npx envguard secrets .env
$ envguard secrets .env

⚠ Secret detected in .env:
  Line 3: AWS_ACCESS_KEY_ID
    Pattern: AWS Access Key ID (AKIA...)
  Line 4: AWS_SECRET_ACCESS_KEY
    Pattern: AWS Secret Access Key (40 chars, base64)
  Line 7: GITHUB_TOKEN
    Pattern: GitHub Token (ghp_...)

Found 3 secrets. Values have been redacted.
Exit code: 1
envguard check .env .env.example
$ envguard check .env .env.example
✓ DATABASE_URL
✗ REDIS_URL ← missing
+ STRIPE_KEY ← extra (not in .env.example)
! PORT ← empty value

3 issues found.
Exit code: 1
# .env.example
DATABASE_URL= # @required @type url
PORT=3000 # @type number
DEBUG=false # @type boolean
ADMIN_EMAIL= # @type email
FEATURE_FLAGS= # @type json
envguard validate .env .env.example
# .github/workflows/deploy.yml
steps:
  - uses: actions/checkout@v4
  - name: Check env vars are complete
    run: npx envguard check .env .env.example
  - name: Validate env types
    run: npx envguard validate .env .env.example
  - name: Scan for leaked secrets
    run: npx envguard secrets .env
  - name: Deploy
    run: ./deploy.sh
# .github/workflows/pr.yml
steps:
  - uses: actions/checkout@v4
  - name: Ensure no secrets in env files
    run: npx envguard secrets
# Scan for secrets
npx envguard secrets

# Check env completeness
npx envguard check

# Full validation with types
npx envguard validate

# Generate .env.example from existing .env
npx envguard init

- AWS keys (AKIA...) in public npm packages
- GitHub personal access tokens (ghp_...) committed in monorepos
- Database URLs with passwords in Stack Overflow questions (screenshots, but still)
- Private keys embedded in Docker build contexts

- AWS Access Key IDs (AKIA...)
- AWS Secret Access Keys
- GitHub Tokens (ghp_, ghs_)
- Generic API Keys (20+ chars, high-entropy strings)
- Generic Tokens (32+ chars)
- Private Keys (-----BEGIN ... PRIVATE KEY-----)
- JWTs (eyJ...)

- Missing keys — variables expected but not set
- Extra keys — variables set but not documented
- Empty values — keys that exist but have no value

- git-secrets scans your git history for patterns. It's preventive but doesn't check your current working directory.
- trufflehog scans repos and orgs for leaked credentials. It's an audit tool.
- detect-secrets by Yelp is similar — great for scanning repos.
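
The detection categories listed above (AKIA... key IDs, 40-character AWS secrets, ghp_/ghs_ tokens, private key headers, JWTs, high-entropy generic keys) can be sketched as a small line scanner. This is an added example, not envguard's own code: the regexes, the 4.0 bits/char entropy cutoff, and the names `classify` and `scanEnv` are assumptions, and the sample input is constructed.

```javascript
// Added illustration, not envguard's source. Regexes and the entropy cutoff are assumptions.
const PATTERNS = [
  ["AWS Access Key ID", /^AKIA[0-9A-Z]{16}$/],
  ["GitHub Token", /^gh[ps]_[A-Za-z0-9]{36,}$/],
  ["AWS Secret Access Key", /^[A-Za-z0-9+\/]{40}$/],
  ["Private Key", /-----BEGIN [A-Z ]*PRIVATE KEY-----/],
  ["JWT", /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/],
];

// Shannon entropy in bits per character; random keys score high, repeated text low.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

function classify(value) {
  for (const [name, re] of PATTERNS) if (re.test(value)) return name;
  // Generic fallback: 20+ chars from a key-like alphabet with high entropy.
  if (/^[A-Za-z0-9+\/=_-]{20,}$/.test(value) && entropy(value) >= 4.0) return "Generic API Key";
  return null;
}

// Returns findings with line number, key and pattern name only; the value is never included.
function scanEnv(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return; // comment, blank line, or not KEY=VALUE
    const value = m[2].trim().replace(/^(['"])(.*)\1$/, "$2");
    const pattern = value ? classify(value) : null;
    if (pattern) findings.push({ line: i + 1, key: m[1], pattern });
  });
  return findings;
}

// Constructed sample input (AWS values are the documentation examples; the token is made up).
const SAMPLE = [
  "# app config",
  "PORT=3000",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "DATABASE_URL=postgres://localhost:5432/app",
  "DEBUG=false",
  'GITHUB_TOKEN="ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',
].join("\n");

for (const f of scanEnv(SAMPLE)) console.log(`Line ${f.line}: ${f.key} (${f.pattern})`);
```

Specific patterns are tried before the entropy fallback so that a finding names the credential type, and findings carry only the line, key and pattern so the report itself cannot leak the value.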