### Path Analyzer Configuration Example Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Example of the default configuration for the 'path' analyzer, showing how to enable it and specify the file types it should process. ```json // path is the name of the analyzer. "path": { // `enabled` means that jxscout will run this analyzer to extract paths in this case "enabled": true, // `file_types` is the list of file types where this analyzer will run (js, html, or reversed_source) // One note: reversed_source files are JS files, but jxscout distinguishes js files from reversed_sources // for tracking purposes "file_types": [ "js", "html", "reversed_source" ] } ``` -------------------------------- ### Hook Configuration Example Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks Configure global process concurrency and subscribe to events like `matches_created` and `js_file_saved`. This example shows how to set up multiple processes for an event and define specific concurrency limits for each. ```json { "$schema": "file://~/.jxscout-pro/project_settings.schema.json", // ... "hooks": { // `process_configuration` is an **optional** configuration for your hook processes. // For each event (e.g. `matches_created`), you can run multiple different "processes". // This allows you to parallelize work in case you want to run different scripts for the same // event. // A process is identified by its name and if you want to establish global concurrency values for it // you can use `process_configuration` like below. // In this case, we are ensuring that there's at most `10` notify processes running at the same time. "process_configuration": { "notify": { "concurrency": 10 } }, // The main part of hooks is setting process subscriptions to different events. The list of events available for hooks is: // - js_file_saved // - js_file_updated // - js_file_beautified // - html_file_saved // - html_file_updated // - html_file_beautified // - reversed_source_map_file_saved // - matches_created // - finding_created "matches_created": { // Here we are setting up a `check_relevant_matches` that will run on every `matches_created` event. // jxscout will ensure that only 5 instances of this script run at the same time. "check_relevant_matches": { // Scripts receive a relevant payload based on the event type. // We will explore this in a bit. "script": "bun run $JXSCOUT_PROJECT_DIR/scripts/analyze_matches.ts", // This is the `concurrency` for this process to run. This value overrides the global // `process_configuration` value for this particular event type. // By default the concurrency is set to `1`. "concurrency": 5 }, "notify": { "script": "notify 'matches created'" } }, "js_file_saved": { "notify": { "script": "notify 'JS File Saved'" } } } // ... } ``` -------------------------------- ### Install VSCode Extension Source: https://docs.v2.jxscout.app/docs/getting-started Use this command to install the jxscout VSCode extension. Ensure jxscout-pro-v2 is in your PATH. ```bash $ jxscout-pro-v2 -c install-vscode-extension ``` -------------------------------- ### Get jxscout CLI Help Source: https://docs.v2.jxscout.app/docs/tutorial/agent-skills Run this command to see all available commands for jxscout. ```bash $ jxscout-pro-v2 -c --help ``` -------------------------------- ### Skip Script Example (TypeScript with Bun) Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Create a TypeScript script file to determine if a file should be skipped. This example skips files whose paths include 'node_modules'. ```typescript const { file_path } = await Bun.stdin.json(); if (file_path.includes("node_modules")) { console.log("skip"); } ``` -------------------------------- ### jxscout Match Format Example Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer An example of the JSON structure expected by jxscout for reporting code analysis matches. This format includes the match kind, the detected value, and its start and end positions in the source code. ```json [ { "kind": "path", "value": "/api/users", "start": { "line": 1, "column": 1 }, "end": { "line": 1, "column": 10 } } // ... ] ``` -------------------------------- ### jxscout CLI Command for Analysis Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Example command to run the jxscout analyzer on a specific project and file type. This is used to test the configured custom analyzers. ```bash $ jxscout-pro-v2 -c analyze --project-name analyzer-tutorial --file-type js ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/app.js ``` -------------------------------- ### Start jxscout in Monitoring Mode Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Run jxscout with the --monitoring flag to enable notifications for all detected updates. It is recommended to use a different port to avoid excessive notifications. ```bash $ jxscout-pro-v2 --monitoring ``` -------------------------------- ### Example Matches View Structure Entry Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer This JSON