DEV Community: Daniel The latest articles on DEV Community by Daniel (@danielox_83). https://dev.to/danielox_83 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3775594%2F02087504-dd83-43b9-b0d1-370edf0be9b0.png DEV Community: Daniel https://dev.to/danielox_83 en How to Prevent 'Undefined Environment Variable' Errors in Production (+ CI/CD Integration) Daniel Mon, 16 Feb 2026 11:42:47 +0000 https://dev.to/danielox_83/how-to-prevent-undefined-environment-variable-errors-in-production-cicd-integration-1d8b https://dev.to/danielox_83/how-to-prevent-undefined-environment-variable-errors-in-production-cicd-integration-1d8b <p>We've all been there - your Node.js app works perfectly locally, you deploy to production, and suddenly:</p> <p><code>Error: Cannot read property 'API_KEY' of undefined</code></p> <p>Or worse - your app starts but silently fails because <code>process.env.DATABASE_URL</code> is undefined, and you only notice when users start complaining.</p> <p>Here's how to catch these issues before they reach production.</p> <h2> The Problem </h2> <p>Environment variables are essential for Node.js apps, but they're easy to mess up:</p> <ul> <li> <strong>Typos</strong>: <code>process.env.API_KEy</code> instead of <code>process.env.API_KEY</code> </li> <li> <strong>Unused variables</strong> cluttering your .env file (security risk)</li> <li> <strong>Missing variables</strong> in production that exist locally</li> <li> <strong>Variables defined but never used</strong> (confusing for new team members)</li> <li> <strong>AWS Secrets Manager mismatches</strong> - your code expects variables that don't exist in Parameter Store</li> </ul> <h3> Real-World Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In your code</span> <span class="kd">const</span> <span class="nx">dbHost</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AURORA_HOST</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">dbPort</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AURORA_PORT</span><span class="p">;</span> <span class="c1">// In your serverless.yml</span> <span class="nl">environment</span><span class="p">:</span> <span class="nl">AURORA_HOST</span><span class="p">:</span> <span class="nx">$</span><span class="p">{</span><span class="nl">self</span><span class="p">:</span><span class="nx">custom</span><span class="p">.</span><span class="nx">secrets_AURORA</span><span class="p">.</span><span class="nx">host</span><span class="p">}</span> <span class="nl">AURORA_PORT</span><span class="p">:</span> <span class="nx">$</span><span class="p">{</span><span class="nl">self</span><span class="p">:</span><span class="nx">custom</span><span class="p">.</span><span class="nx">secrets_AURORA</span><span class="p">.</span><span class="nx">port</span><span class="p">}</span> <span class="c1">// But did you actually create those nested keys in AWS Secrets Manager?</span> <span class="c1">// You won't know until deployment fails... 💥</span> </code></pre> </div> <h2> Solutions </h2> <h3> Manual Approach </h3> <p>Create a checklist, review .env files before each deployment, manually verify AWS resources... boring, error-prone, and doesn't scale.</p> <h3> Automated Verification </h3> <p>I built a tool to automate this (because I kept making these mistakes):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> @danielszlaski/envguard envguard scan </code></pre> </div> <p><strong>What it catches:</strong></p> <p>✅ Variables used in code but not defined<br><br> ✅ Variables defined but never used<br><br> ✅ Typos in variable names<br><br> ✅ Missing fallback handling </p> <p><strong>Example output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>❌ Missing Variables: • DATABASE_URL (used in src/db/connection.js:12) • API_KEY (used in src/services/api.js:8) ⚠ Unused Variables: • OLD_LEGACY_VAR (defined in .env but never used) </code></pre> </div> <h2> Taking It Further: CI/CD Integration </h2> <p>Finding issues on your laptop is good. <strong>Preventing them from reaching your repo is better.</strong></p> <h3> Git Hooks (Pre-Commit/Pre-Push) </h3> <p>The pro version includes automatic Git hook installation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install pre-commit hook</span> envguard install-hook <span class="c"># Install pre-push hook instead</span> envguard install-hook <span class="nt">--type</span> pre-push </code></pre> </div> <p>Now every commit/push automatically runs validation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Running envguard scan... ❌ Missing Variables: • NEW_FEATURE_FLAG (used in src/features/new.js:5) Pre-commit hook failed. Fix the issues above or use --no-verify to skip. </code></pre> </div> <h3> GitHub Actions / CI Pipeline </h3> <p>Add to your <code>.github/workflows/ci.