Skip to content

secenv-org/.github

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
README.md
README.md
 
 

Repository files navigation

secenv

Make .env secure again. Commit to GitHub without fear.

secenv encrypts your environment variables so you can safely commit them to version control. It's .env you can actually share—without the security headaches.

Why secenv?

  • Zero wrapper needed — Import and use secrets directly in your code
  • Lightning fast — Cold start <50ms, cached access <1ms
  • Battle-tested encryption — AEAD encryption via age
  • CI/CD ready — Works seamlessly with GitHub Actions and other pipelines
  • Defense-first — Private fields prevent memory-scanning attacks

Quick Start

# Install
npm install secenv

# Initialize (one-time setup)
npx secenv init

# Add a secret
npx secenv set API_KEY "your-secret-key"

# Use in code
import { env } from 'secenv';

const apiKey = await env.API_KEY;

CLI Commands

secenv init              # Initialize identity and project
secenv set KEY VALUE     # Set a secret (encrypted)
secenv get KEY           # Get a secret (decrypted)
secenv list              # List all keys
secenv rotate KEY        # Rotate a secret
secenv delete KEY        # Delete a secret
secenv doctor            # Verify setup and encryption
secenv key export        # Export private key for CI

SDK Usage

Basic Access

import { env } from 'secenv';

const dbUrl = await env.DATABASE_URL;
const apiKey = await env.API_KEY;

Fallback to process.env

The SDK checks process.env first, then falls back to your .secenv file:

// In production, set DATABASE_URL in your deployment platform
// Locally, use .secenv
const dbUrl = await env.DATABASE_URL;

Error Handling

import { env, SecretNotFoundError } from 'secenv';

try {
  const key = await env.MISSING_KEY;
} catch (e) {
  if (e instanceof SecretNotFoundError) {
    console.error('Secret not found in .secenv');
  }
}

Programmatic API

import { createSecenv } from 'secenv';

const sdk = await createSecenv();
await sdk.set('API_KEY', 'secret-value');
const value = await sdk.get('API_KEY');

The .secenv File

Store secrets in .secenv in your project root:

# Encrypted values (auto-decrypted)
API_KEY=enc:age:AGE-SECRET-KEY-1XYZ...

# Plaintext values (non-sensitive config)
PORT=3000
NODE_ENV=development

Use --base64 flag for binary values like certificates:

secenv set TLS_CERT --base64 < server.crt

CI/CD Integration

1. Export your identity

secenv key export

2. Add to CI secrets

Add the output as SECENV_ENCODED_IDENTITY in your CI provider (GitHub Secrets, etc.).

3. Use in CI

# GitHub Actions example
- name: Run app
  env:
    SECENV_ENCODED_IDENTITY: ${{ secrets.SECENV_ENCODED_IDENTITY }}
  run: npm run start

Security

  • AEAD encryption — Each secret is encrypted separately with age
  • Private fields — JavaScript private class fields protect against memory-scanning
  • Constant-time lookups — Prevents timing attacks
  • Symlink protection — Blocks symlink attacks

For full security details, see SECURITY.md.

Requirements

  • Node.js 18+
  • No external dependencies (age encryption bundled)

License

MIT

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors