Skip to main content

Scan your codebase for exposed secrets and API keys before committing

Project description

env-guard ๐Ÿ”

Catch secrets on your machine โ€” before they ever reach GitHub.

$ env-guard scan .

env-guard scan report
Path    : .
Scanned : 42 files
Found   : 1 potential secret(s)

  โœ– HIGH  Stripe Live Secret Key
  File : config/settings.py:12
  Code : STRIPE_KEY = "sk_live_abc123..."

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  1 HIGH
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

Scan failed โ€” secrets detected. Do not commit.

GitHub already scans for secrets. So why env-guard?

GitHub has a feature called Secret Scanning. It's good. But it has one fundamental problem:

It runs after you push.

By the time GitHub catches your exposed API key, it has already left your machine, traveled over the internet, and landed on GitHub's servers. If your repo is public โ€” even for 30 seconds โ€” automated bots scrape it instantly. GitHub will alert you, but the key is already compromised. You have to rotate it, audit usage, and hope nothing was abused.

env-guard is different. It runs on your machine, before the commit, as a git pre-commit hook. The secret never leaves your laptop.

Without env-guard:
  code โ†’ commit โ†’ push โ†’ GitHub scans โ†’ alert โ†’ key already exposed โŒ

With env-guard:
  code โ†’ commit blocked โ†’ fix locally โ†’ push clean code โœ…

Think of GitHub Secret Scanning as your last line of defense. env-guard is your first.


Who is this for

  • Developers who work with API keys, database URLs, or credentials locally
  • Teams that want to enforce secret hygiene without relying on GitHub's post-push detection
  • Anyone who has ever accidentally committed a .env file and had a bad day

Install

pip install env-guard

Requires Python 3.8+


Quickstart

# Scan your current project
env-guard scan .

# Install as a pre-commit hook (runs automatically on every git commit)
env-guard install-hook

That's it. After install-hook, you never have to think about it again. Every commit is scanned automatically.


Usage

Scan a directory

env-guard scan .
env-guard scan /path/to/project

Only show HIGH severity findings

env-guard scan . --severity HIGH

JSON output (for scripts and CI pipelines)

env-guard scan . --format json

Scan without blocking (reporting mode)

env-guard scan . --no-fail

Git pre-commit hook

# Install โ€” run this once inside your project repo
env-guard install-hook

# Remove
env-guard uninstall-hook

After installing, every git commit triggers a scan automatically:

env-guard: scanning for secrets...
env-guard: commit blocked. Remove secrets before committing.
env-guard: to skip this check (NOT recommended): git commit --no-verify

The commit is fully blocked until the secret is removed. No secret reaches git history.


Ignore false positives

Create .envguardignore in your project root:

# Ignore specific files
tests/fixtures/sample.env

# Ignore by extension
*.log

# Ignore entire directories
docs/

Same concept as .gitignore โ€” one pattern per line.


What env-guard detects

Category Examples
AWS Access Key ID, Secret Access Key, Session Token
Google API Key, OAuth Client Secret, Service Account
GitHub Personal Access Token, OAuth Token, App Token
Stripe Live and Test Secret Keys, Publishable Keys
Slack Bot Token, User Token, Webhook URL
OpenAI API Key
Anthropic API Key
Twilio Account SID, Auth Token
SendGrid API Key
Database PostgreSQL, MySQL, MongoDB, Redis connection strings
Private Keys RSA, EC, PGP, OpenSSH
Django SECRET_KEY
Generic Passwords, tokens, API key assignments
And more Razorpay, NPM, PyPI, Heroku, Netlify, Cloudinary

54 detection rules total. More added with every release.


CI/CD integration

env-guard also works in CI pipelines as a second checkpoint โ€” useful for PRs from external contributors who may not have the hook installed locally.

GitHub Actions

Create .github/workflows/secret-scan.yml in your repo:

name: Secret Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - run: pip install env-scan-cli
      - run: env-guard scan .

env-guard vs GitHub Secret Scanning

env-guard GitHub Secret Scanning
When it runs Before commit, on your machine After push, on GitHub's servers
Blocks the secret Yes โ€” commit is blocked No โ€” secret is already pushed
Works offline Yes No
Custom ignore rules Yes, via .envguardignore Limited
Free Yes Yes (public repos)
Requires GitHub No Yes

Use both. They solve different parts of the problem.


Development

git clone https://github.com/siyadhkc/env-guard.git
cd env-guard
pip install -e ".[dev]"
pytest tests/ -v

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

env_scan_cli-0.1.0.tar.gz (18.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

env_scan_cli-0.1.0-py3-none-any.whl (14.6 kB view details)

Uploaded Python 3

File details

Details for the file env_scan_cli-0.1.0.tar.gz.

File metadata

  • Download URL: env_scan_cli-0.1.0.tar.gz
  • Upload date:
  • Size: 18.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for env_scan_cli-0.1.0.tar.gz
Algorithm Hash digest
SHA256 ed36359bc53a33d7718aaecb3dfd90be5bb6775de0cf7c0bf7a5313daf25cedf
MD5 15f7862976b21bdd20b8173fc3c6287e
BLAKE2b-256 8496e787fc0acb912369f1bb4449fab9018cbb662f4d96df210075e4f3c8a09e

See more details on using hashes here.

Provenance

The following attestation bundles were made for env_scan_cli-0.1.0.tar.gz:

Publisher: publish.yml on siyadhkc/env-guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file env_scan_cli-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: env_scan_cli-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 14.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for env_scan_cli-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 556757cda60129ec9e463ef4af3defc184e608cf81c1d7220c657e633eec3375
MD5 488d642bb12675483eb4cf6a43830b0c
BLAKE2b-256 d87fe1c00c5bf41ab9c39034766c4e340dc6b53e6646f7a2f4ca5bf43060be32

See more details on using hashes here.

Provenance

The following attestation bundles were made for env_scan_cli-0.1.0-py3-none-any.whl:

Publisher: publish.yml on siyadhkc/env-guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page