snippet illustrates a single entry within the Matches view structure. It shows how to define navigation nodes and match nodes, including their types, labels, icons, and children. ```json // ... { // `type` can be either // - `navigation` for navigation-only nodes in the tree, or // - `match` for showing a specific kind of matches "type": "navigation", // `label` is a property of `navigation` nodes — the text displayed in VSCode "label": "HTML Manipulation", // `icon` is the icon to be displayed. // - use "jxscout:" prefix to use the jxscout icons // - use "vscode:" prefix to use native VSCode icons (https://code.visualstudio.com/api/references/icons-in-labels#icon-listing) // - use "file:/path/to/icon.svg" to use custom icons "icon": "jxscout:javascript", // `children` defines the child nodes of this navigation node (both `navigation` and `match` types) "children": [ { "type": "match", // `match_kind` is used to display matches of this kind at this level "match_kind": "html_manipulation", "icon": "jxscout:javascript", // `dont_collapse_individual_matches` // - when false or empty: same-value matches are collapsed into one node (e.g. two /api matches → one node) // - when true: every match is shown as its own node (e.g. two window.onmessage = e matches → two nodes) "dont_collapse_individual_matches": false } ] } // ... ``` -------------------------------- ### Example JSON Input for Skip Script Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer This JSON object is passed to the skip_script on stdin. It contains information about the file being considered for analysis. ```json { "file_type": "reversed_source", "url": null, "file_path": "/.../node_modules/react/index.js" } ``` -------------------------------- ### Skip Script Configuration (jq/grep) Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Configure the analyzer to use a shell command to skip files. This example uses jq and grep to skip any file path containing 'node_modules'. ```json { // ... "analyzer": { "skip_script": "jq -r '.file_path' | grep -q node_modules && echo skip || true" } // ... } ``` -------------------------------- ### TypeScript Preprocess Script for Path Analysis Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer This script filters out paths containing 'node_modules' or 'noisy', and transforms paths starting with '/oauth/' to '/api/v2/oauth/'. It reads from stdin and writes the processed path to stdout, or exits with code 0 to discard the match. ```typescript const path = (await Bun.stdin.text()).trim(); if (path.includes("node_modules") || path.toLowerCase().includes("noisy")) { process.exit(0); } const result = path.startsWith("/oauth/") ? "/api/v2/oauth" + path.slice(6) : path; console.log(result); ``` -------------------------------- ### Print Full Project Settings Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Use this command to view the complete default structure of the Matches view. This is useful for understanding the default configuration before making modifications. ```bash $ jxscout-pro-v2 -c print-full-project-settings --project-name analyzer-tutorial ``` -------------------------------- ### Print Full Project Settings Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Use this command to view the complete project settings, including analyzer configurations. This helps in identifying the structure and default values of analyzers. ```bash jxscout-pro-v2 -c print-full-project-settings --project-name analyzer-tutorial ``` -------------------------------- ### Wordlist Help and Configuration Source: https://docs.v2.jxscout.app/docs/tutorial/wordlists Access the help menu for wordlist options to configure the output. This allows customization of the words extracted from your project files. ```bash $ jxscout-pro-v2 -c wordlist --project-name --help ``` -------------------------------- ### Running the Semgrep to jxscout Conversion Script Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Shows how to execute the conversion script, piping the file path to be analyzed into the script and providing the semgrep rule path and a kind identifier. This is the final step to integrate semgrep analysis into jxscout. ```bash $ echo ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/admin.js | ./scripts/semgrep_to_jxscout.sh --rule semgrep/fetch_call.yaml --kind fetch_call_script ``` -------------------------------- ### Download Chrome Extension Source: https://docs.v2.jxscout.app/docs/getting-started Run this command to download the jxscout browser extension. Follow the subsequent steps to load it unpacked in Chrome. ```bash $ jxscout-pro-v2 -c download-browser-extension ``` -------------------------------- ### Restore Project Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Restore a jxscout project from a backup zip file. Use this command on your VPS or a new machine to import your project state. ```bash $ jxscout-pro-v2 -c restore --project-name .zip ``` -------------------------------- ### Generate Wordlists Source: