Skip to main content

Scan a codebase for environment variables and generate documented .env.example

Project description

English | 中文

env-audit

Scan a codebase for environment variables and generate a documented .env.example.

The Problem

Every project has environment variables. Few have documentation. You join a project, clone the repo, and then spend 30 minutes hunting through code to figure out what env vars you need.

env-audit fixes this in one command.

Features

  • 🔍 Multi-language scanning - Python, Node, Go, Rust, Ruby, Shell, Docker
  • 🧠 Smart extraction - Finds default values, marks required vs optional
  • 🔒 Sensitive detection - Flags SECRET, KEY, PASSWORD, TOKEN vars
  • CI-friendly - --check mode for automated verification
  • 📝 Multiple formats - .env, TypeScript types, Zod schemas
  • 🤖 MCP Server - Agent-friendly tools for Claude, Cursor, etc.

Quick Start

# Scan current directory
python env_audit.py

# Scan a specific path
python env_audit.py /path/to/project

# Save to file
python env_audit.py -o .env.example

# Get JSON output (for tooling)
python env_audit.py --json > env-vars.json

# Just show stats
python env_audit.py --stats

CI Integration

Use --check mode to fail CI if there are undocumented env vars:

# In your CI pipeline
python env_audit.py --check

# Exit codes:
# 0 = all vars documented
# 1 = undocumented vars found

Example GitHub Actions workflow:

- name: Check env vars are documented
  run: python env_audit.py --check

Output Formats

Default (.env.example)

python env_audit.py -o .env.example

Generates:

# Database connection string (required, sensitive)
# Found in: src/db/connect.py, src/models/user.py
DATABASE_URL=postgresql://user:pass@localhost:5432/dbname

# Server port number (optional, default: 3000)
# Found in: src/server.py
PORT=3000

TypeScript Types

python env_audit.py --format=typescript -o env.d.ts

Generates:

declare namespace NodeJS {
  interface ProcessEnv {
    /** Database connection string | @sensitive */
    DATABASE_URL: string;
    /** Server port number | @default 3000 */
    PORT?: string;
  }
}

Zod Schema

python env_audit.py --format=zod -o envSchema.ts

Generates:

import { z } from 'zod';

export const envSchema = z.object({
  DATABASE_URL: z.string().describe("Database connection string"),
  PORT: z.string().default("3000").describe("Server port number"),
});

export type Env = z.infer<typeof envSchema>;

JSON Output

For tooling integration, use --json:

python env_audit.py --json

Returns:

{
  "DATABASE_URL": {
    "name": "DATABASE_URL",
    "category": "database",
    "files": ["src/db.py", "src/models.py"],
    "occurrences": 5,
    "required": true,
    "sensitive": true,
    "default": null
  },
  "PORT": {
    "name": "PORT",
    "category": "api",
    "files": ["src/server.py"],
    "occurrences": 2,
    "required": false,
    "sensitive": false,
    "default": "3000"
  }
}

MCP Server (for AI Agents)

env-audit includes an MCP server for integration with Claude, Cursor, and other AI tools.

Setup

pip install fastmcp

Add to Claude Desktop

Add to ~/.config/claude/claude_desktop_config.json:

{
  "mcpServers": {
    "env-audit": {
      "command": "python",
      "args": ["/path/to/env-audit/mcp_server.py"]
    }
  }
}

Available Tools

Tool Description
env_audit_scan Scan a project for all env vars
env_audit_check Check if all vars are documented
env_audit_add Add a variable to .env.example

Example Usage

Claude or other agents can:

> What environment variables does this project need?
[uses env_audit_scan]

> Are all env vars documented?
[uses env_audit_check]

> Add STRIPE_SECRET_KEY to the env example
[uses env_audit_add]

Supported Languages

Language Patterns
Python os.environ.get(), os.getenv(), os.environ[]
Node.js process.env.VAR, process.env["VAR"], process.env.VAR || "default"
Go os.Getenv()
Rust std::env::var(), env::var()
Ruby ENV[], ENV.fetch(), ENV["VAR"] || "default"
Shell $VAR, ${VAR}, ${VAR:-default}
Docker docker-compose.yml, Dockerfile

Smart Detection

Default Values

env-audit extracts default values from common patterns:

# Python
os.getenv('PORT', '3000')  # → default: 3000

# Node.js
process.env.PORT || '3000'  # → default: 3000

# Shell
${PORT:-3000}  # → default: 3000

Variables with defaults are marked as optional.

Sensitive Variables

Variables containing these keywords are flagged as sensitive:

  • SECRET, KEY, PASSWORD, TOKEN, CREDENTIAL, PRIVATE, AUTH

Categories

Variables are auto-categorized:

  • database: DATABASE, DB_, POSTGRES, MYSQL, MONGO, REDIS
  • auth: AUTH, JWT, SECRET, TOKEN, PASSWORD, API_KEY
  • api: API_, ENDPOINT, URL, HOST, PORT
  • cloud: AWS_, GCP_, AZURE_, S3_
  • email: SMTP, EMAIL, MAIL, SENDGRID
  • logging: LOG_, DEBUG, SENTRY
  • feature: FEATURE_, ENABLE_, DISABLE_, FLAG_

Installation

pip install indiekit-env-audit

# Or just run directly
python env_audit.py /path/to/project

# With MCP server support
pip install fastmcp

Why This Exists

Saw this pattern across many projects:

  • New dev joins → spends hours figuring out env vars
  • .env.example exists but is outdated
  • Code has new env vars not in the template

This tool can be run in CI to catch undocumented env vars before they cause onboarding pain.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

indiekit_env_audit-0.2.0.tar.gz (13.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

indiekit_env_audit-0.2.0-py3-none-any.whl (12.4 kB view details)

Uploaded Python 3

File details

Details for the file indiekit_env_audit-0.2.0.tar.gz.

File metadata

  • Download URL: indiekit_env_audit-0.2.0.tar.gz
  • Upload date:
  • Size: 13.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for indiekit_env_audit-0.2.0.tar.gz
Algorithm Hash digest
SHA256 24c87dadbee5defd2cf3fa78c83ed7fa7259dc924a2eb6d7987ac190eeb6f7c5
MD5 41a7ee6a8061608cd2a477ba8a19fd22
BLAKE2b-256 1f166824cf42d5ad0288866f7f3d51894504fa22d686746ec8c23a842f86402f

See more details on using hashes here.

File details

Details for the file indiekit_env_audit-0.2.0-py3-none-any.whl.

File metadata

File hashes

Hashes for indiekit_env_audit-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a90ebbf9a668a507c7193cd014ee931712a44d613e5f450794809f5eca405a74
MD5 532608f6040b9d41714235372bb07e1f
BLAKE2b-256 92a759b09f844173d2120d5276d1f30e46760e654d221f1c5df7c23439ba0e13

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page