Skip to main content

Scan your codebase for exposed secrets and API keys before committing

Project description

env-guard ๐Ÿ”

Catch secrets on your machine โ€” before they ever reach GitHub.

$ env-guard scan .

env-guard scan report
Path    : .
Scanned : 42 files
Found   : 1 potential secret(s)

  โœ– HIGH  Stripe Live Secret Key
  File : config/settings.py:12
  Code : STRIPE_KEY = "sk_live_abc123..."

โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  1 HIGH
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€

Scan failed โ€” secrets detected. Do not commit.

GitHub already scans for secrets. So why env-guard?

GitHub has a feature called Secret Scanning. It's good. But it has one fundamental problem:

It runs after you push.

By the time GitHub catches your exposed API key, it has already left your machine, traveled over the internet, and landed on GitHub's servers. If your repo is public โ€” even for 30 seconds โ€” automated bots scrape it instantly. GitHub will alert you, but the key is already compromised. You have to rotate it, audit usage, and hope nothing was abused.

env-guard is different. It runs on your machine, before the commit, as a git pre-commit hook. The secret never leaves your laptop.

Without env-guard:
  code โ†’ commit โ†’ push โ†’ GitHub scans โ†’ alert โ†’ key already exposed โŒ

With env-guard:
  code โ†’ commit blocked โ†’ fix locally โ†’ push clean code โœ…

Think of GitHub Secret Scanning as your last line of defense. env-guard is your first.


Who is this for

  • Developers who work with API keys, database URLs, or credentials locally
  • Teams that want to enforce secret hygiene without relying on GitHub's post-push detection
  • Anyone who has ever accidentally committed a .env file and had a bad day

Install

pip install env-guard

Requires Python 3.8+


Quickstart

# Scan your current project
env-guard scan .

# Install as a pre-commit hook (runs automatically on every git commit)
env-guard install-hook

That's it. After install-hook, you never have to think about it again. Every commit is scanned automatically.


Usage

Scan a directory

env-guard scan .
env-guard scan /path/to/project

Only show HIGH severity findings

env-guard scan . --severity HIGH

JSON output (for scripts and CI pipelines)

env-guard scan . --format json

Scan without blocking (reporting mode)

env-guard scan . --no-fail

Git pre-commit hook

# Install โ€” run this once inside your project repo
env-guard install-hook

# Remove
env-guard uninstall-hook

After installing, every git commit triggers a scan automatically:

env-guard: scanning for secrets...
env-guard: commit blocked. Remove secrets before committing.
env-guard: to skip this check (NOT recommended): git commit --no-verify

The commit is fully blocked until the secret is removed. No secret reaches git history.


Ignore false positives

Create .envguardignore in your project root:

# Ignore specific files
tests/fixtures/sample.env

# Ignore by extension
*.log

# Ignore entire directories
docs/

Same concept as .gitignore โ€” one pattern per line.


What env-guard detects

Category Examples
AWS Access Key ID, Secret Access Key, Session Token
Google API Key, OAuth Client Secret, Service Account
GitHub Personal Access Token, OAuth Token, App Token
Stripe Live and Test Secret Keys, Publishable Keys
Slack Bot Token, User Token, Webhook URL
OpenAI API Key
Anthropic API Key
Twilio Account SID, Auth Token
SendGrid API Key
Database PostgreSQL, MySQL, MongoDB, Redis connection strings
Private Keys RSA, EC, PGP, OpenSSH
Django SECRET_KEY
Generic Passwords, tokens, API key assignments
And more Razorpay, NPM, PyPI, Heroku, Netlify, Cloudinary

54 detection rules total. More added with every release.


CI/CD integration

env-guard also works in CI pipelines as a second checkpoint โ€” useful for PRs from external contributors who may not have the hook installed locally.

GitHub Actions

Create .github/workflows/secret-scan.yml in your repo:

name: Secret Scan

on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - run: pip install env-scan-cli
      - run: env-guard scan .

env-guard vs GitHub Secret Scanning

env-guard GitHub Secret Scanning
When it runs Before commit, on your machine After push, on GitHub's servers
Blocks the secret Yes โ€” commit is blocked No โ€” secret is already pushed
Works offline Yes No
Custom ignore rules Yes, via .envguardignore Limited
Free Yes Yes (public repos)
Requires GitHub No Yes

Use both. They solve different parts of the problem.


Development

git clone https://github.com/siyadhkc/env-guard.git
cd env-guard
pip install -e ".[dev]"
pytest tests/ -v

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

env_scan_cli-0.1.1.tar.gz (18.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

env_scan_cli-0.1.1-py3-none-any.whl (14.6 kB view details)

Uploaded Python 3

File details

Details for the file env_scan_cli-0.1.1.tar.gz.

File metadata

  • Download URL: env_scan_cli-0.1.1.tar.gz
  • Upload date:
  • Size: 18.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for env_scan_cli-0.1.1.tar.gz
Algorithm Hash digest
SHA256 83baa2b4e06094018eca6e5ada7f0eec5d0f891a41b586f4d128b89334945491
MD5 26baf6aa9d0732618f07db85219922e1
BLAKE2b-256 695a71cbab02ec037c9a41769d71b1872210a3955fdbbb83c78957dd133588f0

See more details on using hashes here.

Provenance

The following attestation bundles were made for env_scan_cli-0.1.1.tar.gz:

Publisher: publish.yml on siyadhkc/env-guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file env_scan_cli-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: env_scan_cli-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 14.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for env_scan_cli-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 f2fa1a380e91ab69afb3b10ce50c5d30e38dbb575f391266ded3a23522e3948a
MD5 bfd048520c4062a56282ad803c1bb252
BLAKE2b-256 553f1846f5a0f461986d587f78d5940fe7b5e7db760ecb1655366803fdd955bc

See more details on using hashes here.

Provenance

The following attestation bundles were made for env_scan_cli-0.1.1-py3-none-any.whl:

Publisher: publish.yml on siyadhkc/env-guard

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page