https://docs.v2.jxscout.app/docs/tutorial/wordlists Use this command to initiate the wordlist generation process for your project. Ensure you replace '' with your actual project name. ```bash $ jxscout-pro-v2 -c wordlist --project-name ``` -------------------------------- ### Configure Path Analyzer with Preprocess Script Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Integrates a preprocess script into the 'path' analyzer configuration. Ensure the script path is correctly set using environment variables like $JXSCOUT_PROJECT_DIR. ```json { // ... "analyzer": { "built_in_analyzers": { "path": { "enabled": true, "file_types": ["js", "html", "reversed_source"], "preprocess_script": "bun run $JXSCOUT_PROJECT_DIR/scripts/preprocess_paths.ts" } } } // ... } ``` -------------------------------- ### Create URL Monitor Command Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Use this command to create a monitor for specific URLs. Wildcards can be used to match multiple files. ```bash jxscout-pro-v2 -c monitor create --help ``` -------------------------------- ### Test Custom Analyzer with Command Line Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Execute this command to test your newly added custom script analyzer. Replace placeholders with your actual project details. ```bash $ jxscout-pro-v2 -c analyze --project-name analyzer-tutorial --file-type js ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/admin.js ``` -------------------------------- ### Backup Project Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Create a backup of your jxscout project to a zip file. This is useful for migrating projects to a new machine or changing the working directory. ```bash $ jxscout-pro-v2 -c backup --project-name ``` -------------------------------- ### Testing Semgrep Rule with CLI Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Demonstrates how to test a custom semgrep rule against a specific JavaScript file using the semgrep CLI. This helps verify the rule's accuracy before integration. ```bash $ semgrep scan --config semgrep/fetch_call.yaml ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/admin.js ``` -------------------------------- ### Configure jxscout Global Settings Source: https://docs.v2.jxscout.app/docs/tutorial/agent-skills Update this JSON file to configure project creation hooks and agent skill settings. This allows for automatic copying of project-specific files and enables/disables the agent skills folder. ```json { "hooks": { // You can configure a hook during project creation to copy stuff like workflows or agent instructions for your projects "project_created": "cp /Users/francisconeves/.jxscout-pro/CLAUDE.md $JXSCOUT_PROJECT_DIR" }, "agent_skills": { "enabled": true, // disable the automatic creation of the skills folder "agents_folder_name": ".agents" // the name of the agents folder where jxscout skills will be populated } } ``` -------------------------------- ### Test Preprocess Script: Transforming /oauth/ paths Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Command to analyze a JavaScript file. Demonstrates the transformation of '/oauth/' paths to '/api/v2/oauth/' after applying the preprocess script. ```bash $ jxscout-pro-v2 -c analyze --project-name analyzer-tutorial --file-type js ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/auth.js ``` -------------------------------- ### Configure Discord Webhook for Monitoring Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Set up Discord Webhooks in your project's settings.jsonc file to receive monitoring notifications. This is the only supported notifier currently. ```json // project's settings.jsonc { // ... "monitoring_notifier": { "discord_webhook_url": "" } } ``` -------------------------------- ### Run JxScout Analyzer Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Execute the JxScout analyzer with specific project and file type settings to test the custom derived analyzers. ```bash $ jxscout-pro-v2 -c analyze --project-name analyzer-tutorial --file-type js ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/admin.js ``` -------------------------------- ### Bun Script for AI-Powered Security Check Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This script uses Bun to process input, invoke the gemini CLI for AI analysis of 'window.onmessage' listeners, and logs findings of missing origin checks. It requires the JXSCOUT_PROJECT_DIR environment variable to be set. ```typescript declare const Bun: { spawn( cmd: string[], opts?: { stdio?: ["inherit" | "pipe", "inherit" | "pipe", "inherit" | "pipe"]; } ): { exited: Promise }; }; interface Position { line: number; column: number; } interface Match { match_kind: string; match_value: string; position: { start: Position; end: Position; }; } interface Input { file_type: "html" | "js" | "reversed_source"; file_path: string; matches: Match[]; } const g = globalThis as unknown as { process: { stdin: AsyncIterable; exit(code: number): never; env: Record; }; Buffer: { concat(list: Uint8Array[]): { toString(): string } }; }; async function runGeminiCheck(projectDir: string, match: Match): Promise { const prompt = ` Analyze this code snippet: ${JSON.stringify(match)}. Does it contain a 'message' event listener without an origin check? If YES, output only the word 'VULNERABLE'. If NO, output nothing. `; // Capture the output instead of inheriting stdio const proc = Bun.spawn([ "gemini", "--include-directories", projectDir, "-p", prompt, ]); const text = await new Response(proc.stdout).text(); const exitCode = await proc.exited; if (exitCode === 0 && text.trim().includes("VULNERABLE")) { const logPath = `${projectDir}/missing_origin_check_found.log`; const entry = `Finding: Missing origin check in ${JSON.stringify(match)} `; await Bun.write(logPath, entry, { append: true }); } } async function main() { const chunks: Uint8Array[] = []; for await (const chunk of g.process.stdin) chunks.push(chunk); const raw = g.Buffer.concat(chunks).toString(); const data: Input = JSON.parse(raw); const projectDir = g.process.env.JXSCOUT_PROJECT_DIR ?? ""; if (!projectDir) { throw new Error("JXSCOUT_PROJECT_DIR is not set"); } const windowOnMessage = data.matches.filter( (m) => m.match_kind === "window_onmessage" ); for (const match of windowOnMessage) { await runGeminiCheck(projectDir, match); } } main().catch((err) => { console.error(err); g.process.exit(1); }); ``` -------------------------------- ### Skip Script Configuration (Bun script file) Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Configure the analyzer to use a Bun script file for skipping files. This points to the TypeScript script created previously. ```json { // ... "analyzer": { "skip_script": "bun run $JXSCOUT_PROJECT_DIR/scripts/skip_node_modules.ts" } // ... } ``` -------------------------------- ### Enable jxscout JavaScript Optimizer Source: https://docs.v2.jxscout.app/docs/tutorial/js-optimization Configure your project settings to enable the jxscout optimizer and specify transformations. The optimizer is not enabled by default. ```json { "beautifier": { "transformations": { "iterations": 3, "transformers": ["json_parse", "variable_inliner", "string_concat"] } } } ``` -------------------------------- ### Configure VSCode Matches View Structure Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Extend the VSCode matches view structure to include custom navigation nodes for 'internal_path' and 'internal_path_preprocess' match kinds. This configuration merges with the default structure. ```json { // ... "vscode_extension": { "matches_view": { "structure": [ { "type": "navigation", "label": "Internal Path", "icon": "vscode:heart", "children": [ { "type": "match", "match_kind": "internal_path", "icon": "vscode:heart" } ] }, { "type": "navigation", "label": "Internal Path Preprocess", "icon": "vscode:heart", "children": [ { "type": "match", "match_kind": "internal_path_preprocess", "icon": "vscode:heart" } ] } ] } } } ``` -------------------------------- ### Ingest Local Folder into jxscout Project Source: https://docs.v2.jxscout.app/docs/tutorial/file-system-ingestion Use this command to recursively import files from a local folder into your jxscout project. Ensure jxscout is running with the target project selected before execution. ```bash $ jxscout-pro-v2 -c fs-ingest --project-name --folder /path/to/files ``` -------------------------------- ### Hook Configuration for AI Onmessage Check Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This configuration snippet shows how to set up a 'matches_created' hook to execute a TypeScript script. The script's output and errors are redirected to a log file. ```json { "hooks": { "matches_created": { "onmessage_ai_check": { "script": "bun run $JXSCOUT_PROJECT_DIR/scripts/ai_onmessage.ts 2>&1 | tee $JXSCOUT_PROJECT_DIR/ai_onmessage.log" } } } } ``` -------------------------------- ### Perform Ad-hoc Analysis Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Use this command to test your current analyzer configuration on a specific file. It outputs potential matches without altering the database. ```bash $ jxscout-pro-v2 -c analyze --project-name --file-type /path/to/any/file ``` -------------------------------- ### Send Test Notifications Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Test your configured Discord webhook by sending mock notifications using this command. Ensure your webhook URL is correctly set up. ```bash $ jxscout-pro-v2 -c monitor send-test-notifications --project-name monitoring ``` -------------------------------- ### Configure Custom Analyzer in jxscout.yaml Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Add this configuration to your jxscout.yaml file to enable a custom script analyzer. Ensure the script path and file types are correctly set. ```yaml { // ... "analyzer": { // ... "custom_analyzers": { // ... "fetch_calls_script": { "enabled": true, "type": "script", "file_types": ["js", "reversed_source"], "script": "$JXSCOUT_PROJECT_DIR/scripts/semgrep_to_jxscout.sh --rule $JXSCOUT_PROJECT_DIR/semgrep/fetch_call.yaml --kind fetch_call_script" } } }, "vscode_extension": { "matches_view": { "structure": [ { "type": "navigation", "label": "Fetch Call Script", "icon": "vscode:heart", "children": [ { "type": "match", "match_kind": "fetch_call_script", "icon": "vscode:heart" } ] } ] } } } ``` -------------------------------- ### Ad-hoc Analysis Output (Enabled Analyzer) Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer This JSON output includes matches from both the 'path' and 'html_manipulation' analyzers, demonstrating the effect of enabling all relevant analyzers. ```json { "matches_by_analyzer": { "path": [ { "kind": "path", "value": "/labs/noisy-navigation/frames/", "start": { "line": 3, "column": 14 }, "end": { "line": 3, "column": 46 } } ], "html_manipulation": [ { "kind": "html_manipulation", "value": "container.innerHTML = ''", "start": { "line": 11, "column": 5 }, "end": { "line": 12, "column": 74 } } ] } } ``` -------------------------------- ### Configure Hooks for Multiple Event Types Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This JSON configuration sets up Jxscout hooks to execute a bash script for different file-related events. Each hook is mapped to a specific event and calls the script with the event name as an argument. ```json { "hooks": { "js_file_saved": { "js_file_saved_process_hook": { "script": "$JXSCOUT_PROJECT_DIR/scripts/log_payload.sh js_file_saved" } }, "js_file_beautified": { "js_file_beautified_process_hook": { "script": "$JXSCOUT_PROJECT_DIR/scripts/log_payload.sh js_file_beautified" } }, "html_file_saved": { "html_file_saved_process_hook": { "script": "$JXSCOUT_PROJECT_DIR/scripts/log_payload.sh html_file_saved" } }, "html_file_beautified": { "html_file_beautified_process_hook": { "script": "$JXSCOUT_PROJECT_DIR/scripts/log_payload.sh html_file_beautified" } }, "reversed_source_map_file_saved": { "reversed_source_map_file_saved_process_hook": { "script": "$JXSCOUT_PROJECT_DIR/scripts/log_payload.sh reversed_source_map_file_saved" } }, "matches_created": { "matches_created_process_hook": { "script": "$JXSCOUT_PROJECT_DIR/scripts/log_payload.sh matches_created" } } } } ``` -------------------------------- ### Enable and Configure HTTP Request Ingestion Source: https://docs.v2.jxscout.app/docs/tutorial/saving-raw-http-files Update your project settings to enable HTTP request ingestion. Configure scope rules to control which requests are captured, including host, path, and method filters, and set a maximum number of saved requests per unique endpoint. ```json { "http_request_ingestion": { "enabled": true, "scope": { "in_scope": [ { "max_saved_requests_per_unique_endpoint": 5, "request_scope": { "host": ["*jxscout*"], "path": ["*/api*"], "method": ["POST"] } } ] } } } ``` -------------------------------- ### Configure Concurrency Settings in jxscout Source: https://docs.v2.jxscout.app/docs/tutorial/speeding-up Adjust the concurrency limits for different jxscout pipeline steps by modifying project settings. Increase values to speed up processing, but be mindful of system resources. ```json { // ... "$schema": "file:///Users/francisconeves/.jxscout-pro/project_settings.schema.json", "analyzer": { "concurrency": 10 }, "beautifier": { "concurrency": 10 }, "chunk_discoverer": { "concurrency": 10 }, "sourcemaps": { "concurrency": 20 }, "wordlist": { "concurrency": 20 } } ``` -------------------------------- ### VSCode Matches View Structure with Individual Match Collapse Disabled Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Extends the VSCode Matches view configuration to prevent collapsing individual fetch call matches. This ensures each detected fetch call is shown separately in the view. ```json { // ... "vscode_extension": { "matches_view": { "structure": [ { "type": "navigation", "label": "Fetch Call", "icon": "vscode:heart", "children": [ { "type": "match", "match_kind": "fetch_call", "icon": "vscode:heart", "dont_collapse_individual_matches": true // we added this } ] } ] } } // ... } ``` -------------------------------- ### Introduce Syntax Error in Hook Configuration Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This JSON snippet demonstrates how to intentionally introduce an error in a hook's script path to simulate a failure. This is useful for testing Jxscout's error handling and debugging capabilities. ```json { "hooks": { "js_file_saved": { "js_file_saved_process_hook": { "script": "oops_this_command_doesnt_exist" } } // ... } } ``` -------------------------------- ### Expected Analyzer Output for Fetch Calls Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Sample output from the jxscout analyzer, indicating that the custom 'fetch_call' regex analyzer has successfully identified a fetch usage. This confirms the analyzer is working. ```json [{"kind":"fetch_call","value":"fetch(","start":{"line":15,"column":12},"end":{"line":15,"column":18}}] ``` -------------------------------- ### TypeScript