Parse .env files and detect / redact sensitive values. Zero dependencies. Works in Node.js and the browser.
Detects 35+ secret patterns: API keys, tokens, passwords, connection strings, JWTs, private keys, and high-entropy values (Stripe, OpenAI, Anthropic, GitHub, AWS, Azure, GCP, Twilio, SendGrid, and more).
🖥️ Prefer a UI? The same engine powers the free browser tool at aarunyaapps.com/env-sanitizer — 100% client-side, nothing leaves your machine.
No install needed:
# Redact .env to stdout
npx @aarunyaapps/env-redact
# Generate a .env.example (keys only)
npx @aarunyaapps/env-redact --example --write .env.example
# CI guard: exit 1 if a file contains live secrets
npx @aarunyaapps/env-redact .env.production --check# .github/workflows/ci.yml
- name: Check for committed secrets in env files
run: npx @aarunyaapps/env-redact .env.example --check| Option | Description |
|---|---|
[file] |
Input file (default .env, - for stdin) |
--example |
Output keys only, all values stripped |
--check |
Exit 1 if sensitive values found (CI mode) |
--write <file> |
Write output to a file instead of stdout |
--placeholder <str> |
Replacement text (default REDACTED) |
--json |
JSON summary: { total, sensitive, keys } |
npm install @aarunyaapps/env-redactimport { parseEnv, buildSanitized, buildExample, countSensitive } from "@aarunyaapps/env-redact"
const lines = parseEnv(envFileContent)
buildSanitized(lines) // DATABASE_URL=REDACTED
buildSanitized(lines, { placeholder: "***" }) // DATABASE_URL=***
buildExample(lines) // DATABASE_URL=
countSensitive(lines) // 4parseEnv(content: string): EnvLine[]— parse into typed lines (blank | comment | entry | invalid); entries carrykey,value,sensitivebuildSanitized(lines, { placeholder? })— sensitive values replaced, everything else byte-identicalbuildExample(lines)— all values stripped (for.env.example)buildDiff(lines)— line-level diff of what would changecountSensitive(lines)/countTotal(lines)isSensitiveKey(key)/isSensitiveValue(value)— use the detection heuristics directly
Supports KEY=value and KEY: value styles, //-commented-out secrets (// API_KEY=... is still flagged), and multi-line colon syntax.
This package performs no network calls, no telemetry, no file access beyond what you pass it. The browser version runs entirely client-side.
MIT © Aarunya Apps