In 2025, GitGuardian found 12.8 million hardcoded secrets in public GitHub repos. API keys, private keys, passwords: all sitting in plain text for anyone to find.
Don't be part of that statistic.
The Problem
You create a .env file. You add API_KEY=sk-live-abc123.... You commit. You push. You're screwed.
```env
# .env - DO NOT COMMIT THIS FILE
DATABASE_URL=postgres://user:password@localhost:5432/db
STRIPE_SECRET=sk_live_abc123def456
AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
```
Even if you add .env to .gitignore, what about .env.production, .env.local, env.backup?
The 1-Command Fix
```shell
npx @wuchunjie/dotguard /your/project
```
Output:
```text
🔍 Scanning: /your/project
📄 .env (3 issues)
⚠️  L2 | Hardcoded password
    DATABASE_URL=postgres://user:password@localhost...
⚠️  L3 | API key
    STRIPE_SECRET=sk_live_abc123def456
⚠️  L4 | Access token
    AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
────────────────────────────
⚠️  3 potential secrets exposed!
💡 Add .env to .gitignore & use .env.example instead.
```
That's it. Zero config. Zero dependencies. Pure Node.js.
What It Scans For
- API keys: anything matching api_key=..., token=...
- Private keys: BEGIN RSA PRIVATE KEY, BEGIN OPENSSH PRIVATE KEY
- Hardcoded passwords: password=something
- Database URLs: mysql://, postgres://, mongodb:// with credentials
- Long random strings: likely tokens or secrets
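As an added example (not dotguard's source, which this post does not show), here is a minimal scanner in plain Node.js that implements the five checks above over .env text: a parser for KEY=VALUE lines, value-shape rules for private keys, AWS-style access key IDs and database URLs that carry credentials, key-name rules for passwords and API keys, and a Shannon-entropy heuristic for long random strings. The rule set, the AKIA prefix check, the 3.5 bits/char cutoff and the sample file are my own assumptions.

```javascript
// Added example, not dotguard's code: a minimal .env secret scanner.
// Rules, thresholds and the sample file below are assumptions for illustration.

// Value-shape rules: the value itself reveals what kind of secret it is.
const VALUE_RULES = [
  { label: 'Private key', re: /-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----/ },
  { label: 'Access token', re: /\bAKIA[0-9A-Z]{16}\b/ }, // AWS access key ID shape (assumed rule)
  { label: 'Database URL with credentials',
    re: /^(?:mysql|postgres(?:ql)?|mongodb(?:\+srv)?|redis):\/\/[^\s:@\/]+:[^\s@\/]+@/i },
];

// Key-name rules: the variable name says it holds a credential.
const KEY_RULES = [
  { label: 'Hardcoded password', re: /pass(?:word|wd)?|pwd/i },
  { label: 'API key', re: /api[_-]?key|access[_-]?key|token|secret/i },
];

// A "long random string" must look like one token (no URLs, no sentences)
// and have high per-character entropy. Both limits are assumed cutoffs.
const TOKEN_SHAPE = /^[A-Za-z0-9_-]{20,}$/;
const ENTROPY_THRESHOLD = 3.5; // bits per character

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Parse KEY=VALUE lines. Skips blanks, comments, empty values and ${VAR}
// references, which are not secrets in themselves.
function parseDotenv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return;
    let value = m[2].trim();
    if (value.length >= 2 && ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'")))) {
      value = value.slice(1, -1);
    }
    if (!value || /^\$\{?[A-Za-z_]/.test(value)) return;
    entries.push({ line: i + 1, key: m[1], value });
  });
  return entries;
}

// First matching rule wins: value shape, then key name, then entropy.
function classify(entry) {
  for (const r of VALUE_RULES) if (r.re.test(entry.value)) return r.label;
  for (const r of KEY_RULES) if (r.re.test(entry.key)) return r.label;
  if (TOKEN_SHAPE.test(entry.value) && shannonEntropy(entry.value) >= ENTROPY_THRESHOLD) {
    return 'Long random string';
  }
  return null;
}

// Returns one finding per flagged line: { line, key, label }.
function scanDotenv(text) {
  const findings = [];
  for (const e of parseDotenv(text)) {
    const label = classify(e);
    if (label) findings.push({ line: e.line, key: e.key, label });
  }
  return findings;
}

// Constructed sample .env (not a real file); the AWS key is AWS's documented example value.
const SAMPLE_ENV = [
  '# .env - constructed sample for the example',
  'DATABASE_URL=postgres://user:password@localhost:5432/db',
  'STRIPE_SECRET=sk_live_abc123def456',
  'AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE',
  'SIGNING_KEY="-----BEGIN RSA PRIVATE KEY-----\\nMIIEowIBAAKCAQEA..."',
  'ANALYTICS_ID=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c',
  'CACHE_URL=redis://localhost:6379/0',
  'NODE_ENV=production',
  'PORT=3000',
  'LOG_LEVEL=${LOG_LEVEL}',
].join('\n');

for (const f of scanDotenv(SAMPLE_ENV)) {
  console.log(`⚠️  L${f.line} | ${f.label} (${f.key})`);
}
```

Run it with `node scan.js` and it reports lines 2 to 6 of the sample. The two non-findings are the interesting part: `CACHE_URL` is a database-style URL without a `user:password@` part, so the URL rule does not fire and the token-shape check keeps the entropy heuristic from flagging it, and `${LOG_LEVEL}` is a reference to another variable rather than a value, so the parser drops it before any rule runs.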
Integrate Into Your Workflow
```shell
# Pre-commit hook
npx @wuchunjie/dotguard . || exit 1

# CI pipeline
npx @wuchunjie/dotguard . && echo "✅ No secrets found"

# Check before every push
alias pushsafe='npx @wuchunjie/dotguard . && git push'
```
Bonus: What's Missing?
dotguard also checks for commonly recommended but missing env vars:
```text
ℹ️  L0 | Missing NODE_ENV
    Consider adding: NODE_ENV=production
ℹ️  L0 | Missing PORT
    Consider adding: PORT=3000
```
Try It Now
```shell
npx @wuchunjie/dotguard .
```
Found this useful? Buy me a coffee ☕ to support building open-source security tools.