@bhargavmahanta/envguard
v1.1.0
Published
Security linting for env, Docker, CI, and runtime configuration.
Maintainers
Readme
EnvGuard
Security linting for env, Docker, CI, and runtime configuration.
EnvGuard helps developers catch unsafe environment values, risky runtime defaults, Docker/Compose hazards, and CI/CD configuration issues before they reach production. It complements deep secret-history scanners like Gitleaks and TruffleHog rather than replacing them.
Features
- Scan
.env, config, Docker, Compose, and GitHub Actions files - Scan GitLab CI and CircleCI configuration
- Check
.envhygiene and.env.example/.env.schemadrift - Detect real-looking secrets, weak secrets, unsafe runtime settings, and wildcard CORS
- Detect Docker and CI/CD security issues
- Mask secrets by default in terminal, JSON, Markdown, SARIF, and GitHub annotation reports
- Support local CLI usage, pre-commit hooks, and GitHub Actions
- Scan only staged or changed files for fast developer workflows
- Use the included reusable GitHub Action wrapper
- Configure behavior with
envguard.config.ymland.envguardignore
Installation
npx @bhargavmahanta/envguard scan .Or install globally:
npm install -g @bhargavmahanta/envguardQuick Start
envguard scan .
envguard scan . --ci --fail-on high
envguard scan . --format json --output report.json
envguard scan . --format markdown --output report.md
envguard scan --staged
envguard scan --changed origin/main
envguard scan . --format github
envguard baseline audit
envguard init
envguard rules
envguard doctor --jsonOn Windows PowerShell, if script execution blocks the generated envguard.ps1 shim, use the .cmd shim:
envguard.cmd scan .
npx --package @bhargavmahanta/envguard envguard.cmd scan .Example Output
[HIGH] Database URL contains a password (database-url-password)
File: .env:3
Preview: DATABASE_URL=postgres://admin:********@localhost:5432/app
Risk: 100/100 | Confidence: high
Fix: Move database credentials to a secret manager or untracked local env file.Supported Detections
- AWS keys, GitHub tokens, Stripe keys, Slack tokens, Google API keys
- Private keys, JWT tokens, bearer tokens, database URLs with passwords
- Weak JWT/session/API secrets and placeholder values
DEBUG=true, development runtimes, disabled SSL/TLS verification- Wildcard CORS and wildcard CORS with credentials
.envduplicate keys, empty values, malformed lines, invalid keys, and schema drift- Dockerfiles that copy
.env, uselatest, run as root, miss.dockerignore, or use remoteADD - Compose privileged containers, public database ports, host networking, unsafe volumes, inline secrets, and
latesttags - GitHub Actions secret printing,
pull_request_target, floating actions, broad permissions - GitLab CI and CircleCI secret-printing and risky defaults
Configuration
Create starter files:
envguard initExample envguard.config.yml:
severity:
fail_on: high
entropy:
enabled: true
threshold: 4.2
output:
mask: true
rules:
disabled: []
packs:
- node
- python
- docker
- github-actions
- ci
custom: []
allow: []
scan:
max_file_mb: 2
timeout_seconds: 0
include_gitignored: falseExample .envguardignore:
node_modules/
dist/
docs/fixtures/Reports
EnvGuard supports:
terminal
json
markdown
sarif
githubSample Vulnerable Project
Try EnvGuard against the included fake vulnerable project:
npm install
npm run build
node dist/cli.js scan examples/vulnerable-projectLimitations
EnvGuard uses pattern-based and heuristic detection. It may produce false positives or miss some secrets. It does not validate, transmit, or use detected credentials.
Documentation
- Rule catalog
- How EnvGuard compares
- Remediation guide
- GitHub Actions setup
- Pre-commit setup
- Integration examples
- Reporting
- Public API surface
- Release process
- V1.0 release notes
- V1.0 readiness
- Compatibility
- Design notes
- Roadmap
License
MIT
Disclaimer
EnvGuard is a defensive security tool. Only scan repositories you own or have permission to test.
