A CLI tool to validate and lint environment variable files (.env) with schema validation and security checks.
- Schema Validation: Define expected environment variables with types and constraints
- Security Checks: Detect exposed secrets, weak passwords, and insecure configurations
- Format Linting: Ensure consistent formatting and naming conventions
- Missing Variable Detection: Identify required variables that are missing
- Type Checking: Validate that values match expected types (string, number, boolean, URL, etc.)
- Duplicate Detection: Find duplicate variable definitions
- Comment Preservation: Maintain comments while validating
npm install -g env-validatorOr use directly with npx:
npx env-validator validate .envenv-validator validate .envenv-validator validate .env --schema .env.schema.jsonenv-validator security .envenv-validator lint .env --fixCreate a .env.schema.json file to define your expected environment variables:
{
"variables": {
"DATABASE_URL": {
"type": "url",
"required": true,
"description": "PostgreSQL connection string"
},
"PORT": {
"type": "number",
"required": false,
"default": 3000,
"min": 1024,
"max": 65535
},
"NODE_ENV": {
"type": "enum",
"required": true,
"values": ["development", "production", "test"]
},
"API_KEY": {
"type": "string",
"required": true,
"pattern": "^sk-[a-zA-Z0-9]{32}$",
"sensitive": true
}
}
}The tool automatically checks for:
- Exposed API keys and tokens
- Weak or default passwords
- Insecure URLs (http instead of https)
- Hardcoded secrets in comments
- Common security misconfigurations
✓ .env validation passed
Found 12 variables
✓ All required variables present
✓ No type mismatches
✓ No security issues detected
⚠ 2 warnings:
LINE 5: DATABASE_URL uses http instead of https
LINE 8: API_KEY appears to be a placeholder value
Create a .envvalidatorrc.json file:
{
"rules": {
"naming-convention": "SCREAMING_SNAKE_CASE",
"require-description": false,
"allow-empty-values": false,
"max-line-length": 120
},
"security": {
"check-entropy": true,
"min-password-length": 12,
"require-https": true
}
}const { validateEnv } = require('env-validator');
const result = validateEnv('.env', {
schema: '.env.schema.json',
strict: true
});
if (!result.valid) {
console.error('Validation failed:', result.errors);
process.exit(1);
}- name: Validate environment files
run: npx env-validator validate .env.example --schema .env.schema.json#!/bin/sh
npx env-validator validate .env --quiet || exit 1MIT
Contributions welcome! Please read CONTRIBUTING.md first.