Description
Retire.js scans web applications for JavaScript libraries with known vulnerabilities. It fingerprints the libraries it finds (by file name, file contents or script URL) to work out their versions and cross-references them against a repository of CVEs and security advisories. It is available as a CLI, a Burp Suite extension and Chrome/Firefox extensions: the CLI scans files on disk, while the Burp and browser extensions inspect scripts as a live site loads them. Detection is fingerprint-based, so renamed, bundled or heavily minified libraries may go undetected — a clean report is not proof of absence — and the vulnerability repository (fetched over the network at run time unless a local copy is supplied) only covers what has been catalogued.
Installation
BASH
# npm (CLI). Installs the latest published release; in CI, pin a reviewed
# version (retire@<version>) or run it via npx so the toolchain is reproducible.
npm install -g retire
# Burp Suite extension
# Install from BApp Store: "Retire.js" (flags vulnerable scripts seen in proxied traffic)
# Browser extension
# Available for Chrome and Firefox (flags vulnerable libraries on pages you visit)
Basic Usage
BASH
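# Scan the current directory. The CLI only reads files on disk; it does not
# crawl or fetch URLs itself.
retire
# Scan a specific path (e.g. a deployed web root or a project checkout)
retire --path /var/www/html/
# Scan scripts served by a remote site: there is no URL option, so fetch the
# files first (wget/curl, or a JS crawler such as getJS) and scan the copy.
# NB: an option spelled --js-repo does not exist. --jsrepo does, but it selects
# the vulnerability *database*, not a scan target -- pointing it at a
# target-controlled URL would let that host decide what is reported as vulnerable.
mkdir -p ./target_js
wget -q -P ./target_js https://target.com/js/app.js
retire --path ./target_js/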
Advanced Usage
BASH
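# Machine-readable output (text is the default; other formats: retire --help)
retire --outputformat json --outputpath results.json
# Severity threshold (low | medium | high | critical): findings at or above
# this level fail the run, which is what a CI gate keys on
retire --severity high
# --ignore takes comma-separated *paths* to skip, not library names
retire --ignore vendor/,test/fixtures/
# To suppress a specific library/version, use an ignore file and record why,
# so accepted risk stays reviewable. Example .retireignore.json:
#   [{"component": "jquery", "identifiers": {"version": "1.8.3"},
#     "justification": "not reachable from user input; tracked in TICKET-123"}]
retire --ignorefile .retireignore.json
# Scan node_modules (legacy: recent releases dropped node scanning in favour of
# `npm audit` -- check `retire --help` for your version)
retire --node
# Custom vulnerability repository (URL or local file). This database decides
# what gets flagged, so only point at a source you control or trust, and
# refresh a mirrored copy regularly or new advisories are silently missed.
retire --jsrepo https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json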
Common Workflows
BASH
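# Scan a web app checkout for vulnerable JS, with machine-readable output
retire --path ./target_app/ --outputformat json --outputpath vulns.json

# CI/CD gate: fail the build on anything at or above medium. retire already
# exits non-zero (13 in current releases) when findings meet the threshold;
# --exitwith only changes the code, for pipelines that expect a specific one.
retire --severity medium --exitwith 1

# Remote target: retire has no URL-fetching option (there is no --jsurl), so
# enumerate scripts with getJS, download them to a scratch directory, and scan
# that directory once. Script URLs come from the target's pages and are
# untrusted: check the scheme before handing them to curl (a value starting
# with "-" would otherwise be parsed as an option) and derive safe file names.
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT
echo "https://target.com" | getJS --complete | while IFS= read -r js; do
  [[ "$js" == http://* || "$js" == https://* ]] || continue
  printf 'Fetching: %s\n' "$js"
  fname=$(printf '%s' "$js" | tr -c 'A-Za-z0-9._-' '_')
  # -f: treat HTTP errors as failures; -L: follow redirects. Do not silence
  # stderr -- a failed download is a gap in coverage you want to see.
  curl -fsSL "$js" -o "$tmpdir/$fname" \
    || printf 'warn: could not fetch %s\n' "$js" >&2
done
retire --path "$tmpdir" --outputformat json --outputpath remote_vulns.json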