Skip to main content

Detective for env vars in Python code. Parses your source with AST, finds every os.getenv/os.environ usage, and tells you what's missing from your .env file.

Project description

envsleuth

tests pypi python license

🕵️ The detective for env vars in Python code. Parses your source with AST, finds every os.getenv() / os.environ[] / os.environ.get(), and tells you what's missing from your .env file.

No more shipping to prod and realising you forgot STRIPE_API_KEY.

envsleuth demo

Install

pip install envsleuth

Usage

# scan current directory, check against ./.env
envsleuth scan

# specific directory, specific env file
envsleuth scan --path ./src --env .env.production

# CI mode — exits 1 if anything is missing
envsleuth scan --strict

# generate a .env.example from your code
envsleuth generate

# machine-readable output
envsleuth scan --json

Example output

Found 6 variables in code
checking against .env

⚠️  AWS_SECRET — not in .env but has default in code (probably ok)
✅ DATABASE_URL
✅ DEBUG
❌ REDIS_URL — missing from .env
     at src/app.py:7
✅ SECRET_KEY
❌ STRIPE_API_KEY — missing from .env
     at src/app.py:6

⚠️  1 dynamic usage (variable name computed at runtime, can't check statically)
     src/app.py:12  →  getenv(name)

ℹ  1 variable in .env not referenced in code: UNUSED_VAR

3 ok  1 with default  2 missing

What it detects

Works with all three common patterns:

import os

a = os.getenv("A")              # required — must be in .env
b = os.getenv("B", "fallback")  # has default — warned but not required
c = os.environ["C"]             # required (would raise KeyError without)
d = os.environ.get("D")         # required

Also handles aliased imports:

from os import getenv, environ
import os as sys_os

a = getenv("A")
b = environ["B"]
c = sys_os.getenv("C")

Variables with names computed at runtime (e.g. os.getenv(f"PREFIX_{x}")) can't be checked statically — they're reported in a separate warning section so you know they exist.

envsleuth generate

Scans your code and writes a .env.example with every variable found, a comment pointing at where it's used, and the default value from code if there is one:

$ envsleuth generate
Wrote 6 variables to .env.example

$ cat .env.example
# Generated by envsleuth — edit this file before committing.
# Each variable below is used somewhere in your code.

# used at src/app.py:8
AWS_SECRET=default-value

# used at src/app.py:3
DATABASE_URL=

# used at src/app.py:5
DEBUG=false
...

Use --force to overwrite an existing file, --output path/to/file to write elsewhere.

.envignore

Exclude variables from the "missing" check with glob patterns — one per line:

# .envignore
TEST_*
LEGACY_*
DEBUG_TOOL

Great for vars that come from CI, Docker, or your shell rc files rather than the local .env.

CI usage

GitHub Actions:

- name: Check env vars
  run: |
    pip install envsleuth
    envsleuth scan --env .env.example --strict

pre-commit:

# .pre-commit-config.yaml
- repo: local
  hooks:
    - id: envsleuth
      name: envsleuth
      entry: envsleuth scan --strict
      language: system
      pass_filenames: false

CLI reference

envsleuth scan

Flag Description
--path, -p Directory or file to scan. Default: .
--env Path to .env file. Default: ./.env
--envignore Path to .envignore. Default: ./.envignore if present
--strict Exit with code 1 if vars are missing
--json JSON output for CI pipelines
--no-color Disable ANSI colors (also honours NO_COLOR env var)
--exclude DIR Extra directory name to skip. Can be repeated
--ext .EXT Extra file extension to scan (e.g. .pyi). Can be repeated
--verbose, -v Show usage locations for every variable

envsleuth generate

Flag Description
--path, -p Directory or file to scan. Default: .
--output, -o Where to write. Default: ./.env.example
--force, -f Overwrite existing output file
--no-color Disable ANSI colors in the success message
--exclude, --ext Same as in scan

How it compares

envsleuth dotenv-linter python-decouple
Scans your code for env var usages
Lints the .env file itself
Runtime config reader with casting
Generates .env.example from code
Language Python Rust Python

envsleuth is the only tool here that understands your source code. The others either look at your .env file in isolation, or read env vars at runtime.

Dependencies

  • click — CLI
  • python-dotenv.env parsing
  • flashbar — progress bar (a tiny zero-dep lib I wrote; envsleuth uses it when scanning 20+ files)

The scanner itself uses only the Python standard library (ast).

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

envsleuth-0.1.1.tar.gz (25.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

envsleuth-0.1.1-py3-none-any.whl (19.3 kB view details)

Uploaded Python 3

File details

Details for the file envsleuth-0.1.1.tar.gz.

File metadata

  • Download URL: envsleuth-0.1.1.tar.gz
  • Upload date:
  • Size: 25.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for envsleuth-0.1.1.tar.gz
Algorithm Hash digest
SHA256 84718c4e1dd470ae9a4ca7a1704f769b7be1e88094d9e80a166295c8712bdad3
MD5 ebe8cd35db10b1af52b0fb29d2d219d5
BLAKE2b-256 b8605807ba7be7f113cb3cebba74fc652ce983808a09d2936409d8559a4de4d4

See more details on using hashes here.

File details

Details for the file envsleuth-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: envsleuth-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 19.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.13

File hashes

Hashes for envsleuth-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 9bf6531c671620f5188223fc8d540543a312bb426224a8344cf160acf8eb0698
MD5 09f0711df4efe655acd292539e2dbb92
BLAKE2b-256 b3b162440b8030a503b857cf48960601709c0a410c0f3fb0489b7133da3ec73b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page