Scan your codebase for exposed secrets and API keys before committing
Project description
env-guard ๐
Catch secrets on your machine โ before they ever reach GitHub.
$ env-guard scan .
env-guard scan report
Path : .
Scanned : 42 files
Found : 1 potential secret(s)
โ HIGH Stripe Live Secret Key
File : config/settings.py:12
Code : STRIPE_KEY = "sk_live_abc123..."
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1 HIGH
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Scan failed โ secrets detected. Do not commit.
GitHub already scans for secrets. So why env-guard?
GitHub has a feature called Secret Scanning. It's good. But it has one fundamental problem:
It runs after you push.
By the time GitHub catches your exposed API key, it has already left your machine, traveled over the internet, and landed on GitHub's servers. If your repo is public โ even for 30 seconds โ automated bots scrape it instantly. GitHub will alert you, but the key is already compromised. You have to rotate it, audit usage, and hope nothing was abused.
env-guard is different. It runs on your machine, before the commit, as a git pre-commit hook. The secret never leaves your laptop.
Without env-guard:
code โ commit โ push โ GitHub scans โ alert โ key already exposed โ
With env-guard:
code โ commit blocked โ fix locally โ push clean code โ
Think of GitHub Secret Scanning as your last line of defense. env-guard is your first.
Who is this for
- Developers who work with API keys, database URLs, or credentials locally
- Teams that want to enforce secret hygiene without relying on GitHub's post-push detection
- Anyone who has ever accidentally committed a
.envfile and had a bad day
Install
pip install env-guard
Requires Python 3.8+
Quickstart
# Scan your current project
env-guard scan .
# Install as a pre-commit hook (runs automatically on every git commit)
env-guard install-hook
That's it. After install-hook, you never have to think about it again. Every commit is scanned automatically.
Usage
Scan a directory
env-guard scan .
env-guard scan /path/to/project
Only show HIGH severity findings
env-guard scan . --severity HIGH
JSON output (for scripts and CI pipelines)
env-guard scan . --format json
Scan without blocking (reporting mode)
env-guard scan . --no-fail
Git pre-commit hook
# Install โ run this once inside your project repo
env-guard install-hook
# Remove
env-guard uninstall-hook
After installing, every git commit triggers a scan automatically:
env-guard: scanning for secrets...
env-guard: commit blocked. Remove secrets before committing.
env-guard: to skip this check (NOT recommended): git commit --no-verify
The commit is fully blocked until the secret is removed. No secret reaches git history.
Ignore false positives
Create .envguardignore in your project root:
# Ignore specific files
tests/fixtures/sample.env
# Ignore by extension
*.log
# Ignore entire directories
docs/
Same concept as .gitignore โ one pattern per line.
What env-guard detects
| Category | Examples |
|---|---|
| AWS | Access Key ID, Secret Access Key, Session Token |
| API Key, OAuth Client Secret, Service Account | |
| GitHub | Personal Access Token, OAuth Token, App Token |
| Stripe | Live and Test Secret Keys, Publishable Keys |
| Slack | Bot Token, User Token, Webhook URL |
| OpenAI | API Key |
| Anthropic | API Key |
| Twilio | Account SID, Auth Token |
| SendGrid | API Key |
| Database | PostgreSQL, MySQL, MongoDB, Redis connection strings |
| Private Keys | RSA, EC, PGP, OpenSSH |
| Django | SECRET_KEY |
| Generic | Passwords, tokens, API key assignments |
| And more | Razorpay, NPM, PyPI, Heroku, Netlify, Cloudinary |
54 detection rules total. More added with every release.
CI/CD integration
env-guard also works in CI pipelines as a second checkpoint โ useful for PRs from external contributors who may not have the hook installed locally.
GitHub Actions
Create .github/workflows/secret-scan.yml in your repo:
name: Secret Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- run: pip install env-scan-cli
- run: env-guard scan .
env-guard vs GitHub Secret Scanning
| env-guard | GitHub Secret Scanning | |
|---|---|---|
| When it runs | Before commit, on your machine | After push, on GitHub's servers |
| Blocks the secret | Yes โ commit is blocked | No โ secret is already pushed |
| Works offline | Yes | No |
| Custom ignore rules | Yes, via .envguardignore |
Limited |
| Free | Yes | Yes (public repos) |
| Requires GitHub | No | Yes |
Use both. They solve different parts of the problem.
Development
git clone https://github.com/siyadhkc/env-guard.git
cd env-guard
pip install -e ".[dev]"
pytest tests/ -v
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file env_scan_cli-0.1.0.tar.gz.
File metadata
- Download URL: env_scan_cli-0.1.0.tar.gz
- Upload date:
- Size: 18.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ed36359bc53a33d7718aaecb3dfd90be5bb6775de0cf7c0bf7a5313daf25cedf
|
|
| MD5 |
15f7862976b21bdd20b8173fc3c6287e
|
|
| BLAKE2b-256 |
8496e787fc0acb912369f1bb4449fab9018cbb662f4d96df210075e4f3c8a09e
|
Provenance
The following attestation bundles were made for env_scan_cli-0.1.0.tar.gz:
Publisher:
publish.yml on siyadhkc/env-guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
env_scan_cli-0.1.0.tar.gz -
Subject digest:
ed36359bc53a33d7718aaecb3dfd90be5bb6775de0cf7c0bf7a5313daf25cedf - Sigstore transparency entry: 1435677673
- Sigstore integration time:
-
Permalink:
siyadhkc/env-guard@c4639b1a82cb6a8e3b6d0a89a066913449da9a2d -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/siyadhkc
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c4639b1a82cb6a8e3b6d0a89a066913449da9a2d -
Trigger Event:
push
-
Statement type:
File details
Details for the file env_scan_cli-0.1.0-py3-none-any.whl.
File metadata
- Download URL: env_scan_cli-0.1.0-py3-none-any.whl
- Upload date:
- Size: 14.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
556757cda60129ec9e463ef4af3defc184e608cf81c1d7220c657e633eec3375
|
|
| MD5 |
488d642bb12675483eb4cf6a43830b0c
|
|
| BLAKE2b-256 |
d87fe1c00c5bf41ab9c39034766c4e340dc6b53e6646f7a2f4ca5bf43060be32
|
Provenance
The following attestation bundles were made for env_scan_cli-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on siyadhkc/env-guard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
env_scan_cli-0.1.0-py3-none-any.whl -
Subject digest:
556757cda60129ec9e463ef4af3defc184e608cf81c1d7220c657e633eec3375 - Sigstore transparency entry: 1435677682
- Sigstore integration time:
-
Permalink:
siyadhkc/env-guard@c4639b1a82cb6a8e3b6d0a89a066913449da9a2d -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/siyadhkc
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@c4639b1a82cb6a8e3b6d0a89a066913449da9a2d -
Trigger Event:
push
-
Statement type: