DEV Community: AnhuiJie The latest articles on DEV Community by AnhuiJie (@anhuijie). https://dev.to/anhuijie https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3965585%2F9e0e6b08-4de6-49fd-9f4e-cf8116c5b786.png DEV Community: AnhuiJie https://dev.to/anhuijie en Stop Leaking Secrets: How EnvGuard Catches API Keys in Your .env Files AnhuiJie Wed, 03 Jun 2026 03:05:15 +0000 https://dev.to/anhuijie/stop-leaking-secrets-how-envguard-catches-api-keys-in-your-env-files-511j https://dev.to/anhuijie/stop-leaking-secrets-how-envguard-catches-api-keys-in-your-env-files-511j <h1> Stop Leaking Secrets: How EnvGuard Catches API Keys in Your .env Files </h1> <blockquote> <p>Every year, thousands of API keys and secrets are accidentally pushed to GitHub. EnvGuard is a zero-dependency CLI tool that catches them before it's too late.</p> </blockquote> <h2> The Problem </h2> <p>We've all been there — you're rushing to deploy, push your code, and suddenly realize your <code>.env</code> file containing AWS keys, database passwords, and GitHub tokens just went public. By the time you notice, automated scrapers have already harvested your credentials.</p> <p>According to GitHub's own research, <strong>over 1.7 million secrets</strong> were leaked on the platform in a single year. The average time to rotate a compromised key? <strong>Hours of downtime and thousands of dollars.</strong></p> <h2> Meet EnvGuard </h2> <p><strong>EnvGuard</strong> is an all-in-one CLI tool for environment variable validation, security scanning, and documentation generation. It's built with zero external dependencies — pure Node.js, no supply chain risk.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> @anhuijie/envguard </code></pre> </div> <h2> The Security Scanner That Catches What You Miss </h2> <p>Let's say you have a <code>.env</code> file like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># .env NODE_ENV=production DATABASE_URL=postgres://admin:s3cretP@ss@db.example.com:5432/mydb AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx STRIPE_SECRET_KEY=sk_live_51Hxxxxxxxxxxxxxxxxxxxxxx APP_SECRET=my-super-secret-jwt-key-2024 </code></pre> </div> <p>Run the scanner:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard check </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>🔍 Scanning environment variables for secrets... 🔴 CRITICAL: AWS Access Key detected in "AWS_ACCESS_KEY_ID" 🔴 CRITICAL: GitHub Token detected in "GITHUB_TOKEN" 🔴 CRITICAL: Stripe Key detected in "STRIPE_SECRET_KEY" 🔴 CRITICAL: Database URL with Password detected in "DATABASE_URL" 🟠 HIGH: JWT Secret detected in "APP_SECRET" 📊 Summary: 5 findings (4 critical, 1 high) </code></pre> </div> <h3> What It Detects </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Secret Type</th> <th>Severity</th> <th>Pattern</th> </tr> </thead> <tbody> <tr> <td>AWS Access Key</td> <td>Critical</td> <td> <code>AKIA</code> prefix + 16 alphanumeric chars</td> </tr> <tr> <td>AWS Secret Key</td> <td>Critical</td> <td>aws + secret/key context</td> </tr> <tr> <td>GitHub Token</td> <td>Critical</td> <td> <code>ghp_</code> / <code>ghs_</code> prefix</td> </tr> <tr> <td>GitLab Token</td> <td>Critical</td> <td> <code>glpat-</code> prefix</td> </tr> <tr> <td>Slack Token</td> <td>Critical</td> <td> <code>xoxb-</code> / <code>xoxp-</code> prefix</td> </tr> <tr> <td>Stripe Live Key</td> <td>Critical</td> <td> <code>sk_live_</code> prefix</td> </tr> <tr> <td>Private Key</td> <td>Critical</td> <td><code>-----BEGIN PRIVATE KEY-----</code></td> </tr> <tr> <td>JWT Secret</td> <td>High</td> <td>jwt + secret/key context</td> </tr> <tr> <td>Database URL with Password</td> <td>High</td> <td>Connection string with embedded credentials</td> </tr> <tr> <td>Generic API Key / Password / Secret</td> <td>High/Medium</td> <td>Common key name patterns</td> </tr> </tbody> </table></div> <h2> Beyond Scanning: Full Environment Safety </h2> <p>Security scanning is just one piece. EnvGuard also provides:</p> <h3> Schema Validation </h3> <p>Define what your environment variables should look like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// envguard.config.js</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">schema</span><span class="p">:</span> <span class="p">{</span> <span class="na">NODE_ENV</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span><span class="p">,</span> <span class="na">enum</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">staging</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">test</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="na">PORT</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">port</span><span class="dl">'</span><span class="p">,</span> <span class="na">default</span><span class="p">:</span> <span class="dl">'</span><span class="s1">3000</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">DATABASE_URL</span><span class="p">:</span> <span class="p">{</span> <span class="na">required</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard validate </code></pre> </div> <p>Catches missing required variables, wrong types, invalid ports, and more — before your app crashes in production.