Protect your repository from accidental secret leaks.
- 🛡️ Pre-commit hook to block leaked secrets
- 🔍 Detects AWS, Stripe, JWT, Mongo, Postgres, API keys
- 📊 Repo scanner CLI
- 🧹 Console.log secret scrubber
- ⚡ Runs 100% offline
- 🤖 Auto-prompt to add .env to .gitignore
Install locally in your project to enable pre-commit hooks:
npm install env-safe-gaurdThe postinstall script automatically sets up git hooks to protect your commits.
Install globally to use env-scan command anywhere:
npm install -g env-safe-gaurdWith local install:
npx env-scanWith global install:
env-scanIf .env files with secrets are detected and not in .gitignore, you'll be prompted to add them automatically.
The pre-commit hook runs automatically when you commit. It will block commits containing secrets:
git commit -m "your message"
# envguard will scan staged files and block if secrets are foundrequire('env-safe-gaurd');
// Console logs with secrets will be automatically scrubbed
console.log('API Key:', 'sk_live_1234567890abcdef');
// Output: API Key: sk_live_***[REDACTED]***const { scanRepo } = require('env-safe-gaurd');
const results = scanRepo();- AWS Access Keys (AKIA...)
- AWS Secret Keys
- Stripe Live/Test Keys
- JWT Tokens
- MongoDB URIs
- PostgreSQL URIs
- Private Keys (PEM format)
- Generic API Keys (16+ alphanumeric characters)
The tool works out of the box with sensible defaults. Customize detection patterns in src/detectors/regexList.js if needed.
- Pre-commit Hook: Scans staged files before commit
- Repository Scanner: Scans all files matching
**/*.{js,ts,json,env}and.env*files - Secret Scrubber: Intercepts console.log calls and redacts detected secrets
- Smart Filtering: Excludes
node_modules,package-lock.json, and detector files
# Install in your project
npm install env-safe-gaurd
# Scan for secrets
npx env-scan
# Try to commit (hook will protect you)
git commit -m "test"MIT