envaudit

Detect .env drift, missing secrets, and accidentally committed credentials across your environments.

Built with Rust for speed. Scans in milliseconds.


Features

  • scan — Compare multiple .env* files side-by-side and surface drift (variables missing in some environments)
  • check — Validate that all keys in .env.example exist in .env (CI-friendly, exits 1 on failure)
  • secrets — Heuristic scan for values that look like real secrets accidentally committed to source control

Installation

From source (requires Rust)

git clone https://github.com/mateenali/envaudit
cd envaudit/envaudit-cli
cargo install --path .

Pre-built binaries

Download from the releases page.


Usage

envaudit scan — Drift detection

Compare all .env* files in the current directory:

envaudit scan

Compare specific files:

envaudit scan --envs .env,.env.staging,.env.production

Scan a different directory:

envaudit scan --dir /path/to/project

Output:

  envaudit scan

  Comparing 3 files: .env, .env.staging, .env.production
  22 total variables, 3 with drift

  KEY                       .env       .env.staging   .env.production
  ─────────────────────────────────────────────────────────────────────
  FEATURE_BETA_API            ✓             ✗               ✓
  SESSION_SECRET              ✓             ✗               ✓
  STRIPE_WEBHOOK_SECRET       ✓             ✗               ✓

  ⚠ 3 variable(s) differ across environments.

envaudit check — Baseline validation

Ensure all keys in .env.example are present in .env:

envaudit check

Use custom file paths:

envaudit check --baseline .env.example --target .env.local

Output (with missing keys):

  envaudit check

  Baseline : .env.example
  Target   : .env
  Keys in baseline: 21

  ✗ 1 key(s) missing from .env:

    → REQUIRED_BUT_MISSING

  Add these keys to your .env file before deploying.

Exit codes:

  • 0 — All keys present
  • 1 — One or more keys missing

Great for CI pipelines:

# .github/workflows/ci.yml
- name: Check .env completeness
  run: envaudit check --baseline .env.example --target .env

envaudit secrets — Secret detection

Scan for potentially dangerous values committed to source control:

envaudit secrets

Scan a specific file:

envaudit secrets --file .env.staging

Detects:

  • Known prefixes: sk_live_, sk_test_ (Stripe), AKIA (AWS), ghp_ (GitHub), xoxb- (Slack), SG. (SendGrid), and more
  • Sensitive key names: any key with SECRET, PASSWORD, API_KEY, TOKEN, etc. that has a non-placeholder value
  • High-entropy strings: values ≥ 20 characters with Shannon entropy > 4.5 bits/char

Output:

  envaudit secrets

  File: .env.production
  Keys scanned: 25

  ⚠ 3 potential secret(s) detected:

  [HIGH  ]  STRIPE_SECRET_KEY
            Value matches pattern: Stripe live secret key

  [MEDIUM]  AWS_ACCESS_KEY_ID
            Key name suggests a secret (AWS_ACCESS_KEY_ID)

  [MEDIUM]  AWS_SECRET_ACCESS_KEY
            High-entropy value (5.1 bits/char, len 40)

  Note: This is a heuristic scan. Review each finding manually.
  Secrets should not be committed to source control.

The secrets command always exits 0 — it's a warning, not a hard failure.
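An added example, not envaudit's own code, showing how the three heuristics listed above (known prefix, sensitive key name with a non-placeholder value, high-entropy value) can be implemented in Rust and run over a constructed .env file. The check ordering, the prefix descriptions, the sensitive-name and placeholder lists, and the sample file contents are assumptions.

```rust
use std::collections::HashMap;
/// Shannon entropy in bits per character.
pub fn shannon_entropy(s: &str) -> f64 {
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() { *counts.entry(c).or_insert(0) += 1; }
    let n = s.chars().count() as f64;
    counts.values().map(|&k| { let p = k as f64 / n; -p * p.log2() }).sum()
}

// Prefixes named in the README; descriptions and the name/placeholder lists are assumed.
const PREFIXES: &[(&str, &str)] = &[
    ("sk_live_", "Stripe live secret key"), ("sk_test_", "Stripe test secret key"),
    ("AKIA", "AWS access key ID"), ("ghp_", "GitHub personal access token"),
    ("xoxb-", "Slack bot token"), ("SG.", "SendGrid API key"),
];
const SENSITIVE_NAMES: &[&str] = &["SECRET", "PASSWORD", "API_KEY", "TOKEN"];
const PLACEHOLDERS: &[&str] = &["", "changeme", "xxx", "todo", "your_key_here"];

/// Heuristics in order: known prefix, sensitive key name with a real value,
/// then high entropy (>= 20 chars and > 4.5 bits/char). None = not flagged.
pub fn classify(key: &str, value: &str) -> Option<(&'static str, String)> {
    if let Some(&(_, what)) = PREFIXES.iter().find(|(p, _)| value.starts_with(*p)) {
        return Some(("HIGH", format!("Value matches pattern: {what}")));
    }
    let upper = key.to_uppercase();
    let placeholder = PLACEHOLDERS.contains(&value.to_lowercase().as_str());
    if SENSITIVE_NAMES.iter().any(|n| upper.contains(*n)) && !placeholder {
        return Some(("MEDIUM", format!("Key name suggests a secret ({key})")));
    }
    let (len, h) = (value.chars().count(), shannon_entropy(value));
    if len >= 20 && h > 4.5 {
        return Some(("MEDIUM", format!("High-entropy value ({h:.1} bits/char, len {len})")));
    }
    None
}

/// Scan KEY=VALUE lines (comments/blanks skipped) -> (key, severity, reason).
pub fn scan(env: &str) -> Vec<(String, &'static str, String)> {
    env.lines().map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split_once('='))
        .filter_map(|(k, v)| {
            let (k, v) = (k.trim(), v.trim().trim_matches('"'));
            classify(k, v).map(|(sev, why)| (k.to_string(), sev, why))
        })
        .collect()
}

// Constructed sample file; every value below is made up, not a real credential.
pub const SAMPLE: &str = "APP_ENV=production\nSTRIPE_SECRET_KEY=sk_live_fake0000000000000000\nDB_PASSWORD=changeme\nSESSION_SECRET=\"not-a-placeholder\"\nCACHE_SALT=abcdefghijklmnopqrstuvwxyz0123456789ABCD";
```

Running `scan(SAMPLE)` flags STRIPE_SECRET_KEY as HIGH by prefix, SESSION_SECRET as MEDIUM by key name, and CACHE_SALT as MEDIUM by entropy, while the placeholder DB_PASSWORD and the short APP_ENV value are not reported.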


JSON Output

All commands support --format json for scripting and CI integration:

envaudit scan --format json
envaudit check --format json
envaudit secrets --format json

Example check JSON output:

{
  "baseline": ".env.example",
  "target": ".env",
  "baseline_keys": 21,
  "missing_keys": ["REQUIRED_BUT_MISSING"],
  "status": "fail"
}

Exit Codes

  Code   Meaning
  ─────────────────────────────────────────────────────
  0      Clean — no issues found
  1      Issues found (missing keys, drift detected)
  2      Fatal error (file not found, parse failure)

What it doesn't do (yet)

  • Connect to AWS Secrets Manager, Vault, or GitHub Secrets (coming in v0.2)
  • Detect unused variables (variable defined in .env but never referenced in code)
  • Watch for changes in real-time
  • Dashboard / web UI (SaaS tier, coming soon)

Contributing

Pull requests welcome. Please open an issue first for significant changes.


License

MIT
