ShieldX is a blazing-fast CLI tool to compare, sync, validate, and scan your environment/config files. It helps developers avoid missing variables, catch hardcoded secrets in code, and keep configs consistent across environments.
Short. Secure. Smart. That's ShieldX.
- Compare: Check differences between .env files (e.g., .env vs .env.production)
- ⚡ Generate: Create a .env.example automatically from an existing .env
- 🛡️ Scan: Detect hardcoded secrets (API keys, tokens, DB URLs) with severity levels
- ✅ Validate: Ensure .env files have all required variables
- JSON Output: Perfect for CI/CD pipelines
- 🚫 Smart Ignoring: Use .shieldxignore to skip files
- 🎯 Exit Codes: Non-zero exit on issues for CI/CD integration
- 📦 Lightweight: Zero bloat
- Security-first: 28+ secret pattern detectors with severity levels
Use it instantly with npx (no install required):
npx shieldx compare .env .env.example
Or install globally:
npm install -g shieldx
Compare files and see missing/extra variables:
shieldx compare .env .env.production
Options:
- -j, --json - Output in JSON format
- -v, --verbose - Show detailed output
Example output:
Comparison: .env vs .env.production
Missing in .env.production (2):
- SECRET_KEY
- API_TOKEN
⚠️ Extra in .env.production (1):
+ NEW_FEATURE_FLAG
Total: 10 keys in .env, 9 keys in .env.production
CI/CD Integration:
# Exit code 1 if files don't match
shieldx compare .env .env.example --json > comparison.json
Create a template file with keys only (no sensitive values):
shieldx generate .env
Options:
- -o, --output <file> - Custom output path (default: .env.example)
- -f, --force - Overwrite existing file
- -j, --json - Output in JSON format
- -v, --verbose - List all generated keys
Examples:
# Generate with custom output
shieldx generate .env -o .env.template
# Force overwrite
shieldx generate .env --force
# See what keys were generated
shieldx generate .env --verbose
Detect hardcoded API keys, passwords, tokens, and more:
shieldx scan ./src
Options:
- -j, --json - Output in JSON format for parsing
- -v, --verbose - Show skipped files
- -q, --quiet - Only show errors
Security Patterns Detected:
- Stripe API keys (live & test)
- AWS credentials
- GitHub tokens
- Google API keys
- Database connection strings
- JWT tokens
- Private keys (RSA, PEM, SSH)
- OAuth tokens (Slack, Facebook, Google)
- Bearer tokens
- And 20+ more patterns!
Severity Levels:
- 🔴 CRITICAL - Private keys, credentials with immediate risk
- 🟠 HIGH - API keys, tokens, passwords
- 🟡 MEDIUM - Session IDs, JWTs
- 🔵 LOW - Potential secrets, long strings
Example output:
Scanning ./src for hardcoded secrets...
🚨 [HIGH] Stripe Live Key in src/payment.js:15
const key = "sk_live_abcd1234..."
💡 Move this to .env file
⚠️ Security Report:
Total issues: 3
Files scanned: 47
CRITICAL: 1
High: 2
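A sketch of line-based secret scanning with severity ranking and redacted excerpts, added here as an example; it is not ShieldX's code. The five regexes, the report field names and the sample files are assumptions made for the illustration.

```javascript
// Added illustration; these detectors are assumptions for the example,
// not ShieldX's own pattern set. Ordered most severe first.
const DETECTORS = [
  { name: "Private Key", severity: "CRITICAL", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: "AWS Access Key ID", severity: "HIGH", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "Stripe Live Key", severity: "HIGH", re: /\bsk_live_[0-9a-zA-Z]{8,}/ },
  { name: "JWT", severity: "MEDIUM", re: /\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+/ },
  { name: "Long quoted string", severity: "LOW", re: /["'][A-Za-z0-9+\/=_-]{40,}["']/ },
];
const RANK = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };

// Keep only a short prefix of the match so the report never repeats the secret.
function redact(line, re) {
  return line.replace(re, (m) => m.slice(0, 8) + "...[redacted]");
}

// One finding per line: the first (most severe) detector that matches.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const hit = DETECTORS.find((d) => d.re.test(line));
    if (!hit) return;
    findings.push({ file, line: i + 1, name: hit.name,
      severity: hit.severity, excerpt: redact(line.trim(), hit.re) });
  });
  return findings;
}

// Aggregate across files; field names are hypothetical, not ShieldX's JSON schema.
function report(files) {
  const findings = Object.entries(files).flatMap(([f, t]) => scanText(f, t));
  findings.sort((a, b) => RANK[a.severity] - RANK[b.severity]);
  const counts = {};
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return { filesScanned: Object.keys(files).length, total: findings.length,
    counts, findings, exitCode: findings.length ? 1 : 0 };
}

// Constructed sample input (fake values; the AWS ID is AWS's documentation example).
const SAMPLE = {
  "src/payment.js": 'const key = "sk_live_abcd1234efgh5678";\nconst id = "AKIAIOSFODNN7EXAMPLE";',
  "src/auth.js": "const port = process.env.PORT;\nconst pem = `-----BEGIN RSA PRIVATE KEY-----`;",
};
console.log(JSON.stringify(report(SAMPLE), null, 2));
```

Redacting the excerpt matters because scan reports end up in CI logs and build artifacts, where a full match would leak the secret a second time.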
Use .shieldxignore:
Create a .shieldxignore file to skip certain paths:
# ShieldX Ignore Patterns
**/test/**
*.test.js
docs/
Ensure .env files have all required keys:
shieldx validate .env --keys "DATABASE_URL,API_KEY,SECRET"
Options:
- -k, --keys <keys> - Comma-separated required keys
- -c, --config <file> - Load required keys from file
- -j, --json - Output in JSON format
- -v, --verbose - Show all present keys
Using a config file:
Create required-keys.txt:
DATABASE_URL
API_KEY
SECRET_KEY
Then run:
shieldx validate .env --config required-keys.txt
Example output:
Validating .env
Missing 2 required variable(s):
  API_KEY
  SECRET_KEY
💡 Add the missing variables to .env
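How the key-level compare and validate checks can work, as an added example rather than ShieldX's own implementation. The parser, the function names and the reporting of empty values are assumptions, and the sample files are constructed to match the compare output shown earlier on the page.

```javascript
// Added illustration (not ShieldX source): parse dotenv text into key -> value.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue; // blank line or comment
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (m) vars.set(m[1], m[2].replace(/^(['"])(.*)\1$/, "$2"));
  }
  return vars;
}

// compare: keys in the first file missing from the second, and extras in the second.
function compareEnv(aText, bText) {
  const a = parseEnv(aText), b = parseEnv(bText);
  const missing = [...a.keys()].filter((k) => !b.has(k));
  const extra = [...b.keys()].filter((k) => !a.has(k));
  return { missing, extra, totalA: a.size, totalB: b.size,
    exitCode: missing.length || extra.length ? 1 : 0 };
}

// validate: required keys as a comma-separated string or one key per line.
// "empty" flags keys that exist but have no value (a choice made in this example).
function validateEnv(envText, required) {
  const want = required.split(/[,\n]/).map((k) => k.trim()).filter(Boolean);
  const have = parseEnv(envText);
  const missing = want.filter((k) => !have.has(k));
  const empty = want.filter((k) => have.get(k) === "");
  return { missing, empty, exitCode: missing.length ? 1 : 0 };
}

// Constructed sample: 10 keys in .env, 9 keys in .env.production.
const COMMON = ["DATABASE_URL", "API_KEY", "PORT", "NODE_ENV",
  "REDIS_URL", "LOG_LEVEL", "SMTP_HOST", "SMTP_USER"];
const ENV = "# local settings\n" + COMMON.map((k) => `${k}=x`).join("\n") +
  '\nexport SECRET_KEY="s3"\nAPI_TOKEN=\n';
const ENV_PROD = COMMON.map((k) => `${k}=y`).join("\n") + "\nNEW_FEATURE_FLAG=true\n";

console.log(compareEnv(ENV, ENV_PROD));
console.log(validateEnv(ENV_PROD, "DATABASE_URL\nAPI_KEY\nSECRET_KEY"));
```

Only key names are compared, so values never need to leave the machine that holds the real .env file.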
ShieldX returns exit code 1 on issues, perfect for CI/CD:
# GitHub Actions example
- name: Validate environment
  run: |
    shieldx compare .env.example .env.production --json
    shieldx scan ./src
    shieldx validate .env.production --keys "DATABASE_URL,API_KEY"
Add to .git/hooks/pre-commit:
#!/bin/bash
shieldx scan ./src --quiet
if [ $? -ne 0 ]; then
  echo "Secrets detected! Fix them before committing."
  exit 1
fi
All commands support --json flag:
# Get JSON output for parsing
shieldx scan ./src --json > security-report.json
# Parse with jq
shieldx scan ./src --json | jq '.issuesFound'
- Compare .env files
- Generate .env.example
- Scan for secrets with severity levels
- Validate required keys
- JSON output for CI/CD
- .shieldxignore support
- Exit codes for automation
- GitHub Actions integration
- Auto-fix suggestions
- Sync configs across environments
- VSCode plugin integration
- AI-powered secret detection (v2)
- Encrypt/decrypt .env files
Clone and run locally:
git clone https://github.com/zeemscript/shieldx.git
cd shieldx
npm install
npm link
Run tests:
npm test
npm run test:watch
Now you can run:
shieldx compare .env .env.example
ShieldX includes a comprehensive test suite:
# Run all tests
npm test
# Run with coverage
npm test -- --coverage
# Watch mode
npm run test:watch
Contributions, issues, and feature requests are welcome!
- Fork the repo
- Create your feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
Check issues for ideas!
MIT © 2025 zeemscript
Best Practices:
- ✅ Run shieldx scan before every commit
- ✅ Use shieldx validate in deployment pipelines
- ✅ Keep .env.example updated with shieldx generate
- ✅ Never commit .env files (add to .gitignore)
- ✅ Use .shieldxignore for test fixtures
Common Workflows:
# Setup new project
shieldx generate .env
git add .env.example
# Before deploying
shieldx validate .env.production --keys "DATABASE_URL,API_KEY"
shieldx compare .env.example .env.production
# Security audit
shieldx scan ./src --verbose
Made with ❤️ by developers, for developers.