It happened on a Tuesday morning.
I pushed a commit, went to get coffee, came back to find an AWS bill alert for $847. A crypto miner had been running on my dime for six hours — because my .env file with real AWS keys had just been committed to a public GitHub repo.
I rotated the keys, cleaned up the history with git filter-branch, filed a support ticket with AWS (they were actually great about it), and spent the rest of the day feeling sick.
That was the day I decided to build EnvGuard.
What EnvGuard does
EnvGuard is a CLI tool that audits your .env files and catches dangerous secrets before they make it into git.
npm install -g envguard
envguard audit
It detects:
- 🔴 AWS Access Key IDs and Secret Keys
- 🔴 Stripe live/test secret keys
- 🔴 GitHub tokens (ghp_, ghs_, ghx_, etc.)
- 🔴 Slack tokens and webhook URLs
- 🔴 Database URLs with embedded credentials (postgres://user:pass@host)
- 🔴 PEM private keys
- 🟠 JWT tokens
- 🟡 Generic API keys
- ⚠️ Weak placeholder values (changeme, password, secret, etc.)
It also checks:
- Whether your .env file is tracked by git (the big one)
- Whether it's missing from .gitignore
Example output
╔══════════════════════════════════════════════╗
║            EnvGuard Audit Report             ║
╚══════════════════════════════════════════════╝
File: .env
Variables found: 8
Git tracked: ⚠️ YES (danger!)
In .gitignore: ⚠️ No
🔴 [CRITICAL] This file is tracked by git!
→ Fix: git rm --cached .env && echo ".env" >> .gitignore
🔴 [CRITICAL] Possible AWS Access Key ID in "AWS_ACCESS_KEY_ID" (line 4)
→ Fix: Rotate this credential immediately if real
⚠️ [WARN] Weak value for "JWT_SECRET": looks like a placeholder
→ Fix: Replace with a strong, randomly generated value
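To make the checks listed above concrete, here is an added example (not EnvGuard's own code): a small JavaScript auditor that covers a subset of the listed secret types and runs over a constructed .env sample. The rule ids, severities, regexes and function names are assumptions made for illustration.

```javascript
// Added example, not EnvGuard's source: rule ids, severities and regexes are assumptions.
const RULES = [
  { id: "aws-access-key-id", severity: "critical", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: "github-token", severity: "critical", re: /\bgh[a-z]_[A-Za-z0-9]{36,}\b/ },
  { id: "stripe-secret-key", severity: "critical", re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/ },
  // scheme://user:password@host ; a bare host:port has no "@" and does not match
  { id: "db-url-credentials", severity: "critical", re: /^[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:[^\s@\/]+@/i },
  { id: "pem-private-key", severity: "critical", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];
const WEAK_VALUES = new Set(["changeme", "password", "secret"]);

// Parse KEY=VALUE lines, skipping blanks and comments; keep 1-based line numbers.
function parseEnv(text) {
  const vars = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(raw);
    if (!m) return; // blank, comment or malformed line
    const quoted = /^(["'])(.*)\1\s*$/.exec(m[2]);
    const value = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, "").trim();
    vars.push({ key: m[1], value, line: i + 1 });
  });
  return vars;
}

// One finding per variable: the first matching secret rule, else a weak-value warning.
function audit(text) {
  const findings = [];
  for (const { key, value, line } of parseEnv(text)) {
    const rule = RULES.find((r) => r.re.test(value));
    if (rule) findings.push({ key, line, rule: rule.id, severity: rule.severity });
    else if (WEAK_VALUES.has(value.toLowerCase()))
      findings.push({ key, line, rule: "weak-placeholder", severity: "warn" });
  }
  return findings;
}

// Strict-mode idea: non-zero exit code when any critical finding exists.
const strictExitCode = (findings) => (findings.some((f) => f.severity === "critical") ? 1 : 0);
// Constructed sample; none of these values are real credentials.
const SAMPLE = [
  "# local settings",
  "NODE_ENV=production",
  "API_URL=https://api.example.com:8443/v1",
  "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12",
  'DATABASE_URL="postgres://app:not-a-real-pass@db.example.com:5432/app"',
  "JWT_SECRET=changeme",
  "GITHUB_TOKEN=ghp_" + "x".repeat(36),
].join("\n");
for (const f of audit(SAMPLE)) console.log(`[${f.severity}] ${f.rule} in "${f.key}" (line ${f.line})`);
```

The API_URL line is in the sample to show that a plain host:port URL is not reported as a credential-bearing database URL.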
Generate a safe .env.example
envguard example
Strips all values, leaves just the keys — safe to commit as a template for your team.
CI / pre-commit hooks
# .git/hooks/pre-commit
envguard audit --strict
Exits with code 1 if any high/critical issues are found, which stops the commit before it happens.
Why $12?
I'm selling it for $12 as a one-time purchase. Cheap enough that it's an obvious yes for any developer, and it keeps the lights on so I can keep improving it.
If you've ever had to rotate credentials at 2am or explain to your boss why the AWS bill tripled, you know it's worth it.
→ Get EnvGuard on Gumroad — $12, includes all future updates.
Feedback welcome in the comments — especially if there's a secret type you want me to add detection for.