# DepScout

A high-performance, concurrent scanner for detecting unclaimed packages.

## Features
- **Dependency Confusion Scanning**: Identifies potential Dependency Confusion vulnerabilities by scanning JavaScript files for package names and checking their existence on the public npm registry.
- **Dual Parsing Engine**:
  - **Regex Mode**: Fast, high-performance scanning using fine-tuned regular expressions to find `require()` and `import` statements.
  - **Deep Scan Mode** (`--deep-scan`): High-accuracy scanning using a full Abstract Syntax Tree (AST) parser to eliminate false positives from non-code contexts (e.g., comments). Includes an automatic fallback to regex if AST parsing fails.
- **Concurrent Architecture**: Leverages a powerful, concurrent worker model to perform high-speed fetching and analysis of hundreds or thousands of files simultaneously.
- **Adaptive Rate Limiting**: Features a smart, per-domain rate limiter that automatically adjusts request speeds based on server responses (e.g., `429 Too Many Requests`), maximizing speed without overwhelming targets.
- **Flexible Input**: Accepts targets from single URLs (`-u`), files (`-f`), local directories (`-d`), or piped via `stdin`.
- **Advanced Configuration**: Provides a rich set of CLI flags for fine-grained control over concurrency, timeouts, file sizes, and more.
- **Multiple Output Formats**: Delivers results in human-readable text or machine-readable JSON (`--json`).
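The regex-mode pipeline described above, as an added example that is not DepScout's own code: a `require()`/`import` regex, normalisation of each specifier to the npm package it resolves to (scoped packages, subpath imports, paths, URLs and a constructed subset of Node built-ins), and a registry lookup where 200 means claimed, 404 means unclaimed and anything else, such as a 429 from rate limiting, is an error rather than a finding. The regex, the `builtins` set and the function names are assumptions for this example.

```go
package main
import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)
// Regex mode: require('x'), import ... from 'x', import('x') and bare import 'x' (assumed pattern).
var moduleSpec = regexp.MustCompile(`(?:\brequire\s*\(|\bfrom\s+|\bimport\s*\(?)\s*['"]([^'"]+)['"]`)
// Constructed subset of Node built-ins; these never resolve to the registry.
var builtins = map[string]bool{"fs": true, "path": true, "http": true, "crypto": true, "os": true}
// PackageName maps a module specifier to the npm package it resolves to.
func PackageName(spec string) string {
	parts := strings.SplitN(spec, "/", 3)
	scoped := strings.HasPrefix(spec, "@")
	if strings.HasPrefix(spec, "node:") || strings.HasPrefix(spec, ".") || strings.HasPrefix(spec, "/") ||
		strings.Contains(spec, "://") || builtins[parts[0]] || (scoped && len(parts) < 2) {
		return "" // path, URL, built-in or bare "@scope": nothing to look up on the registry
	}
	if scoped { // "@org/pkg/sub" -> "@org/pkg"
		return parts[0] + "/" + parts[1]
	}
	return parts[0] // "lodash/fp" -> "lodash"
}

// ExtractPackages returns the unique package names referenced by src, in order of first use.
func ExtractPackages(src string) []string {
	seen := map[string]bool{}
	var names []string
	for _, m := range moduleSpec.FindAllStringSubmatch(src, -1) {
		if n := PackageName(m[1]); n != "" && !seen[n] {
			seen[n], names = true, append(names, n)
		}
	}
	return names
}

// NpmExists asks the public registry: 200 = claimed, 404 = unclaimed; any other status (e.g. 429) is an error.
func NpmExists(name string) (bool, error) {
	resp, err := http.Get("https://registry.npmjs.org/" + url.PathEscape(name))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusNotFound {
		return resp.StatusCode == http.StatusOK, nil
	}
	return false, fmt.Errorf("registry returned %d for %s", resp.StatusCode, name)
}
```

Note that a `require()` inside a comment is still extracted in regex mode; that is the class of false positive the README's deep scan mode removes.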
## Installation

### From source

```bash
# Clone the repository
git clone https://github.com/rafabd1/DepScout.git
cd DepScout

# Build the binary
go build -o depscout ./cmd/depscout

# Optional: Move to path (Linux/macOS)
sudo mv depscout /usr/local/bin/
```

### Using go install

```bash
go install github.com/rafabd1/DepScout/cmd/depscout@latest
```

### Pre-built binaries

You can download pre-built binaries for your platform from the releases page.
## Usage

Scan a single JavaScript file:

```bash
depscout -u https://example.com/assets/app.js
```

Scan a local directory of JS files using the high-accuracy deep scan mode:

```bash
depscout -d /path/to/js/files --deep-scan
```

Scan a list of targets from a file:

```bash
depscout -f targets.txt
```

## Flags

| Flag | Description | Default |
|---|---|---|
| `-u` | A single target URL or local file path. | - |
| `-f` | A file containing a list of targets. | - |
| `-d` | Path to a local directory to scan for `.js` and `.ts` files. | - |
| `-c` | Number of concurrent workers. | 25 |
| `-l` | Maximum requests per second per domain (in auto-adjustment mode). | 30 |
| `-H` | Custom header to include in all requests (can be specified multiple times). | - |
| `-o` | File to write output to. | stdout |
| `-p` | File containing a list of proxies (http/https/socks5). | - |
| `-proxy` | A single proxy server (e.g. `http://127.0.0.1:8080`). | - |
| `--deep-scan` | Enable deep scan using AST parsing (slower but more accurate). | false |
| `-json` | Enable JSON output format. | false |
| `--max-file-size` | Maximum file size to process in KB. | 10240 |
| `--no-limit` | Disable file size limit. | false |
| `--skip-verify` | Skip TLS certificate verification. | false |
| `-v` | Enable verbose output for debugging. | false |
| `--silent` | Suppress all output except for findings. | false |
| `--no-color` | Disable colorized output. | false |
## Usage Warning & Responsibility
This tool is intended for security professionals and researchers for legitimate testing purposes only. Running DepScout against a target may generate a high volume of HTTP requests. You are responsible for your actions and must have explicit permission to test any target. The author of this tool is not responsible for any misuse or damage caused by this program.
- Changelog - Check the latest updates and version history.
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License.
Made with 🖤 by Rafael (github.com/rafabd1)