EnvScan is a priority security tool designed to identify and rotate environment variables that would have been readable in Vercel projects following the April 2026 breach. It performs 100% client-side analysis to ensure your tokens remain on your machine.
The April 2026 Vercel incident exposed environment variables that were readable through the Vercel API at the time of compromise. EnvScan treats non-sensitive variables as exposed by default and flags sensitive variables as encrypted-at-rest unless your incident response determines otherwise.
EnvScan automates the discovery of these secrets across your entire Vercel account and provides context-aware rotation runbooks to help you secure your production infrastructure in minutes.
- Deep Scanning: Identifies 30+ secret patterns (AWS, Stripe, GitHub, OpenAI, Supabase, etc.).
- Actionable Runbooks: Provides step-by-step checklists and console deep-links for rotation.
- Privacy First: 100% Client-Side. Your Vercel token and environment variables never leave your browser/CLI.
- Dual Mode: Choose between a high-fidelity Web Dashboard or a developer-friendly CLI.
- Reporting: Export findings to GitHub-flavored Markdown checklists or raw JSON.
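The exposure rule and pattern matching described above can be sketched as follows. This is an added example, not EnvScan's own code: the function names, status labels, the three regexes (widely published token formats) and the `{ key, value, type }` record shape are assumptions, and the sample records are constructed.

```javascript
// Added illustration, not EnvScan's code. Regexes follow public token formats.
const PATTERNS = [
  { provider: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { provider: "Stripe live secret key", re: /\bsk_live_[0-9a-zA-Z]{24,}\b/ },
  { provider: "GitHub personal access token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
];

// env: { key, value?, type } is an assumed record shape. A "sensitive"
// variable has no readable value, so env.value may be undefined.
function classify(env, { sensitiveExposed = false } = {}) {
  const hit = PATTERNS.find((p) => p.re.test(env.value ?? ""));
  const provider = hit ? hit.provider : null;
  if (env.type === "sensitive" && !sensitiveExposed) {
    return { key: env.key, provider, status: "encrypted-at-rest" };
  }
  // Non-sensitive variables are exposed by default, pattern match or not;
  // a match only raises the priority and names the provider to rotate with.
  return { key: env.key, provider, status: provider ? "rotate-now" : "exposed-review" };
}

// Classify every record and put the most urgent findings first.
function scan(envs, opts) {
  const order = { "rotate-now": 0, "exposed-review": 1, "encrypted-at-rest": 2 };
  return envs.map((e) => classify(e, opts)).sort((a, b) => order[a.status] - order[b.status]);
}

// Render findings as a GitHub-flavored Markdown task list (values are never printed).
function toChecklist(findings) {
  return findings
    .map((f) => {
      const what = f.provider ? ` (${f.provider})` : "";
      return `- [ ] \`${f.key}\`${what}: ${f.status}`;
    })
    .join("\n");
}

// Constructed sample records; none of these values is a live credential.
const SAMPLE = [
  { key: "NEXT_PUBLIC_SITE_URL", value: "https://example.com", type: "plain" },
  { key: "DB_PASSWORD", type: "sensitive" },
  { key: "AWS_ACCESS_KEY_ID", value: "AKIAIOSFODNN7EXAMPLE", type: "encrypted" },
  { key: "STRIPE_KEY", value: "sk_live_" + "x".repeat(24), type: "plain" },
];

console.log(toChecklist(scan(SAMPLE)));
```

Passing `{ sensitiveExposed: true }` to `scan` models the case where incident response concludes that sensitive variables must also be treated as exposed.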
The fastest way to scan your account and generate a remediation checklist.
- Vercel Access Token: Create a read-only token.
- Node.js: Version 22+.
From the root of this repository:
```bash
# Install dependencies
pnpm install
# Run the scan and save a checklist
npm run envscan -- --token <YOUR_TOKEN> --out ROTATION_CHECKLIST.md
```

- `--token`: Your Vercel access token (or interactive prompt).
- `--team`: (Optional) Filter by Vercel Team ID.
- `--out`: Path to save the Markdown rotation report.
- `--json`: Output as raw JSON risk data.
A premium, glassmorphism-inspired interface for interactive risk analysis.
```bash
cd packages/web
npm run dev
```

Open http://localhost:5173 to start the visual audit.
- `packages/scanner-core`: The regex engine and risk classifier.
- `packages/adapter-vercel`: Vercel REST API integration layer.
- `packages/cli`: Terminal interface and Markdown generator.
- `packages/web`: React + Tailwind + Framer Motion dashboard.
EnvScan is open-source software licensed under the MIT License.