Catch config drift before deploy
Point it at your repo. It diffs code references against .env.example and exits non-zero when drift would block a deploy.
envguard - Environment Variable Audit
- 12 references (8 unique keys)
- .env.example: .env.example
$ envguard --no-wizard
| TYPE | KEY | STATUS | SOURCE |
|---|---|---|---|
| MISSING | NEW_SECRET | missing | app/api.py:42 |
| UNUSED | LEGACY_FLAG | unused | .env.example |
| EXTERNAL | REMOTE_CONTAINER_SECRET | external | deploy.sh:12 |
| OPTIONAL | LOCAL_TIMEOUT_MS | optional | config.py:8 |
1 missing, 1 unused, +4 more
Demo output · envguard --details for tables
Six findings. One clean audit
The reference below matches the README “Why Use It” table: what each TYPE means when you run envguard --details.
Fails CI by default
| TYPE | Meaning |
|---|---|
| UNUSED | A key exists in .env.example but is not referenced in the scanned code. |
| MISSING | A required key is referenced in code but is not present in .env.example or fetched Supabase secrets. This is blocking by default. |
Advisory - does not fail CI
| TYPE | Meaning |
|---|---|
| OPTIONAL | A defaulted/guarded key is absent from config. This is advisory and does not fail CI. |
| EXTERNAL | A key appears to belong to another runtime/container, such as an embedded script executed over SSH. This is advisory and does not fail CI. |
| IGNORED | A missing key was explicitly ignored by project config or CLI flags. |
| ORPHANED | A Supabase secret exists but is not referenced in code or documented in .env.example. |
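The MISSING, OPTIONAL and UNUSED rules above, as an added Python example (not envguard's own code). It assumes a reference is either os.environ["KEY"] (required) or os.getenv("KEY", default) (defaulted); the regexes, audit(), template_keys() and the sample files are hypothetical and constructed for illustration.

```python
import re

# Assumed reference patterns; envguard's real detection rules are not shown on the page.
KEY = r'["\']([A-Z][A-Z0-9_]*)["\']'
REQUIRED = re.compile(r'os\.environ\[\s*' + KEY + r'\s*\]')                   # no fallback
DEFAULTED = re.compile(r'os\.(?:getenv|environ\.get)\(\s*' + KEY + r'\s*,')  # has default

def template_keys(text):
    """Keys declared in a dotenv template; comments and blank lines are skipped."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].removeprefix("export ").strip())
    return keys

def audit(sources, template_text, template_name=".env.example"):
    """sources maps path -> file text. Returns (findings, exit_code)."""
    declared = template_keys(template_text)
    required, defaulted = {}, {}
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in REQUIRED.finditer(line):
                required.setdefault(m.group(1), f"{path}:{lineno}")
            for m in DEFAULTED.finditer(line):
                defaulted.setdefault(m.group(1), f"{path}:{lineno}")
    findings = [("MISSING", k, src) for k, src in sorted(required.items())
                if k not in declared]
    findings += [("OPTIONAL", k, src) for k, src in sorted(defaulted.items())
                 if k not in declared and k not in required]
    findings += [("UNUSED", k, template_name)
                 for k in sorted(declared - set(required) - set(defaulted))]
    # Follows the page's grouping: MISSING and UNUSED fail CI, OPTIONAL is advisory.
    blocking = any(kind in ("MISSING", "UNUSED") for kind, _, _ in findings)
    return findings, (1 if blocking else 0)

# Constructed sample input, reusing key names from the demo output.
SOURCES = {
    "app/api.py": 'import os\nTOKEN = os.environ["NEW_SECRET"]\n',
    "config.py": 'import os\nTIMEOUT = os.getenv("LOCAL_TIMEOUT_MS", "500")\n'
                 'DB = os.environ["DATABASE_URL"]\n',
}
TEMPLATE = "# constructed template\nDATABASE_URL=\nLEGACY_FLAG=\n"

if __name__ == "__main__":
    findings, code = audit(SOURCES, TEMPLATE)
    for row in findings:
        print("%-9s %-18s %s" % row)
    raise SystemExit(code)
```

A key read with a default never blocks on its own, so a template that lacks only defaulted keys yields exit code 0.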
Local code. Remote secrets. Same report
Include Supabase Edge Function secrets in the audit. Referenced keys count if they exist in .env.example or Supabase.
$ export SUPABASE_ACCESS_TOKEN=…
$ envguard supabase your-project-ref
| TYPE | KEY | STATUS | SOURCE |
|---|---|---|---|
| ORPHANED | LEGACY_EDGE_SECRET | orphaned | Supabase |
| MISSING | SUPABASE_URL | missing | functions/index.ts:4 |
Summary: 1 missing, 1 orphaned
Demo output · envguard --details for tables
Tokens entered in the wizard stay in memory for that run and are not written to pyproject.toml.
A guided audit that still fits CI
On an interactive terminal, bare envguard opens the command builder. Use envguard --json or envguard ci in pipelines.
Wizard
envguard wizard
- Project path: .
- Dotenv template: config/example.env
- Compare Supabase? [Y/n]
Preview
$ envguard --path . --dotenv config/example.env \
  --exclude fixtures/**
CI
GitHub Actions Annotations
2 errors, 1 warning
- MISSING DATABASE_URL · .env.example:2
- MISSING SUPABASE_ANON_KEY · .env.example:3
- UNUSED LEGACY_FLAG
Prune unused keys from .env.example
envguard --fix interactively removes unused keys with per-key confirmation.
$ envguard --fix
Before
DATABASE_URL=
LEGACY_FLAG=
SUPABASE_URL=
After
DATABASE_URL=
SUPABASE_URL=
✓ Removed 1 unused key(s) from .env.example
Ship with the env you meant
Requires Python 3.9+. The installer uses pipx; once it finishes, run envguard to start the guided audit.
Install for macOS / Linux
curl -fsSL https://raw.githubusercontent.com/Tresnanda/envguard/main/install.sh | bash