</p> <h3> Auto Documentation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard docs </code></pre> </div> <p>Generates <code>.env.example</code> and <code>ENV.md</code> from your schema, so your team always knows which variables are needed.</p> <h3> Environment Diff </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard diff .env.development .env.production </code></pre> </div> <p>Compare <code>.env</code> files across environments to find configuration drift before it causes issues.</p> <h2> CI/CD Integration </h2> <p>Add EnvGuard to your GitHub Actions pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Env Safety Check</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">check</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install -g @anhuijie/envguard</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Validate environment config</span> <span class="na">run</span><span class="pi">:</span> <span class="s">envguard validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Security scan</span> <span class="na">run</span><span class="pi">:</span> <span class="s">envguard check</span> </code></pre> </div> <p>The command exits with code <code>1</code> on validation errors or critical findings, failing the build and preventing secrets from reaching production.</p> <h2> Programmatic API </h2> <p>Use EnvGuard in your own tools:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">validateEnv</span><span class="p">,</span> <span class="nx">scanForSecrets</span><span class="p">,</span> <span class="nx">generateEnvExample</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@anhuijie/envguard</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Validate</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nf">validateEnv</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">,</span> <span class="nx">schema</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">valid</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid config:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">errors</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Scan</span> <span class="kd">const</span> <span class="nx">secrets</span> <span class="o">=</span> <span class="nf">scanForSecrets</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">secrets</span><span class="p">.</span><span class="nx">hasCritical</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Critical secrets detected!</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Generate docs</span> <span class="kd">const</span> <span class="nx">example</span> <span class="o">=</span> <span class="nf">generateEnvExample</span><span class="p">(</span><span class="nx">schema</span><span class="p">);</span> </code></pre> </div> <h2> Why EnvGuard? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>EnvGuard</th> <th>dotenv</th> <th>convict</th> <th>env-schema</th> </tr> </thead> <tbody> <tr> <td>Schema Validation</td> <td>✅</td> <td>❌</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Secret Scanning</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>Auto Documentation</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>Environment Diff</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>Zero Dependencies</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> <tr> <td>CLI + API</td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> </tbody> </table></div> <h2> Get Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install globally</span> npm <span class="nb">install</span> <span class="nt">-g</span> @anhuijie/envguard <span class="c"># Or use without installing</span> npx @anhuijie/envguard init npx @anhuijie/envguard validate npx @anhuijie/envguard check </code></pre> </div> <p><strong>Links:</strong></p> <ul> <li>GitHub: <a href="https://github.com/AnhuiJie/envguard" rel="noopener noreferrer">https://github.com/AnhuiJie/envguard</a> </li> <li>npm: <a href="https://www.npmjs.com/package/@anhuijie/envguard" rel="noopener noreferrer">https://www.npmjs.com/package/@anhuijie/envguard</a> </li> <li>License: MIT</li> </ul> <p><em>Found this useful? Star the repo on <a href="https://github.com/AnhuiJie/envguard" rel="noopener noreferrer">GitHub</a> — it helps others discover it too!</em></p> security node opensource devops