
Stop committing secrets. Catch .env drift before it breaks production.

envaudit is a fast, zero-dependency Rust CLI that detects missing keys, validates environment files against your template, and scans for secrets before they leave your machine.

$ cargo install envaudit

Free forever. No accounts. No telemetry. Just a tool that does its job.

Features

Three tools, one command away

envaudit covers the full spectrum of environment file hygiene: drift, validation, and secret detection.

Drift Detection

Compare .env files across staging, production, and local environments. Surface missing or mismatched keys before they cause incidents.

Baseline Validation

Validate any .env file against its .env.example. Get a clear report of missing required keys and undocumented variables.

Secret Scanning

Detect accidentally committed secrets using pattern matching. Catches API keys, tokens, and credentials before they reach version control.

Getting Started

Up and running in three steps

No configuration files. No accounts. No runtime dependencies. Just install and run.

01

Install

One command with Cargo. Runs on Linux, macOS, and Windows. No runtime dependencies.

$ cargo install envaudit

02

Run

Point envaudit at your project root. It finds your .env files automatically.

$ envaudit scan

03

Fix

Get a clear, actionable report. Pipe to JSON for CI integration or use exit codes to fail the build.

$ envaudit check --format json

Live Demo

See what envaudit catches

Sample output from a real project. envaudit reports clearly and exits with the right code for CI pipelines.

Drift Detection

$ envaudit scan
Scanning environment files...
Found: .env.local, .env.staging, .env.production

Drift Report
MISSING in .env.production:
  DATABASE_POOL_SIZE (present in .env.local)
  FEATURE_FLAG_BETA (present in .env.staging)
EXTRA in .env.staging:
  LEGACY_API_ENDPOINT (not in other envs)
2 drift issues found.

Baseline Validation

$ envaudit check
Validating .env against .env.example...

Validation Report
MISSING required keys:
  STRIPE_SECRET_KEY (required, not set)
  SENDGRID_API_KEY (required, not set)
UNDOCUMENTED keys:
  MY_LOCAL_DEBUG=true (not in .env.example)
2 missing keys, 1 undocumented.

Secret Scanning

$ envaudit secrets
Scanning for committed secrets...

Secret Scan Report
DETECTED in .env.example:
  Line 14: STRIPE_KEY=sk_live_a1b2c3... [stripe-secret-key]
  Line 22: AWS_SECRET=AKIA... [aws-access-key]
2 secrets detected.
Replace with placeholder values immediately.
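
The key comparison behind the Validation Report above, written out in Rust as an added example; it is not envaudit's source code. The function names, the sample files, the rule that an empty value counts as "not set", and the exit code of 1 are assumptions made for this example.

```rust
use std::collections::BTreeMap;

/// Parse dotenv-style text into key -> value. Skips blank lines and `#`
/// comments, accepts an optional `export ` prefix, strips matching quotes.
fn parse_env(text: &str) -> BTreeMap<String, String> {
    let mut vars = BTreeMap::new();
    for line in text.lines() {
        let line = line.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let line = line.strip_prefix("export ").unwrap_or(line);
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim();
            let value = value
                .strip_prefix('"').and_then(|v| v.strip_suffix('"'))
                .or_else(|| value.strip_prefix('\'').and_then(|v| v.strip_suffix('\'')))
                .unwrap_or(value);
            vars.insert(key.trim().to_string(), value.to_string());
        }
    }
    vars
}

/// Returns (missing, undocumented): template keys absent or empty in `env`
/// (assumed meaning of "not set"), and `env` keys the template never mentions.
fn validate(template: &str, env: &str) -> (Vec<String>, Vec<String>) {
    let (tpl, env) = (parse_env(template), parse_env(env));
    let missing = tpl
        .keys()
        .filter(|k| env.get(*k).map_or(true, |v| v.is_empty()))
        .cloned()
        .collect();
    let undocumented = env.keys().filter(|k| !tpl.contains_key(*k)).cloned().collect();
    (missing, undocumented)
}

// Constructed sample files, modelled on the validation report shown above.
const EXAMPLE: &str = "# template\nSTRIPE_SECRET_KEY=\nSENDGRID_API_KEY=\nDATABASE_URL=\n";
const LOCAL: &str = "export DATABASE_URL=\"postgres://localhost/app\"\nSENDGRID_API_KEY=\nMY_LOCAL_DEBUG=true\n";

fn main() {
    let (missing, undocumented) = validate(EXAMPLE, LOCAL);
    println!("MISSING required keys: {:?}", missing);
    println!("UNDOCUMENTED keys: {:?}", undocumented);
    // Assumed convention: a non-zero exit lets a CI job fail the build on any finding.
    std::process::exit(if missing.is_empty() && undocumented.is_empty() { 0 } else { 1 });
}
```

The same set difference, applied pairwise between environment files instead of against a template, yields the MISSING and EXTRA lists of the drift report.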

Open source. Free forever. No catches.

envaudit is MIT licensed and built by Phono Technologies. Star it on GitHub, open an issue, or contribute a fix. That's the whole deal.

$ cargo install envaudit