Stop Leaking Secrets: How EnvGuard Catches API Keys in Your .env Files
Every year, thousands of API keys and secrets are accidentally pushed to GitHub. EnvGuard is a zero-dependency CLI tool that catches them before it's too late.
The Problem
We've all been there — you're rushing to deploy, push your code, and suddenly realize your .env file containing AWS keys, database passwords, and GitHub tokens just went public. By the time you notice, automated scrapers have already harvested your credentials.
According to GitHub's own research, over 1.7 million secrets were leaked on the platform in a single year. The average cost of rotating a compromised key? Hours of downtime and thousands of dollars.
Meet EnvGuard
EnvGuard is an all-in-one CLI tool for environment variable validation, security scanning, and documentation generation. It's built with zero external dependencies — pure Node.js, no supply chain risk.
```bash
npm install -g @anhuijie/envguard
```
The Security Scanner That Catches What You Miss
Let's say you have a .env file like this:
```env
# .env
NODE_ENV=production
DATABASE_URL=postgres://admin:s3cretP@ss@db.example.com:5432/mydb
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_live_51Hxxxxxxxxxxxxxxxxxxxxxx
APP_SECRET=my-super-secret-jwt-key-2024
```
Run the scanner:
```bash
envguard check
```
Output:
```text
🔍 Scanning environment variables for secrets...
🔴 CRITICAL: AWS Access Key detected in "AWS_ACCESS_KEY_ID"
🔴 CRITICAL: GitHub Token detected in "GITHUB_TOKEN"
🔴 CRITICAL: Stripe Key detected in "STRIPE_SECRET_KEY"
🔴 CRITICAL: Database URL with Password detected in "DATABASE_URL"
🟠 HIGH: JWT Secret detected in "APP_SECRET"
📊 Summary: 5 findings (4 critical, 1 high)
```
What It Detects
| Secret Type | Severity | Pattern |
|---|---|---|
| AWS Access Key | Critical | AKIA prefix + 16 alphanumeric chars |
| AWS Secret Key | Critical | aws + secret/key context |
| GitHub Token | Critical | ghp_ / ghs_ prefix |
| GitLab Token | Critical | glpat- prefix |
| Slack Token | Critical | xoxb- / xoxp- prefix |
| Stripe Live Key | Critical | sk_live_ prefix |
| Private Key | Critical | -----BEGIN PRIVATE KEY----- |
| JWT Secret | High | jwt + secret/key context |
| Database URL with Password | High | Connection string with embedded credentials |
| Generic API Key / Password / Secret | High/Medium | Common key name patterns |
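To make the table concrete, here is a small scanner that implements those prefix and context rules over a parsed .env file. This is an added example written for this post, not EnvGuard's own code; the regexes, the rule ordering (first match wins, one finding per variable) and the severities (taken from the table) are my assumptions about how such rules could be expressed, and the sample .env is the one from the post with placeholder values.

```javascript
// Added example (not EnvGuard's code): a minimal .env secret scanner implementing the table above.
const RULES = [
  // Value-format rules: the secret's shape alone identifies it
  { type: 'AWS Access Key', severity: 'critical', value: /\bAKIA[0-9A-Z]{16}\b/ },
  { type: 'GitHub Token', severity: 'critical', value: /\bgh[ps]_[A-Za-z0-9]{20,}/ },
  { type: 'GitLab Token', severity: 'critical', value: /\bglpat-[A-Za-z0-9_-]{10,}/ },
  { type: 'Slack Token', severity: 'critical', value: /\bxox[bp]-[A-Za-z0-9-]{10,}/ },
  { type: 'Stripe Live Key', severity: 'critical', value: /\bsk_live_[A-Za-z0-9]{10,}/ },
  { type: 'Private Key', severity: 'critical', value: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
  { type: 'Database URL with Password', severity: 'high', value: /^[a-z][a-z0-9+.-]*:\/\/[^:\/@\s]+:[^@\/\s]+@/i },
  // Context rules: every regex must match somewhere in "NAME=value"
  { type: 'AWS Secret Key', severity: 'critical', context: [/aws/i, /secret|key/i] },
  { type: 'JWT Secret', severity: 'high', context: [/jwt/i, /secret|key/i] },
  { type: 'Generic API Key / Password / Secret', severity: 'medium', context: [/api[_-]?key|password|secret/i] },
];
// Parse dotenv text into { NAME: value }; comments, blanks and malformed lines are skipped.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1); // strip matching quotes
    vars[m[1]] = value;
  }
  return vars;
}
// First matching rule wins, so each variable yields at most one finding.
function scanForSecrets(vars) {
  const findings = [];
  for (const [name, value] of Object.entries(vars)) {
    const ctx = `${name}=${value}`;
    const rule = RULES.find((r) =>
      r.value ? r.value.test(value) : r.context.every((re) => re.test(ctx)));
    if (rule) findings.push({ name, type: rule.type, severity: rule.severity });
  }
  return findings;
}
// Constructed sample: the post's own .env (placeholder values, not real credentials).
const SAMPLE_ENV = `# .env
NODE_ENV=production
DATABASE_URL=postgres://admin:s3cretP@ss@db.example.com:5432/mydb
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
STRIPE_SECRET_KEY=sk_live_51Hxxxxxxxxxxxxxxxxxxxxxx
APP_SECRET=my-super-secret-jwt-key-2024`;
console.log(scanForSecrets(parseEnv(SAMPLE_ENV)));
```

Note that the findings carry the variable name and type but never the matched value, so the scanner's own output cannot become a second leak when it lands in CI logs.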
Beyond Scanning: Full Environment Safety
Security scanning is just one piece. EnvGuard also provides:
Schema Validation
Define what your environment variables should look like:
```javascript
// envguard.config.js
module.exports = {
  schema: {
    NODE_ENV: {
      required: true,
      type: 'string',
      enum: ['development', 'staging', 'production', 'test'],
    },
    PORT: {
      required: false,
      type: 'port',
      default: '3000',
    },
    DATABASE_URL: {
      required: true,
      type: 'url',
    },
  },
};
```
```bash
envguard validate
```
Catches missing required variables, wrong types, invalid ports, and more — before your app crashes in production.
Auto Documentation
```bash
envguard docs
```
Generates .env.example and ENV.md from your schema, so your team always knows which variables are needed.
Environment Diff
```bash
envguard diff .env.development .env.production
```
Compare .env files across environments to find configuration drift before it causes issues.
CI/CD Integration
Add EnvGuard to your GitHub Actions pipeline:
```yaml
name: Env Safety Check
on: [push, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g @anhuijie/envguard
      - name: Validate environment config
        run: envguard validate
      - name: Security scan
        run: envguard check
```
The command exits with code 1 on validation errors or critical findings, failing the build and preventing secrets from reaching production.
Programmatic API
Use EnvGuard in your own tools:
```javascript
const { validateEnv, scanForSecrets, generateEnvExample } = require('@anhuijie/envguard');
// Reuse the schema defined in envguard.config.js
const { schema } = require('./envguard.config');

// Validate
const result = validateEnv(process.env, schema);
if (!result.valid) {
  console.error('Invalid config:', result.errors);
}

// Scan
const secrets = scanForSecrets(process.env);
if (secrets.hasCritical) {
  throw new Error('Critical secrets detected!');
}

// Generate docs
const example = generateEnvExample(schema);
```
Why EnvGuard?
| Feature | EnvGuard | dotenv | convict | env-schema |
|---|---|---|---|---|
| Schema Validation | ✅ | ❌ | ✅ | ✅ |
| Secret Scanning | ✅ | ❌ | ❌ | ❌ |
| Auto Documentation | ✅ | ❌ | ❌ | ❌ |
| Environment Diff | ✅ | ❌ | ❌ | ❌ |
| Zero Dependencies | ✅ | ❌ | ❌ | ❌ |
| CLI + API | ✅ | ❌ | ❌ | ❌ |
Get Started
```bash
# Install globally
npm install -g @anhuijie/envguard

# Or use without installing
npx @anhuijie/envguard init
npx @anhuijie/envguard validate
npx @anhuijie/envguard check
```
Links:
- GitHub: https://github.com/AnhuiJie/envguard
- npm: https://www.npmjs.com/package/@anhuijie/envguard
- License: MIT
Found this useful? Star the repo on GitHub — it helps others discover it too!
Top comments (3)
Check out varlock.dev - it is a mature solution that will solve your problems, and does a lot more -- like loading from various backends using plugins, and additional security guardrails like leak detection and log redaction.
Sidenote - search GitHub for "envguard" - there are literally hundreds of vibe-coded repos popping up solving this problem. Search just this site - there are a few that popped up in the last few months.
Thanks for the recommendation, Theo! I'll check out varlock.dev — it looks like a solid, mature solution for teams that need full-featured config management with backend plugins and log redaction.
EnvGuard takes a different approach: it's intentionally minimal and zero-dependency. No runtime, no plugins, no backend integration — just a lightweight CLI you can drop into any project in seconds. The focus is on catching secrets before they reach production, not on managing how configs are loaded.
The "vibe coded repos" phenomenon is actually a sign that this problem matters to a lot of developers. The difference with EnvGuard is that it's a real, maintained project with a clear roadmap (multi-language support, plugin system, IDE integration) — not a weekend experiment.
Different tools for different needs. If you need enterprise-grade config management, varlock.dev is great. If you need a quick, audit-friendly security scan before pushing to GitHub, EnvGuard is designed for that.
I agree that the volume of vibe-coded solutions is a sign that it's a real problem. I do wish more folks would do a bit more research before jumping in and trying to reinvent the wheel though 🤣
No shade and no judgement about your project. Just pointing out the name "envguard" is extremely popular these days, so if this is a real project you intend to continue building, you may want to pick a more unique name.
Our goal with varlock is that it makes as much sense to use on a tiny solo experiment as it does on a big enterprise project.
Anyway good luck with your project :)