Script for Analyzing window.onmessage Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This TypeScript script reads input from stdin, parses it to find 'window.onmessage' matches, and logs details for each found match. It requires the input to be in the specified JSON format. ```typescript interface Position { line: number; column: number; } interface Match { match_kind: string; match_value: string; position: { start: Position; end: Position; }; } interface Input { file_type: "html" | "js" | "reversed_source"; file_path: string; matches: Match[]; } const g = globalThis as unknown as { process: { stdin: AsyncIterable; exit(code: number): never }; Buffer: { concat(list: Uint8Array[]): { toString(): string } }; }; async function main() { const chunks: Uint8Array[] = []; for await (const chunk of g.process.stdin) chunks.push(chunk); const raw = g.Buffer.concat(chunks).toString(); const data: Input = JSON.parse(raw); const windowOnMessage = data.matches.filter( (m) => m.match_kind === "window_onmessage" ); for (const match of windowOnMessage) { console.log( "Found onmessage!", JSON.stringify({ file_path: data.file_path, match }) ); } } main().catch((err) => { console.error(err); g.process.exit(1); }); ``` -------------------------------- ### Bash Script to Log Event Payloads Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This script logs the event name and its payload to a file. It's designed to be executed by Jxscout hooks. ```bash #!/usr/bin/env bash set -e event_name="$1" logfile="${JXSCOUT_PROJECT_DIR}/${event_name}.log" { cat; echo; } >> "$logfile" ``` -------------------------------- ### Configure Rate Limiting Settings in jxscout Source: https://docs.v2.jxscout.app/docs/tutorial/speeding-up Modify request settings to control jxscout's rate limiting behavior. Enable or disable rate limiting and set the maximum requests per minute to prevent overloading targets. ```json { // ... "request_settings": { "rate_limiting_enabled": true, // can be used to disable rate limiting "max_requests_per_minute": 1 // max number of requests that jxscout does per minute } } ``` -------------------------------- ### VSCode Matches View Structure for Fetch Calls Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Configuration for the VSCode extension to display custom 'fetch_call' matches in the Matches view. It defines a navigation node labeled 'Fetch Call' with a specific icon. ```json { // ... "vscode_extension": { "matches_view": { "structure": [ { "type": "navigation", "label": "Fetch Call", "icon": "vscode:heart", "children": [ { "type": "match", "match_kind": "fetch_call", "icon": "vscode:heart" } ] } ] } } // ... } ``` -------------------------------- ### Basic Custom Regex Analyzer Structure Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Defines the general structure for a custom regex analyzer in jxscout configuration. This serves as a template for creating new analyzers. ```json { "custom_analyzers": { // this is an arbitrary name for your custom analyzer, used by jxscout internally to track // whether this analyzer has already run or not "my_custom_analyzer_name": { "enabled": true, // regex analyzers have type `regex` "type": "regex", // `file_types` where this regex will be applied "file_types": ["js", "reversed_source"], // `match_kind` for matches generated by this regex "match_kind": "my_custom_match_kind", // `regex_list` is the list of regexes that will generate matches for this analyzer "regex_list": ["my_regex_pattern", "my_other_regex_pattern"] } } } ``` -------------------------------- ### Default HTML Manipulation Analyzer Configuration Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer This JSON snippet shows the default configuration for the 'html_manipulation' built-in analyzer. It includes settings for 'enabled' status and 'file_types'. ```json { // ... "analyzer": { // ... "built_in_analyzers": { // ... "html_manipulation": { "enabled": true, "file_types": ["js", "reversed_source"] } // ... } // ... } } ``` -------------------------------- ### Configure Custom Derived Analyzers Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Define custom analyzers for 'path' values to create new match kinds like 'internal_path' using regex or preprocess scripts. This configuration is added to the project settings. ```json { // ... "custom_analyzers": { // one way to implement this is to use a derived analyzer with a `regex_list` "internal_paths": { "enabled": true, "type": "derived", "file_types": ["html", "js", "reversed_source"], // this is the original match kind from where we want to derive a new match kind "original_match_kind": "path", // the name of the new match kind "new_match_kind": "internal_path", // a list of regexes that will be applied to the original value. if there's any match // then a new match of the `new_match_kind` will be generated "regex_list": [".*internal.