The official command-line tool for JSMon. Scan URLs, domains, and source code, upload files, and explore reconnaissance and vulnerability data from your terminal.
- Quick Start
- Installation
- Configuration
- Commands Overview
- Scanning
- Viewing Data
- Reconnaissance & Filters
- Reverse Search
- Updates
- Examples
- Install the CLI (see Installation).
- Set your API key (flag, file, or env—see Configuration).
- Create or pick a workspace, then start scanning.
```bash
# Create a workspace
jsmon -cw "My Project" -key YOUR_API_KEY
# Scan a URL (use the workspace ID from the previous command)
jsmon -u "https://example.com/app.js" -wksp YOUR_WORKSPACE_ID
# List reconnaissance data (e.g. emails)
jsmon -recon "field=emails page=1" -wksp YOUR_WORKSPACE_ID
```

```bash
go install github.com/jsmonhq/jsmon-cli@latest
```

Ensure your Go bin directory is in your PATH (e.g. $HOME/go/bin). The binary is typically named jsmon-cli; you can rename or symlink it to jsmon if you prefer.

```bash
git clone https://github.com/jsmonhq/jsmon-cli.git
cd jsmon-cli
go build -o jsmon .
```

Use -o jsmon to get a binary named jsmon.
Get your API key from JSMon. The CLI looks for it in this order:
| Priority | Source |
|---|---|
| 1 | -key YOUR_API_KEY |
| 2 | File: ~/.jsmon/credentials |
| 3 | Environment: JSMON_API_KEY |
Credentials file: Create ~/.jsmon/credentials and put your API key on the first line (no label). Lines starting with # are ignored.
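In the lookup order above the credentials file outranks JSMON_API_KEY, and a key passed with -key ends up in shell history and the process list. The POSIX shell helpers below are an added example, not part of jsmon-cli, and their function names are hypothetical: they write the key from stdin with owner-only permissions and report which source would win. They assume the key is the first line that is neither blank nor a # comment, and that a file with no such line falls through to the environment variable.

```shell
#!/bin/sh
# Added example, not part of jsmon-cli. Function names are hypothetical.
# Assumptions: the key is the first line of ~/.jsmon/credentials that is
# neither blank nor a "#" comment, and a file with no such line falls
# through to JSMON_API_KEY.

# Read the key from stdin (keeps it out of argv and shell history) and
# write it to DIR/credentials, readable by the owner only.
jsmon_store_key() {
  _d="${1:-$HOME/.jsmon}"
  IFS= read -r _k || [ -n "$_k" ] || return 1
  ( umask 077; mkdir -p "$_d" && printf '%s\n' "$_k" > "$_d/credentials" ) &&
    chmod 600 "$_d/credentials"
  _rc=$?; unset _k; return "$_rc"
}

# Print the key the file would supply; fail if the file has none.
jsmon_file_key() {
  _f="${1:-$HOME/.jsmon}/credentials"
  [ -r "$_f" ] || return 1
  awk '!/^#/ && NF { print $1; ok = 1; exit } END { exit !ok }' "$_f"
}

# Succeed only if group and other have no permission bits on the file.
jsmon_creds_private() {
  _f="${1:-$HOME/.jsmon}/credentials"
  [ -f "$_f" ] || return 1
  # Characters 5-10 of the ls mode string are the group/other bits.
  [ "$(ls -ld "$_f" | cut -c5-10)" = "------" ]
}

# Report which source wins in the documented order: flag, file, env.
jsmon_key_source() {   # $1 = value given to -key (may be empty), $2 = DIR
  if [ -n "$1" ]; then echo flag
  elif jsmon_file_key "${2:-$HOME/.jsmon}" >/dev/null 2>&1; then echo file
  elif [ -n "${JSMON_API_KEY:-}" ]; then echo env
  else echo none
  fi
}
```

Source the file, run jsmon_store_key and paste the key, then run jsmon_key_source to confirm that a leftover credentials file is not shadowing the environment variable.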
For scanning and data commands you need a workspace ID:
- Pass it with `-wksp YOUR_WORKSPACE_ID`, or
- Set `JSMON_WORKSPACE_ID` in your environment.
The workspace ID is not read from the credentials file; it must be provided per command or via env.
- `-H "Header-Name: value"`: Add custom HTTP headers for scan requests (can be used multiple times).
- `-silent`: Hide the JSMon logo when running commands.
- `-depth 1..4` / `-scan-depth 1..4`: Control domain scan depth.
- `-wafbypass` / `-waf-bypass`: Enable WAF bypass for URL, domain, and file scans.
- `-keywords "api,admin"` / `-scan-keywords "api,admin"`: Add domain scan keywords.
- `-extensions "js,json"` / `-scan-extensions "js,json"`: Limit domain scans to supported extensions.
Scan commands submit work to JSMon's asynchronous pipeline. The CLI prints the queued runId and version; use those values with read commands when you want run-scoped or version-specific results.
```
Usage: jsmon-cli [OPTIONS]

Input:
  -u <input>                                     Input URL to scan
  -d <input>                                     Input domain to scan
  -cs <input> | -code-scan <input>               Input source code file to scan
  -f <input>                                     Upload a URL list file for server-side file scan
  -cw <input> | --create-workspace <input>       Create a new workspace

Configuration:
  -key <input>                                   API key (or add the API key to ~/.jsmon/credentials)
  -wksp <wksp id>                                Workspace ID to scan the target
  -runId <id>                                    Existing run ID for rescan or run-scoped counts
  -depth <1..4> | -scan-depth <1..4>             Optional scan depth for domain scans
  -wafbypass | -waf-bypass                       Enable WAF bypass for URL, domain, and file scans
  -keywords <a,b> | -scan-keywords <a,b>         Optional domain scan keywords
  -extensions <a,b> | -scan-extensions <a,b>     Optional domain scan extensions
  -H <input>                                     Custom HTTP headers to send along with request to scan
  -silent                                        Silent the logo
  -up, --update                                  Check for updates and show update command
  -duc, --disable-update-check                   Disable automatic update check on startup

Scans:
  -count                                         Show the counts of reconnaissance data and secrets count
  --urls "page=<page number> limit=<number>"     Fetch all scanned URLs (default: page=1, limit=100)
  --domains "page=<page number> limit=<number>"  Fetch all scanned domains (default: page=1, limit=100)
  --files "page=<page number> limit=<number>"    Fetch all scanned files (default: page=1, limit=100)

Data:
  -workspaces                                    Fetch all workspaces
  -issues "page=<n> limit=<n> ..."               Fetch dashboard vulnerabilities for a workspace (default: page=1, limit=100)
                                                 Supported options: severity, dateFrom, dateTo
  -secrets "page=<number> limit=<number> runId=<id> version=<n>"
                                                 Fetch all secrets for a workspace (default: page=1, limit=100)
  -recon "field=<name> page=<number> limit=<number> runId=<id> version=<n>"
                                                 Fetch the reconnaissance data (default: page=1, limit=100)
                                                 Example: -recon "field=extractedUrls page=3 limit=50"

Reverse Search:
  -rsearch "<field name>=<value>"                Search the source of the result where it comes from
                                                 Example: -rsearch "apipaths=@azure/msal-browser"

Filter:
  -filters "<fieldname>=<keyword> page=<number> limit=<number> runId=<id> version=<n>"
                                                 Match keywords in the field data in reconnaissance results
                                                 (default: page=1, limit=100)
                                                 Example: -filters "urls=github.com page=2 limit=50"

Help:
  -h, --help                                     Show this help message

Field Names:
  -recon, -rsearch:
    apiPaths, urls/jsurls (scanned URLs), extractedUrls, extractedDomains, ip, emails, s3Buckets, s3takeovers, gqlQueries, gqlMutations, gqlMutaions, gqlFragments, param (extracted parameter),
    npmPackages, npmConfusion, guids, localhost, expiredDomains, allAwsAssets, queryparams, socialUrls,
    portUrls, extensionUrls
  -filters:
    jsurls, apiPaths, urls, emails, gqlQueries, gqlMutations, gqlMutaions, sqlFragments, param (extracted parameter)
```
```bash
jsmon -u "https://example.com/script.js" -wksp YOUR_WORKSPACE_ID
```

```bash
jsmon -d "example.com" -wksp YOUR_WORKSPACE_ID
jsmon -d "example.com" -depth 3 -wksp YOUR_WORKSPACE_ID
jsmon -d "example.com" -depth 3 -keywords "api,admin" -extensions "js,json" -wksp YOUR_WORKSPACE_ID
jsmon -d "example.com" -wafbypass -wksp YOUR_WORKSPACE_ID
```

-depth, -keywords, and -extensions are domain-scan only. Supported extension values are html, php, txt, js, xml, json, map, xhtml, and aspx.

```bash
jsmon -cs app.js -wksp YOUR_WORKSPACE_ID
```

Put one URL per line in a file, then submit the file to JSMon's server-side file scan:

```bash
jsmon -f urls.txt -wksp YOUR_WORKSPACE_ID
jsmon -f urls.txt -wafbypass -wksp YOUR_WORKSPACE_ID
```

The response includes runId and version. Re-submit the file if a queued file scan fails before processing.

```bash
jsmon -workspaces -key YOUR_API_KEY
```

```bash
jsmon --urls "page=1 limit=50" -wksp YOUR_WORKSPACE_ID
jsmon --domains "page=1 limit=50" -wksp YOUR_WORKSPACE_ID
jsmon --files "page=1 limit=50" -wksp YOUR_WORKSPACE_ID
```

Default is page=1 and limit=100 if omitted. (Max limit: 5000 per page)

```bash
jsmon -secrets "page=1 limit=100" -wksp YOUR_WORKSPACE_ID
```

```bash
jsmon -issues "page=1 limit=20" -wksp YOUR_WORKSPACE_ID
jsmon -issues "page=1 limit=20 severity=critical,high dateFrom=2026-04-01 dateTo=2026-04-14" -wksp YOUR_WORKSPACE_ID
```

The -issues command mirrors the mounted dashboard vulnerability table and returns data, severityCount, and pagination.

```bash
jsmon -count -wksp YOUR_WORKSPACE_ID
```

Optional: add -runId RUN_ID for a specific run.
Get extracted intelligence for a field and optional pagination:
```bash
jsmon -recon "field=emails page=1 limit=50" -wksp YOUR_WORKSPACE_ID
```

Common fields: apiPaths, urls/jsurls for scanned URLs, extractedUrls for automation-extracted URL strings, extractedDomains, expiredDomains, ip, emails, s3Buckets (awsassets.s3buckets), gqlQueries, gqlMutations, gqlFragments, param, queryparams, allAwsAssets, npmPackages, socialUrls, portUrls, extensionUrls, and others (see jsmon -h).
Add runId=<id> to scope results to one scan. Add version=<n> with runId to inspect a specific monitoring/rescan version.
Search within a field (e.g. only URLs containing "github"):
```bash
jsmon -filters "urls=github.com page=1" -wksp YOUR_WORKSPACE_ID
jsmon -filters "param=github page=1" -wksp YOUR_WORKSPACE_ID
```

Format: "fieldname=keyword page=N limit=N". Defaults: page=1, limit=100.
Find where a value came from (e.g. which script exposes an API path):
```bash
jsmon -rsearch "apipaths=@azure/msal-browser" -wksp YOUR_WORKSPACE_ID
jsmon -rsearch "extractedDomains=blogs.jsmon.sh" -wksp YOUR_WORKSPACE_ID
```

Format: "fieldname=value". Use extractedDomains (not domains) for domain reverse search.
- Automatic: On startup the CLI checks for a newer release and prints a message if one exists (no auto-download).
- Manual check: `jsmon -up` or `jsmon --update` to check and see the install command.
- Disable startup check: `jsmon -duc` or `jsmon --disable-update-check`.
To upgrade after a new release:
```bash
go install github.com/jsmonhq/jsmon-cli@latest
```

```bash
# Create workspace
jsmon -cw "My Project" -key YOUR_API_KEY
# Scan targets
jsmon -u "https://example.com/script.js" -wksp YOUR_WORKSPACE_ID
jsmon -u "https://example.com/script.js" -wafbypass -wksp YOUR_WORKSPACE_ID
jsmon -d "example.com" -wksp YOUR_WORKSPACE_ID
jsmon -d "example.com" -depth 2 -wksp YOUR_WORKSPACE_ID
jsmon -d "example.com" -depth 3 -keywords "api,admin" -extensions "js,json" -wafbypass -wksp YOUR_WORKSPACE_ID
jsmon -cs app.js -wksp YOUR_WORKSPACE_ID
jsmon -f urls.txt -wksp YOUR_WORKSPACE_ID
# Use credentials file (no -key needed)
jsmon -u "https://example.com/script.js" -wksp YOUR_WORKSPACE_ID
# Reconnaissance
jsmon -recon "field=emails page=1" -wksp YOUR_WORKSPACE_ID
jsmon -recon "field=allAwsAssets page=1" -wksp YOUR_WORKSPACE_ID
jsmon -issues "page=1 limit=20 severity=critical,high" -wksp YOUR_WORKSPACE_ID
# Filter and reverse search
jsmon -filters "urls=api page=1" -wksp YOUR_WORKSPACE_ID
jsmon -rsearch "apipaths=/auth/login" -wksp YOUR_WORKSPACE_ID
```

- GitHub: github.com/jsmonhq/jsmon-cli
- JSMon: jsmon.sh




