7xmohamed

Stop Sharing Env Files: A Safer Way to Manage Configurations in Node

When working in a team, we have all seen the message: "Can someone DM me the staging env keys?"

Pasting credentials into Slack, Discord, or Teams is a security risk. If a token is leaked in chat history, it remains searchable forever.

Instead of sharing env files, you should share an env schema. A schema defines the required keys, types, and defaults, but contains none of the actual secrets.

Here is how to set up schema validation in under 2 minutes:

  1. Install the validator:
    npm install -g envlint

  2. Generate a schema from your existing environment:
    envlint init

This creates a .env.schema file. It looks like this:
    PORT optional type=port default=3000
    DATABASE_URL required type=string
    DEBUG_MODE optional type=boolean default=false

  3. Commit the schema file to Git. Your teammates can now validate their local setups by running:
    envlint check

  4. Compare environments safely:
    If you need to check if your local setup matches production, run:
    envlint diff .env .env.production

The tool will print a table showing which keys are present or missing, but it will never print the actual values. You can copy-paste the output to your team chat without leaking any credentials.

You can also run it in your CI pipeline to catch missing variables before your code builds.
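
To make the idea concrete, here is an added Node example (not envlint's code and not part of the original post) that parses the schema lines shown above and validates an env object, reporting only key names and reasons. The function names, the string fallback when type= is missing, and the sample env are assumptions made for the illustration.

```javascript
// Added example, not envlint's source: parse the schema lines shown above and
// check an env object, reporting key names and reasons but never values.
const TYPE_CHECKS = new Map([
  ['string', (v) => v.length > 0],
  ['boolean', (v) => v === 'true' || v === 'false'],
  ['port', (v) => /^\d+$/.test(v) && Number(v) >= 1 && Number(v) <= 65535],
]);

function parseSchema(text) {
  return text.split('\n').map((l) => l.trim()).filter(Boolean).map((line) => {
    const [key, presence, ...attrs] = line.split(/\s+/);
    if (presence !== 'required' && presence !== 'optional') {
      throw new Error(`schema: ${key} needs "required" or "optional"`);
    }
    // Assumption: a rule without type= is treated as a string.
    const rule = { key, required: presence === 'required', type: 'string' };
    for (const attr of attrs) {
      const eq = attr.indexOf('=');
      if (eq < 0) continue;
      const name = attr.slice(0, eq);
      if (name === 'type') rule.type = attr.slice(eq + 1);
      if (name === 'default') rule.default = attr.slice(eq + 1);
    }
    if (!TYPE_CHECKS.has(rule.type)) throw new Error(`schema: ${key} has unknown type`);
    return rule;
  });
}

function checkEnv(rules, env) {
  const problems = [];
  for (const rule of rules) {
    const value = env[rule.key] ?? rule.default;
    if (value === undefined || value === '') {
      if (rule.required) problems.push(`${rule.key}: missing (required)`);
    } else if (!TYPE_CHECKS.get(rule.type)(value)) {
      problems.push(`${rule.key}: not a valid ${rule.type}`);
    }
  }
  return problems;
}

// The schema from this post, plus a constructed env with placeholder values.
const SCHEMA = `PORT optional type=port default=3000
DATABASE_URL required type=string
DEBUG_MODE optional type=boolean default=false`;
const SAMPLE_ENV = { PORT: '99999', DEBUG_MODE: 'yes' };

console.log(checkEnv(parseSchema(SCHEMA), SAMPLE_ENV).join('\n'));
```

Because each message is built from the key name and the rule alone, the output can be pasted into chat or CI logs without exposing what the variable contained.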

Code and documentation: https://github.com/7xmohamed/envlint

Top comments (1)

Theo Ephraim

I think varlock.dev is what you’re looking for :)

Similar to what you’ve built but very complete and mature. Check it out! Open source too so happy to have more contributors.