*"] }, "internal_paths_with_preprocess": { "enabled": true, "type": "derived", "file_types": ["html", "js", "reversed_source"], "original_match_kind": "path", "new_match_kind": "internal_path_preprocess", // you could always leave the `regex_list` empty "regex_list": [], // and use a preprocess script to implement a similar functionality "preprocess_script": "grep -F internal" } // ... } // ... } ``` -------------------------------- ### Configure Monitoring Notifications Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring Customize notification settings by editing the 'monitoring_notifier' section in your project's settings.jsonc file. This allows you to enable or disable alerts for different events. ```json // project's settings.jsonc { // ... "monitoring_notifier": { "discord_webhook_url": "", "notify_js_file_updates": true, "notify_new_js_files": true, "notify_new_js_matches": true, "notify_request_failures": true, "notify_html_file_updates": false, "notify_new_html_matches": false } } ``` -------------------------------- ### Input Format for matches_created Hook Source: https://docs.v2.jxscout.app/docs/tutorial/automation-with-hooks This JSON structure represents the input provided to a script when a 'matches_created' hook is triggered. It includes file details and a list of detected matches. ```json { "file_type": "html|js|reversed_source", "file_path": "/absolute/path/to/file", "matches": [ { "match_kind": "", "match_value": "", "position": { "start": { "line": 9, "column": 9 }, "end": { "line": 13, "column": 10 } } } ] } ``` -------------------------------- ### Grouping Navigation Nodes in Matches View Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer This JSON configures the Matches view to group 'Paths' and 'API Paths' under a new 'Routes' parent node. It demonstrates nested navigation structures. ```json { "type": "navigation", "label": "Routes", "icon": "jxscout:path", "children": [ { "type": "navigation", "label": "Paths", "icon": "jxscout:path", "children": [ { "type": "match", "match_kind": "path", "icon": "jxscout:path" } ] }, { "type": "navigation", "label": "API Paths", "icon": "jxscout:api", "children": [ { "type": "match", "match_kind": "api_path", "icon": "jxscout:api" } ] } ] } ``` -------------------------------- ### Custom Regex Analyzer for Fetch Calls Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Configures a specific custom regex analyzer to detect 'fetch(...)' calls in JavaScript and reversed source files. It specifies the file types, match kind, and the regex pattern to use. ```json { // ... "analyzer": { // ... "custom_analyzers": { "fetch_calls": { "enabled": true, "type": "regex", "file_types": ["js", "reversed_source"], "match_kind": "fetch_call", "regex_list": ["fetch\s*\("] } } // ... } } ``` -------------------------------- ### Ad-hoc Analysis with Disabled Analyzer Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Run an ad-hoc analysis after disabling a specific analyzer (e.g., 'html_manipulation') to see the reduced output. This helps verify analyzer-specific behavior. ```bash $ jxscout-pro-v2 -c analyze --project-name analyzer-tutorial --file-type js ~/jxscout-pro/analyzer-tutorial/static_assets/current/js_and_html/labs.jxscout.app/labs/noisy-navigation/js/main.js ``` -------------------------------- ### Check Enabled Analyzers Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Command to check which analyzers are currently enabled by default in your jxscout project. The list of built-in analyzers is found under 'analyzer > built_in_analyzers'. ```bash $ jxscout-pro-v2 -c print-full-project-settings --project-name analyzer-tutorial ``` -------------------------------- ### Semgrep Rule for Detecting Fetch Calls Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Defines a semgrep rule to detect 'fetch()' calls in JavaScript and TypeScript files. This rule can be used to identify network requests made using the fetch API. ```yaml rules: - id: detect-fetch-call message: Detected fetch() call pattern: fetch(...) languages: - javascript - typescript severity: INFO ``` -------------------------------- ### Match Data Structure Source: https://docs.v2.jxscout.app/docs/tutorial/analyzer Defines the structure of a match generated by an analyzer, including its kind, value, and position in the source code. ```json { // `kind` of a match is basically the type of information that this match corresponds to "kind": "path", // `value` is the information extracted from the source code by the analyzer "value": "/api/users", // `start` and `end` are the 0-based positions in the source code where this match was extracted. // This is used by the VSCode extension to know where to jump when clicking on a match "start": { "line": 1, "column": 1 }, "end": { "line": 1, "column": 10 } } ``` -------------------------------- ### Script-based Monitoring Payload Source: https://docs.v2.jxscout.app/docs/tutorial/monitoring This JSON payload is passed to your custom script for authenticated page monitoring, providing proxy details. ```json { "proxy_host": "", "proxy_port": "" } ```