Scan a codebase for environment variables and generate documented .env.example
Project description
env-audit
Scan a codebase for environment variables and generate a documented .env.example.
The Problem
Every project has environment variables. Few have documentation. You join a project, clone the repo, and then spend 30 minutes hunting through code to figure out what env vars you need.
env-audit fixes this in one command.
Features
- 🔍 Multi-language scanning - Python, Node, Go, Rust, Ruby, Shell, Docker
- 🧠 Smart extraction - Finds default values, marks required vs optional
- 🔒 Sensitive detection - Flags SECRET, KEY, PASSWORD, TOKEN vars
- ✅ CI-friendly -
--checkmode for automated verification - 📝 Multiple formats - .env, TypeScript types, Zod schemas
- 🤖 MCP Server - Agent-friendly tools for Claude, Cursor, etc.
Quick Start
# Scan current directory
python env_audit.py
# Scan a specific path
python env_audit.py /path/to/project
# Save to file
python env_audit.py -o .env.example
# Get JSON output (for tooling)
python env_audit.py --json > env-vars.json
# Just show stats
python env_audit.py --stats
CI Integration
Use --check mode to fail CI if there are undocumented env vars:
# In your CI pipeline
python env_audit.py --check
# Exit codes:
# 0 = all vars documented
# 1 = undocumented vars found
Example GitHub Actions workflow:
- name: Check env vars are documented
run: python env_audit.py --check
Output Formats
Default (.env.example)
python env_audit.py -o .env.example
Generates:
# Database connection string (required, sensitive)
# Found in: src/db/connect.py, src/models/user.py
DATABASE_URL=postgresql://user:pass@localhost:5432/dbname
# Server port number (optional, default: 3000)
# Found in: src/server.py
PORT=3000
TypeScript Types
python env_audit.py --format=typescript -o env.d.ts
Generates:
declare namespace NodeJS {
interface ProcessEnv {
/** Database connection string | @sensitive */
DATABASE_URL: string;
/** Server port number | @default 3000 */
PORT?: string;
}
}
Zod Schema
python env_audit.py --format=zod -o envSchema.ts
Generates:
import { z } from 'zod';
export const envSchema = z.object({
DATABASE_URL: z.string().describe("Database connection string"),
PORT: z.string().default("3000").describe("Server port number"),
});
export type Env = z.infer<typeof envSchema>;
JSON Output
For tooling integration, use --json:
python env_audit.py --json
Returns:
{
"DATABASE_URL": {
"name": "DATABASE_URL",
"category": "database",
"files": ["src/db.py", "src/models.py"],
"occurrences": 5,
"required": true,
"sensitive": true,
"default": null
},
"PORT": {
"name": "PORT",
"category": "api",
"files": ["src/server.py"],
"occurrences": 2,
"required": false,
"sensitive": false,
"default": "3000"
}
}
MCP Server (for AI Agents)
env-audit includes an MCP server for integration with Claude, Cursor, and other AI tools.
Setup
pip install fastmcp
Add to Claude Desktop
Add to ~/.config/claude/claude_desktop_config.json:
{
"mcpServers": {
"env-audit": {
"command": "python",
"args": ["/path/to/env-audit/mcp_server.py"]
}
}
}
Available Tools
| Tool | Description |
|---|---|
env_audit_scan |
Scan a project for all env vars |
env_audit_check |
Check if all vars are documented |
env_audit_add |
Add a variable to .env.example |
Example Usage
Claude or other agents can:
> What environment variables does this project need?
[uses env_audit_scan]
> Are all env vars documented?
[uses env_audit_check]
> Add STRIPE_SECRET_KEY to the env example
[uses env_audit_add]
Supported Languages
| Language | Patterns |
|---|---|
| Python | os.environ.get(), os.getenv(), os.environ[] |
| Node.js | process.env.VAR, process.env["VAR"], process.env.VAR || "default" |
| Go | os.Getenv() |
| Rust | std::env::var(), env::var() |
| Ruby | ENV[], ENV.fetch(), ENV["VAR"] || "default" |
| Shell | $VAR, ${VAR}, ${VAR:-default} |
| Docker | docker-compose.yml, Dockerfile |
Smart Detection
Default Values
env-audit extracts default values from common patterns:
# Python
os.getenv('PORT', '3000') # → default: 3000
# Node.js
process.env.PORT || '3000' # → default: 3000
# Shell
${PORT:-3000} # → default: 3000
Variables with defaults are marked as optional.
Sensitive Variables
Variables containing these keywords are flagged as sensitive:
- SECRET, KEY, PASSWORD, TOKEN, CREDENTIAL, PRIVATE, AUTH
Categories
Variables are auto-categorized:
- database: DATABASE, DB_, POSTGRES, MYSQL, MONGO, REDIS
- auth: AUTH, JWT, SECRET, TOKEN, PASSWORD, API_KEY
- api: API_, ENDPOINT, URL, HOST, PORT
- cloud: AWS_, GCP_, AZURE_, S3_
- email: SMTP, EMAIL, MAIL, SENDGRID
- logging: LOG_, DEBUG, SENTRY
- feature: FEATURE_, ENABLE_, DISABLE_, FLAG_
Installation
pip install indiekit-env-audit
# Or just run directly
python env_audit.py /path/to/project
# With MCP server support
pip install fastmcp
Why This Exists
Saw this pattern across many projects:
- New dev joins → spends hours figuring out env vars
.env.exampleexists but is outdated- Code has new env vars not in the template
This tool can be run in CI to catch undocumented env vars before they cause onboarding pain.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file indiekit_env_audit-0.2.0.tar.gz.
File metadata
- Download URL: indiekit_env_audit-0.2.0.tar.gz
- Upload date:
- Size: 13.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
24c87dadbee5defd2cf3fa78c83ed7fa7259dc924a2eb6d7987ac190eeb6f7c5
|
|
| MD5 |
41a7ee6a8061608cd2a477ba8a19fd22
|
|
| BLAKE2b-256 |
1f166824cf42d5ad0288866f7f3d51894504fa22d686746ec8c23a842f86402f
|
File details
Details for the file indiekit_env_audit-0.2.0-py3-none-any.whl.
File metadata
- Download URL: indiekit_env_audit-0.2.0-py3-none-any.whl
- Upload date:
- Size: 12.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a90ebbf9a668a507c7193cd014ee931712a44d613e5f450794809f5eca405a74
|
|
| MD5 |
532608f6040b9d41714235372bb07e1f
|
|
| BLAKE2b-256 |
92a759b09f844173d2120d5276d1f30e46760e654d221f1c5df7c23439ba0e13
|