Validate your .env file against .env.example before you deploy.
Project description
dotguard
Validate your .env file against .env.example before you deploy.
The problem
AI-assisted coding is fast. It's also quietly shipping placeholder credentials, empty secrets, and misconfigured environments to production every day.
Your .env file is the last line of defense — and most teams never validate it.
dotguard does.
What it catches
| Check | Severity |
|---|---|
Key in .env.example missing from .env |
ERROR |
| Sensitive key with an empty value | ERROR |
Sensitive key with a placeholder value (e.g. your-key-here) |
ERROR |
.env file tracked or staged in git |
ERROR |
| Non-sensitive key with a placeholder value | WARNING |
Key in .env not documented in .env.example |
WARNING |
| Non-sensitive key with an empty value | WARNING |
Install
pip install dotguard
Usage
dotguard # Validate .env against .env.example
dotguard --strict # Treat warnings as errors (recommended for CI)
dotguard --fail-on errors # Exit 1 on errors only (default)
dotguard --fail-on warnings # Exit 1 on warnings only
dotguard --fail-on all # Exit 1 on any issue
dotguard --no-extras # Treat undocumented keys as errors
dotguard --no-git-check # Skip git tracking check
dotguard --quiet # Silent — exit code only
dotguard init # Generate .env.example from your .env
dotguard init --force # Overwrite an existing .env.example
Exit codes
| Code | Meaning |
|---|---|
0 |
All checks passed |
1 |
One or more errors |
2 |
File not found |
CI integration
Drop dotguard into your pipeline to catch environment issues before they reach production.
GitHub Actions (reusable workflow)
The easiest way to integrate dotGuard is via the reusable workflow. Add this to your own repo's workflow file:
jobs:
dotguard:
uses: Vengeance-us/dotguard/.github/workflows/dotguard.yml@main
with:
fail_on: "errors" # "errors" | "warnings" | "all" (default: "errors")
env_file: ".env" # path to your .env file (default: ".env")
example_file: ".env.example" # path to your .env.example (default: ".env.example")
pr_comment: true # post findings as a PR comment (default: false)
If no
.envfile is found in the repository, dotGuard skips gracefully and the workflow passes.
GitHub Actions (inline)
Prefer to inline it directly in your own workflow?
- name: Validate environment
run: |
pip install dotguard
dotguard --fail-on errors
Pre-commit hook
# .git/hooks/pre-commit
dotguard --quiet || { echo "dotguard: fix .env errors before committing"; exit 1; }
Getting started
If you don't have a .env.example yet, generate one from your existing .env:
dotguard init
This creates a .env.example with all your keys present but values scrubbed — safe to commit, ready to share with your team.
Then validate any time:
dotguard
License
Built for developers who ship with confidence.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file dotguard-0.4.0.tar.gz.
File metadata
- Download URL: dotguard-0.4.0.tar.gz
- Upload date:
- Size: 9.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
eb4d47e9073c8175cc0a4b04ea8ded9ca2beabdcb0410b6f6d8c2b20d92ff7b7
|
|
| MD5 |
4626a1dfb62d48162c2266bd13e7f071
|
|
| BLAKE2b-256 |
ce14e1f6191e51388a1a46e83d5fe8053528d9fb24cba159ca09aee36c71a45d
|
Provenance
The following attestation bundles were made for dotguard-0.4.0.tar.gz:
Publisher:
publish.yml on Vengeance-us/dotguard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dotguard-0.4.0.tar.gz -
Subject digest:
eb4d47e9073c8175cc0a4b04ea8ded9ca2beabdcb0410b6f6d8c2b20d92ff7b7 - Sigstore transparency entry: 1810882906
- Sigstore integration time:
-
Permalink:
Vengeance-us/dotguard@18b139df316b2a2922d2e89a59a16e075796bb3c -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/Vengeance-us
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@18b139df316b2a2922d2e89a59a16e075796bb3c -
Trigger Event:
release
-
Statement type:
File details
Details for the file dotguard-0.4.0-py3-none-any.whl.
File metadata
- Download URL: dotguard-0.4.0-py3-none-any.whl
- Upload date:
- Size: 8.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
143172c5d3ca14f622627dbec1a4dcc9121af3eabe11ca9cea0d7b454d3dacc5
|
|
| MD5 |
eee62b5a6e142cbbc93bb0007e0dac7c
|
|
| BLAKE2b-256 |
d462b236d16a93e6944b0877b45ae24edfe5cd07a18ca87b38ce346b75b54178
|
Provenance
The following attestation bundles were made for dotguard-0.4.0-py3-none-any.whl:
Publisher:
publish.yml on Vengeance-us/dotguard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
dotguard-0.4.0-py3-none-any.whl -
Subject digest:
143172c5d3ca14f622627dbec1a4dcc9121af3eabe11ca9cea0d7b454d3dacc5 - Sigstore transparency entry: 1810882913
- Sigstore integration time:
-
Permalink:
Vengeance-us/dotguard@18b139df316b2a2922d2e89a59a16e075796bb3c -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/Vengeance-us
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@18b139df316b2a2922d2e89a59a16e075796bb3c -
Trigger Event:
release
-
Statement type: