL toggles, column visibility menu.\n- **Capture store** — bounded LRU cache of HTTP request/response captures keyed by URL, backing the Details / Request / Response side panel.\n- **Custom rules** — `RuleName | regex | severity` per line. Run additively, or in raw mode that bypasses every default noise filter.\n- **Report bundles** — All-in-One ZIP (HTML + CSV + JSON + suppressed CSV) and Per-Domain ZIP. Every artifact timestamped `yyyyMMdd_HHmmss`.\n- **REST + MCP** — Bearer-authenticated localhost server. Full route table (`/api/scan`, `/api/findings`, `/api/report`, `/api/settings`, `/api/rules`, `/api/logs`) + JSON-RPC at `/mcp`.\n\n---\n\n## 🤖 REST API Example\n\nOnce MCP is enabled (Settings → AI / MCP → Apply), automate scans from any language:\n\n```powershell\n$port  = 8765\n$token = \"\u003cpaste from Settings\u003e\"\n$h     = @{ Authorization = \"Bearer $token\" }\n\n# Start a scan\n$body = @{ urls = @(\"https://example.com\") } | ConvertTo-Json\nInvoke-RestMethod -Uri \"http://localhost:$port/api/scan\" `\n    -Method POST -Headers $h -Body $body -ContentType \"application/json\"\n\n# Fetch findings\nInvoke-RestMethod -Uri \"http://localhost:$port/api/findings\" -Headers $h |\n    Format-Table severity, ruleId, keyName, value -AutoSize\n```\n\nOr via Python:\n\n```python\nimport requests\nh = {\"Authorization\": f\"Bearer {TOKEN}\"}\nrequests.post(f\"http://localhost:{PORT}/api/scan\", headers=h,\n              json={\"urls\": [\"https://example.com\"]})\nfindings = requests.get(f\"http://localhost:{PORT}/api/findings\", headers=h).json()\n```\n\nClaude Code one-liner:\n\n```\nclaude mcp add --transport http secretsifter-desktop \\\n    http://localhost:\u003cport\u003e/mcp \\\n    --header \"Authorization: Bearer \u003ctoken\u003e\"\n```\n\n---\n\n## Screenshots\n\n### Scan Dashboard — Burp-style Details / Request / Response panel for every finding\n![Scan Dashboard](images/SecretSifter-Scanner-Dashboard.jpg)\n\n### Scan Results — sortable / filterable findings table with severity badges\n![Scan Results](images/SecretSifter-ScanResults.png)\n\n### HTML Report — filterable, shareable deliverable\n![HTML Report](images/SecretSifter-HTML_Report.png)\n\n### Settings — Scanner\n\n![Scanner Settings](images/SecretSifter-Settings-Scanner.jpg)\n\n### Settings — Custom Rules (with \"Use ONLY\" raw-mode toggle)\n\n![Custom Rules](images/SecretSifter-Settings-CustomRules.jpg)\n\n### Settings — AI / MCP server\n\n![AI / MCP](images/SecretSifter-Settings-AI_MCP.jpg)\n\n### Settings — MITM Proxy\n\n![Proxy](images/SecretSifter-Settings-Proxy.jpg)\n\n### Live Logs — proxy intercepts, crawler activity, scan progress\n![Logs](images/SecretSifter-Logs.png)\n\n---\n\n## 📚 Documentation\n\n- **[User Documentation](https://htmlpreview.github.io/?https://github.com/secretsifter/secretsifter-desktop/blob/main/docs/SecretSifter_Desktop_User_Documentation_v1.7.6.html)** — installation guide, every workflow, severity / confidence model, triage guide, settings reference, REST API quickstart, troubleshooting.\n\n---\n\n## ⚙️ System Requirements\n\n- Windows 10 / 11 (x64)\n- ~500 MB disk space (installer + bundled JRE + Chromium fallback)\n- No admin rights required (per-user install)\n- Java is bundled — no external JRE needed\n- Google Chrome recommended for best WAF-bypass coverage; the crawler falls back to bundled Chromium / system Edge if Chrome is absent\n\n---\n\n## 🔨 Building from Source\n\n```powershell\n# Prerequisites: JDK 17+ with jpackage, WiX Toolset 3.11+ on PATH\n\ncd secretsifter-windows\n.\\gradlew.bat reinsertObfuscatedClasses    # obfuscated fat JAR (~1m)\n.\\gradlew.bat buildAppImage                # portable app folder (~2m)\n.\\gradlew.bat buildExeInstaller            # full Windows EXE installer (~3m)\n```\n\n\u003e **Build hygiene:** delete every `secretsifter-\u003cversion\u003e.jar` in `build/libs/` except the current version before each `buildExeInstaller` run. `jpackage --input` bundles every file in that directory into the installer image; stale per-version JARs balloon the EXE from ~240 MB to 1.8+ GB and can fail the WiX link step.\n\nOutput:\n\n| Path | Artifact |\n|---|---|\n| `build/libs/secretsifter-\u003cver\u003e.jar` | Obfuscated fat JAR |\n| `build/app-image-protected/SecretSifter/` | Portable folder + JRE |\n| `build/exe-installer/SecretSifter-\u003cver\u003e.exe` | Windows installer |\n\n---\n\n## 🛡️ Authorized Use Only\n\nSecretSifter is a security research and penetration testing tool. Use it **only** against systems you own or have explicit written authorisation to test. Unauthorised scanning of third-party systems may violate the Computer Fraud and Abuse Act (US), the UK Computer Misuse Act, the EU Directive on Attacks Against Information Systems, or equivalent local legislation. The author and contributors disclaim all liability for misuse.\n\n---\n\n## 📜 License\n\n[MIT License](LICENSE.txt) · Copyright © 2024–2026 Hemanth Gorijala.\n\nThe desktop edition bundles open-source components: Playwright for Java (Apache 2.0), Bouncy Castle (MIT-style), org.json (JSON License), Chromium (BSD), OpenJDK 21 (GPLv2 + Classpath Exception), WiX Toolset (MS-RL, build-time only).\n\n---\n\n\u003csub\u003eSecretSifter v1.7.7 · Windows Desktop Edition · Author: Hemanth Gorijala · MIT License\u003c/sub\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsifter%2Fsecretsifter-desktop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecretsifter%2Fsecretsifter-desktop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretsifter%2Fsecretsifter-desktop/lists"}