Audit environment variable consistency across a codebase.
Project description
env-check
Audit environment variable consistency across your codebase. Finds vars used in code but missing from .env.example, stale vars nobody references anymore, and required vars with no default value — in any language.
$ envcheck .
envcheck — environment variable audit
──────────────────────────────────────────
✗ 3 undocumented variables (in code, missing from .env.example)
DATABASE_URL src/db/connection.py:14
STRIPE_WEBHOOK_SECRET src/payments/webhook.py:8, src/payments/webhook.py:31
REDIS_URL src/cache.py:22
⚠ 2 stale variables (in .env.example, not found in code)
OLD_PAYMENT_KEY
DEPRECATED_FEATURE_FLAG
○ 2 variables with no default value (empty in .env.example)
SECRET_KEY
JWT_SECRET
⚡ 1 dynamic reference (runtime key construction — cannot audit statically)
src/config/loader.py:45 → process.env[configKey]
──────────────────────────────────────────
Result: FAIL (exit code 1)
Why
Your .env.example is a contract. It tells new contributors what the app needs to run. Over time that contract drifts: someone adds process.env.NEW_KEY to the source and forgets to document it, or removes a feature but leaves the stale key rotting in .env.example. envcheck catches both automatically, in CI, before it becomes someone else's debugging session.
Installation
pip install env-auditor
Requires Python 3.10+. Zero runtime dependencies — pure stdlib.
Usage
# Audit current directory against .env.example (default)
envcheck
# Audit a specific project
envcheck /path/to/project
# Use a different env file
envcheck --env .env.production
# Multiple env files (keys merged — union)
envcheck --env .env.example --env .env.staging
# Strict mode: fail on stale vars too
envcheck --strict
# JSON output for tooling / dashboards
envcheck --format json | jq .undocumented
# Suppress specific sections
envcheck --ignore-stale --ignore-missing
# Exclude extra directories
envcheck --exclude vendor --exclude third_party
Config file
Commit a .envcheckrc at your project root to persist settings for your whole team:
# .envcheckrc
env_files = [".env.example", ".env.staging"]
exclude_dirs = ["vendor", "third_party"]
ignore_stale = false
strict = true
ignore_keys = ["CI", "HOME", "USER"]
required_keys = ["DATABASE_URL", "SECRET_KEY"]
Or add it to pyproject.toml under [tool.envcheck]:
[tool.envcheck]
env_files = [".env.example"]
strict = true
ignore_keys = ["CI"]
CLI flags always override config file values.
Supported languages
| Language | Detected patterns |
|---|---|
| JavaScript / TypeScript | process.env.VAR, process.env['VAR'], process.env["VAR"] |
| Python | os.environ['VAR'], os.environ.get('VAR'), os.getenv('VAR') |
| Go | os.Getenv("VAR"), os.LookupEnv("VAR") |
| Shell | $VAR, ${VAR} (.sh, .bash, .zsh only) |
| Docker | ENV VAR, ARG VAR in Dockerfiles |
| Ruby | ENV['VAR'], ENV["VAR"], ENV.fetch('VAR') |
Dynamic references like process.env[someVariable] are flagged separately — they can't be statically audited.
CLI reference
| Flag | Description | Default |
|---|---|---|
PATH |
Root directory to scan | . |
--env FILE |
Env file(s) as source of truth. Repeatable. | .env.example |
--config FILE |
Path to config file | auto-discover .envcheckrc |
--ignore-stale |
Suppress stale variable report | off |
--ignore-missing |
Suppress empty-value report | off |
--format [text|json] |
Output format | text |
--no-color |
Disable ANSI colors | off |
--exclude DIR |
Extra directories to skip. Repeatable. | — |
--strict |
Exit 1 on stale vars too | off |
--version |
Show version and exit | — |
Exit codes
| Code | Meaning |
|---|---|
0 |
Clean |
1 |
Undocumented vars found (or stale with --strict) |
2 |
Tool error — bad args, missing files, etc. |
CI integration
Block deploys when env vars drift:
# .github/workflows/deploy.yml
jobs:
env-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with: { python-version: "3.12" }
- run: pip install envcheck
- run: envcheck --strict
Save the report as a CI artifact:
- run: envcheck --format json > envcheck-report.json || true
- uses: actions/upload-artifact@v4
with:
name: envcheck-report
path: envcheck-report.json
For monorepos, run per-service:
- run: envcheck services/api --env services/api/.env.example
- run: envcheck services/worker --env services/worker/.env.example
Security
- Symlinks are never followed
- Files over 1 MB are skipped (with a warning)
- Lines over 2000 characters are skipped (ReDoS protection)
--excludepaths are validated to be within the scan root — path traversal rejected- Actual
.envvalues are never stored, logged, or printed — only key names - No network calls, no telemetry, entirely local
Development
git clone https://github.com/SemTiOne/env-check
cd env-check
pip install -e .
pip install pytest pytest-cov
pytest --cov=envcheck --cov-report=term-missing
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file env_auditor-0.1.0-py3-none-any.whl.
File metadata
- Download URL: env_auditor-0.1.0-py3-none-any.whl
- Upload date:
- Size: 21.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b134e766680edcfeb38dc8e8459024fb639f2c7233e5681c3b658f474c5c41c4
|
|
| MD5 |
8058eb464f9d50036a31b92bb0c06831
|
|
| BLAKE2b-256 |
73341925d9239485f08a46b60f1c938f1e701f7a77ef2e5c1d06d4b061e09970
|