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Validate Environment Variables</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npm install -g @danielszlaski/envguard</span> <span class="s">envguard scan --ci</span> </code></pre> </div> <p>The <code>--ci</code> flag makes the command exit with code 1 if issues are found, failing your pipeline.</p> <h3> SARIF Output for GitHub Security Tab </h3> <p>For compliance and security tracking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard scan <span class="nt">--format</span> sarif <span class="nt">--output</span> results.sarif </code></pre> </div> <p>Then upload to GitHub Security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload SARIF results</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">results.sarif</span> </code></pre> </div> <p>Now environment variable issues appear in your Security tab alongside other vulnerabilities.</p> <h2> AWS Integration: The Missing Piece </h2> <p>Here's a scenario I've seen too many times:</p> <ol> <li>You define variables in <code>serverless.yml</code> referencing AWS Secrets Manager</li> <li>You deploy successfully (because Serverless just reads the config)</li> <li>Your app starts but <strong>crashes at runtime</strong> because the secrets don't exist in AWS</li> </ol> <h3> Solution: Pre-Deployment AWS Validation </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Validate that AWS resources exist</span> envguard scan <span class="nt">--aws</span> <span class="c"># Also validate nested keys within secrets (deep validation)</span> envguard scan <span class="nt">--aws</span> <span class="nt">--aws-deep</span> </code></pre> </div> <p><strong>Example serverless.yml:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">custom</span><span class="pi">:</span> <span class="na">secrets_AURORA</span><span class="pi">:</span> <span class="s">${ssm:/aws/reference/secretsmanager/myapp/dev/aurora}</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">AURORA_HOST</span><span class="pi">:</span> <span class="s">${self:custom.secrets_AURORA.host}</span> <span class="na">AURORA_PORT</span><span class="pi">:</span> <span class="s">${self:custom.secrets_AURORA.port}</span> <span class="na">AURORA_USER</span><span class="pi">:</span> <span class="s">${self:custom.secrets_AURORA.username}</span> </code></pre> </div> <p><strong>Without validation:</strong> Deploy → Runtime crash → "Secret key 'username' not found"</p> <p><strong>With <code>--aws-deep</code>:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✔ All AWS resources validated successfully Secrets Manager (1): • myapp/dev/aurora ├─ host ✔ ├─ port ✔ └─ username ✘ MISSING ❌ Missing Secret Keys: • myapp/dev/aurora.username (used by AURORA_USER) </code></pre> </div> <p>You catch the issue <strong>before deployment</strong>.</p> <h3> Required IAM Permissions </h3> <p>For basic validation (<code>--aws</code>):</p> <ul> <li><code>ssm:GetParameter</code></li> <li><code>secretsmanager:DescribeSecret</code></li> </ul> <p>For deep validation (<code>--aws-deep</code>):</p> <ul> <li> <code>secretsmanager:GetSecretValue</code> (to fetch and parse JSON)</li> </ul> <h2> Smart Fallback Detection </h2> <p>Not all missing variables are critical. EnvGuard detects defensive coding patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// These are warnings (not errors)</span> <span class="kd">const</span> <span class="nx">apiUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">https://default-api.com</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">timeout</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TIMEOUT</span> <span class="o">??</span> <span class="mi">5000</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">debug</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DEBUG</span> <span class="p">?</span> <span class="kc">true</span> <span class="p">:</span> <span class="kc">false</span><span class="p">;</span> <span class="c1">// This is an error (no fallback)</span> <span class="kd">const</span> <span class="nx">dbUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_URL</span><span class="p">;</span> <span class="c1">// Will be undefined!</span> </code></pre> </div> <p><strong>Why this matters:</strong> You can prioritize fixing actual errors while staying aware of all env var usage.</p> <p>Disable this if you want strict checking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard scan <span class="nt">--no-detect-fallbacks</span> </code></pre> </div> <h2> Configuration File </h2> <p>Create <code>.envguardrc.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ignoreVars"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"NODE_ENV"</span><span class="p">,</span><span class="w"> </span><span class="s2">"CI"</span><span class="p">],</span><span class="w"> </span><span class="nl">"strict"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"detectFallbacks"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"exclude"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"**/node_modules/**"</span><span class="p">,</span><span class="w"> </span><span class="s2">"**/dist/**"</span><span class="p">],</span><span class="w"> </span><span class="nl">"envFiles"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"set-env.sh"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Pro tip:</strong> The <code>envFiles</code> option lets you scan shell scripts too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># In your set-env.sh</span> <span class="nb">export </span><span class="nv">API_KEY</span><span class="o">=</span><span class="s2">"abc123"</span> <span class="nb">export </span><span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"postgres://..."</span> <span class="c"># EnvGuard will pick these up</span> envguard scan <span class="nt">--env-files</span> set-env.sh </code></pre> </div> <h2> Complete CI/CD Workflow </h2> <p>Here's my production setup:</p> <p><strong>1. Local development:</strong> Pre-commit hook catches issues immediately</p> <p><strong>2. GitHub Actions:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Validate Environment</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">validate</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Validate env vars</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npm install -g @danielszlaski/envguard</span> <span class="s">envguard scan --ci --aws --aws-deep</span> <span class="na">env</span><span class="pi">:</span> <span class="na">AWS_REGION</span><span class="pi">:</span> <span class="s">eu-west-1</span> <span class="na">AWS_ACCESS_KEY_ID</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_ACCESS_KEY_ID }}</span> <span class="na">AWS_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s">${{ secrets.AWS_SECRET_ACCESS_KEY }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload SARIF</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">github/codeql-action/upload-sarif@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">sarif_file</span><span class="pi">:</span> <span class="s">results.sarif</span> </code></pre> </div> <p><strong>3. Pre-deployment:</strong> Final check before Serverless deploy<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>envguard scan <span class="nt">--ci</span> <span class="nt">--aws</span> <span class="nt">--aws-deep</span> <span class="o">&amp;&amp;</span> serverless deploy </code></pre> </div> <h2> Best Practices Summary </h2> <ol> <li> <strong>Automate validation</strong> - don't rely on manual checks</li> <li> <strong>Fail fast</strong> - catch issues in Git hooks, not production</li> <li> <strong>Validate AWS resources</strong> - don't assume secrets exist</li> <li> <strong>Track in Security tab</strong> - use SARIF for compliance</li> <li> <strong>Use fallbacks wisely</strong> - but be aware of all env usage</li> <li> <strong>Document required variables</strong> - <code>.envguardrc.json</code> serves as documentation</li> </ol> <h2> Try It Out </h2> <p><strong>Free version:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> @danielszlaski/envguard envguard scan </code></pre> </div> <p><strong>Pro version</strong> (AWS integration, Git hooks, SARIF output):<br><br> <a href="https://envguard.pl" rel="noopener noreferrer">https://envguard.pl</a> - 39 PLN (~€9)</p> <h2> What Environment Variable Nightmares Have You Experienced? </h2> <p>Drop a comment below - I'd love to hear your war stories and add more detection patterns to the tool!</p> <p><strong>Links:</strong></p> <ul> <li>Free version: <a href="https://www.npmjs.com/package/@danielszlaski/envguard" rel="noopener noreferrer">https://www.npmjs.com/package/@danielszlaski/envguard</a> </li> <li>Documentation: <a href="https://envguard.pl" rel="noopener noreferrer">https://envguard.pl</a> </li> <li>GitHub: <a href="https://github.com/szlaskidaniel/envguard" rel="noopener noreferrer">https://github.com/szlaskidaniel/envguard</a> </li> </ul> cicd devops javascript node