This is a submission for the GitHub Finish-Up-A-Thon Challenge
GitHub Repo: github.com/AliRana30/EnvArmor
npm Package: npmjs.com/package/envarmor-cli
Live Demo: env-armor.vercel.app
What I Built
Most developers have a secret-leaking story. Mine happened during a late-night push — a .env file slipped past .gitignore, and I caught it only after the commit was already on GitHub. No real damage that time, but the near-miss stuck with me.
The bigger realization came later: with AI coding tools like Cursor and Copilot ingesting entire project directories automatically, the leak surface expanded beyond public repos. A single unignored secret could quietly travel to a third-party AI provider during a normal development session. Nobody talks about that enough.
That's what EnvArmor is built to stop.
It ships as two things: a CLI scanner that hooks into git commit and blocks the push before secrets leave your machine, and a web dashboard where you can track scan history, review financial risk projections tied to real service abuse costs, and manage encrypted variables — without emailing .env files over Slack.
Tech Stack
Web Dashboard
- Framework: Next.js 15 (App Router)
- Database: Prisma ORM + Supabase PostgreSQL
- Auth: Supabase (Magic Links + GitHub OAuth)
- Styling: Vanilla CSS + custom Tailwind (Neo-Brutalist, high-contrast UI)
CLI
- Runtime: TypeScript + Node.js
- Commands: Commander.js, Chalk
- Detection Engine: Regex pattern signatures + Shannon Entropy analysis
- Vault: Local AES-256 encryption before cloud sync
Core Features
- Financial Risk Estimation: When EnvArmor detects a Stripe key, an AWS credential, or an OpenAI token, it doesn't just flag it — it maps it to a real abuse cost range (e.g., $200–$5,000). You see the actual dollar exposure, not just a severity label.
- AI Context Guard: Scans your project and auto-generates context exclusion rules to keep secrets out of Cursor, Copilot, and Claude's context windows during active development.
- Zero Plan Limits: Every account supports unlimited project creation. Useful if you're juggling multiple microservices or monorepos and don't want to hit an arbitrary cap.
- Local-to-Cloud Linking: A .envarmorconfig file or --project CLI flag binds your terminal session directly to the right dashboard project. No manual syncing.
- Encrypted Vault: Variables encrypt on your machine before hitting the cloud. Nothing travels in plaintext.
Demo (Screenshots)
Web Application
Home
An interactive landing page covering EnvArmor's core features, live detection statistics, and links to the docs and dashboard.

Dashboard
The main control panel — real-time scan analytics, secret severity breakdown, active projects, and estimated financial savings from blocked events.

Projects
All linked repositories in one view, with individual scan results, API key status, and active security rules per project.

New Project
A setup wizard to register repository metadata, define project scope, and configure environment policies.

Scan History
A searchable, chronological log of every scan — filenames, severity, leak status, and recommended fixes included.

Vault (Launching as a paid feature)
Encrypted secret storage with rotation schedules and credential access logs.

Settings
Profile details, notification triggers, organization scope, and API token management.

Login / Signup
Magic link or GitHub OAuth. Fast, clean, no friction.

Blog
Security advisories, vulnerability write-ups, and environment configuration best practices.

Realtime User Stats
A live summary card — total secrets detected, financial risk prevented, and onboarding timestamps per user.

CLI Tool
Initialization
npx envarmor init creates the local config, .envarmorignore, and wires up the pre-commit hook.

Login
envarmor login --key <api_key> links your terminal directly to your web profile.

Full Codebase Scan
envarmor scan -all sweeps every project folder for hardcoded secrets, database connection strings, and live API tokens.

AI Tool Protection
Detects and blocks AI agents from reading environment keys during active coding sessions.

Commit Blocking
The pre-commit hook intercepts every git commit, scans the staged diff, and rejects it if any secrets are present.

The Comeback Story
Where the Project Was
Six months ago, EnvArmor was a desktop-only prototype held together with duct tape and good intentions. The core scanner worked. Everything else was broken in ways that weren't obvious until you tried to actually use it.
Split Identity
The codebase lived under two names — the old EnvGuard and the new EnvArmor — simultaneously. Conflicting namespaces, broken directory references, mismatched Prisma schemas, and compilation errors that only appeared at link time. Rebranding sounds simple until half your imports point to the wrong package.
Fake Metrics on the Dashboard
The dashboard showed EST. $0K+ Savings Created across every account. Hardcoded. Static. Not connected to the database at all. The number looked good in a screenshot and meant nothing.
Hard Caps That Broke Real Workflows
The database had hard check constraints that blocked non-premium users from creating more than a few projects. Fine for a single app. Useless for anyone managing microservices or a multi-repo workspace.
Auth That Crashed Silently
No email validation before sending magic links. Supabase's 429 rate limit error surfaced as a raw network crash — no message, no retry guidance, just a broken page. New signups regularly hit this and bounced.
Mobile Was Unusable
Long file paths in the scan tables had no wrapping rules. They pushed severity badges and action buttons completely off-screen. The dashboard was desktop-only in practice, even though it wasn't designed that way.
CTAs That Led Nowhere
Primary call-to-action buttons pointed to # anchors. Clicking "Get Started" on the landing page did nothing. There was also no onboarding guide — new users arrived with no path forward.
Risk Math That Disagreed With Itself
Financial estimates were calculated independently in the dashboard summary, the project detail view, and the activity feed. All three used different logic. All three showed different numbers for the same data.
Where It Is Now
Unified Codebase and Published CLI
Every reference to EnvGuard is gone. Directory names, database schemas, npm package name, component imports, metadata — all standardized under EnvArmor. Version 0.1.1 of envarmor-cli is live on npm and installable with npx envarmor init.
A Savings Engine That Reads Real Data
lib/savings-engine.ts pulls live ScanEvent records from the database and calculates financial exposure using severity-based multipliers. Pre-commit blocked events apply a 10x multiplier automatically — because stopping a secret before it commits is worth more than catching it after. The dashboard now shows numbers that mean something.
No More Project Caps
Hard database constraints replaced with dynamic limits tied to account metadata. Every tier supports unlimited project creation. Building five microservices in parallel no longer requires an upgrade.
Auth That Handles Failure Gracefully
/api/v1/auth/check-email validates registration before any OTP is sent. Supabase 429 errors now return a clear cooldown message with retry timing instead of crashing the page. A developer bypass workflow handles local testing without triggering rate limits.
Mobile That Actually Works
Dashboard grids rebuilt with responsive flex and grid utilities. File paths in scan tables use break-all. Severity badges and action buttons stay on screen at any viewport width. Tested across mobile, tablet, and desktop.
Docs Inside the Dashboard
An interactive CLI Docs page now lives inside the dashboard — installation steps, config options, flag overrides, vault operations. No hunting through a separate README.
One Source of Truth for Risk Math
All financial and risk calculations route through the Savings Engine. Every dashboard surface — summary cards, activity feeds, project detail views, analytics — reads from the same function with the same logic. The numbers agree now.
What Changed, Fixed, or Got Added
- Unified Brand Architecture: Every folder, schema, model, component, and npm reference now points to EnvArmor. The EnvGuard era is gone.
- Live Savings Engine: lib/savings-engine.ts queries real ScanEvent logs, applies severity tiers, and adds the 10x multiplier for pre-commit blocks. Dashboard projections are now live, not hardcoded.
- Auth Preflight Route: /api/v1/auth/check-email runs before OTP delivery. Supabase 429s surface as friendly cooldown messages, not crashes.
- Limitless Projects: Hard caps removed. Unlimited creation across all account tiers.
- Responsive Layouts: break-all on file paths, fluid grid rebuilds on dashboard panels, tested across viewports.
- CLI Docs Hub: Built inside the dashboard — covers init, login, scan flags, vault commands, and project linking.
- Consistent Audit Logs: estimateSavings utility now powers both recent activity logs and project detail views. No more discrepancies.
- Production .gitignore: Filters .envarmor local configs, .venv/, temp scan reports, and build artifacts.
My Experience with GitHub Copilot
I used Copilot throughout this sprint, and the moments where it actually saved time were specific enough to be worth calling out.
Savings Engine Completion
When I wrote the estimateSavings function signature with its severity parameter and return type, Copilot completed the entire multiplier table — CRITICAL: 10x, HIGH: 5x, MEDIUM: 2x, LOW: 1x — in a single suggestion. I adjusted the thresholds, but the structure was right on the first completion. That function is now the single source of truth for every financial figure in the dashboard.
Preflight Route Scaffolding
For the /api/v1/auth/check-email route, Copilot inlined the Supabase admin client lookup, the 429 detection branch, and the JSON error shape in one pass. I only had to wire in the cooldown timer logic and adjust the response messages. A route that would have taken 30 minutes of back-and-forth with docs took about 10.
Shannon Entropy Test Cases
Writing unit tests for the entropy-based secret detector is tedious — you need strings that hover right at the boundary between high-entropy random values and normal code. Copilot generated a solid set of boundary cases I hadn't thought to include: UUID-adjacent strings, base64 padding edge cases, and short tokens that look like secrets but aren't. Several of those cases caught real false positives in the scanner.
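The detection engine and the commit-blocking hook described above, as an added example that is not EnvArmor's own code: regex signatures run first, then a Shannon entropy check on assigned values, over constructed staged-diff lines of the kind the pre-commit hook sees after git diff --cached. The pattern list, the 4.0 bits-per-character threshold, the UUID allow-list and every credential in the sample are assumptions, not values from the project.

```typescript
// Added example (not EnvArmor's own code): regex signatures first, then a
// Shannon-entropy check on assigned values. Patterns and thresholds are assumptions.
export interface Finding { line: number; kind: string; value: string }
const PATTERNS: { kind: string; re: RegExp }[] = [
  { kind: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "stripe-secret", re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/ },
  { kind: "openai-key", re: /\bsk-[0-9A-Za-z]{20,}\b/ },
  // scheme://user:password@host, i.e. a connection string with embedded credentials
  { kind: "connection-string-credential", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:[^\s@\/]+@/ },
];
// KEY=value or "key": "value"; 16+ chars so the entropy estimate means something
const ASSIGN_RE = /(?:^|[\s,{])["']?([A-Za-z_][A-Za-z0-9_]*)["']?\s*[:=]\s*["']?([A-Za-z0-9+\/=_.-]{16,})["']?/;
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Shannon entropy in bits per character (at most log2 of the number of distinct characters).
export function shannonEntropy(s: string): number {
  const freq: Record<string, number> = {};
  for (const ch of s) freq[ch] = (freq[ch] || 0) + 1;
  let h = 0;
  for (const ch in freq) { const p = freq[ch] / s.length; h -= p * (Math.log(p) / Math.LN2); }
  return h;
}
// Scan only the added lines of a unified diff, as a pre-commit hook would after
// "git diff --cached"; removed lines cannot leak, so they are skipped.
export function scanDiff(diff: string, entropyThreshold = 4.0): Finding[] {
  const findings: Finding[] = [];
  diff.split("\n").forEach((raw, i) => {
    if (raw.charAt(0) !== "+" || raw.indexOf("+++") === 0) return;
    const line = raw.slice(1);
    for (const { kind, re } of PATTERNS) {
      const m = line.match(re);
      if (m) { findings.push({ line: i + 1, kind, value: m[0] }); return; }
    }
    const m = line.match(ASSIGN_RE);
    if (!m) return;
    const value = m[2];
    if (UUID_RE.test(value)) return; // UUID-shaped ids: one false-positive class the post mentions
    if (shannonEntropy(value) >= entropyThreshold) findings.push({ line: i + 1, kind: "high-entropy-value", value });
  });
  return findings;
}
// Constructed staged-diff sample; every credential below is fake.
export const SAMPLE_DIFF = [
  "+APP_NAME=envarmor-dashboard",
  "+DATABASE_URL=postgres://app:pass@localhost:5432/app",
  "+STRIPE_SECRET=sk_live_EXAMPLEEXAMPLEEXAMPLEEXAMPLE",
  "+REQUEST_ID=550e8400-e29b-41d4-a716-446655440000",
  "+SESSION_SECRET=q7Zp2LxV9mKa4RtE8nWb3YcJ6uHs1Fd5",
  "-OLD_TOKEN=q7Zp2LxV9mKa4RtE8nWb3YcJ6uHs1Fd5",
].join("\n");
```

On the sample, the connection string, the Stripe-shaped key and the 32-character random session secret are reported, while the UUID, the ordinary app name and the removed line are not.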
Responsive Grid Fixes
When I was patching the mobile overflow issues, I described the problem in a comment — "file paths in scan table overflow on mobile, need break-all with flex wrap on action column" — and Copilot suggested the full Tailwind class combination, including the min-w-0 fix on the flex child that actually solved the overflow. That one I wouldn't have found without digging through docs.
Final Outcome
EnvArmor went from a prototype that worked in one narrow scenario to a platform you can actually ship a project with.
It now delivers:
- Pre-commit secret blocking with Shannon Entropy + Regex detection
- Live financial risk projections tied to real scan data
- AI context window protection for Cursor, Copilot, and Claude
- Responsive dashboard across mobile, tablet, and desktop
- Reliable auth with rate-limit protection and email validation
- Unlimited project creation across all account tiers
- Published CLI (envarmor-cli on npm)
- Consistent risk math across every dashboard surface
The secret-leaking story I mentioned at the start? EnvArmor would have caught it at the pre-commit hook — before the push, before the panic, before the late-night token rotation. That's the version worth shipping.