Skip to content

aarunyatech/env-redact

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

@aarunyaapps/env-redact

Parse .env files and detect / redact sensitive values. Zero dependencies. Works in Node.js and the browser.

Detects 35+ secret patterns: API keys, tokens, passwords, connection strings, JWTs, private keys, and high-entropy values (Stripe, OpenAI, Anthropic, GitHub, AWS, Azure, GCP, Twilio, SendGrid, and more).

🖥️ Prefer a UI? The same engine powers the free browser tool at aarunyaapps.com/env-sanitizer — 100% client-side, nothing leaves your machine.

CLI

No install needed:

# Redact .env to stdout
npx @aarunyaapps/env-redact

# Generate a .env.example (keys only)
npx @aarunyaapps/env-redact --example --write .env.example

# CI guard: exit 1 if a file contains live secrets
npx @aarunyaapps/env-redact .env.production --check

Block secrets in CI

# .github/workflows/ci.yml
- name: Check for committed secrets in env files
  run: npx @aarunyaapps/env-redact .env.example --check

All options

Option Description
[file] Input file (default .env, - for stdin)
--example Output keys only, all values stripped
--check Exit 1 if sensitive values found (CI mode)
--write <file> Write output to a file instead of stdout
--placeholder <str> Replacement text (default REDACTED)
--json JSON summary: { total, sensitive, keys }

Library

npm install @aarunyaapps/env-redact
import { parseEnv, buildSanitized, buildExample, countSensitive } from "@aarunyaapps/env-redact"

const lines = parseEnv(envFileContent)

buildSanitized(lines)                          // DATABASE_URL=REDACTED
buildSanitized(lines, { placeholder: "***" })  // DATABASE_URL=***
buildExample(lines)                            // DATABASE_URL=
countSensitive(lines)                          // 4

API

  • parseEnv(content: string): EnvLine[] — parse into typed lines (blank | comment | entry | invalid); entries carry key, value, sensitive
  • buildSanitized(lines, { placeholder? }) — sensitive values replaced, everything else byte-identical
  • buildExample(lines) — all values stripped (for .env.example)
  • buildDiff(lines) — line-level diff of what would change
  • countSensitive(lines) / countTotal(lines)
  • isSensitiveKey(key) / isSensitiveValue(value) — use the detection heuristics directly

Supports KEY=value and KEY: value styles, //-commented-out secrets (// API_KEY=... is still flagged), and multi-line colon syntax.

Privacy

This package performs no network calls, no telemetry, no file access beyond what you pass it. The browser version runs entirely client-side.

License

MIT © Aarunya Apps

About

Detect and redact secrets in .env files. CLI + zero-dependency library. Powers aarunyaapps.com/env-sanitizer

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors