EnvShield scans your .env file for exposed secrets, leaked credentials, and critical misconfigurations — then generates a safe .env.example automatically. Takes 10 seconds. Your file never leaves your browser.
Your file is processed entirely in your browser tab. Open DevTools Network tab to verify zero outbound requests during the scan.
Drop your .env file here
or click to browse your files
Verify yourself: Open DevTools (F12) Network tab, then drop a file. Zero outbound requests.
You already know you should not commit secrets. You have .env in your .gitignore. You are careful.
But how careful, exactly?
Last year, over 12.7 million secrets were found exposed in public GitHub repositories. AWS keys. Database passwords. Stripe live keys. Twilio auth tokens. Most of them were not committed on purpose. They were committed because:
EnvShield gives you a second pair of eyes — one that never forgets a pattern, never gets tired, and operates entirely inside your browser so your secrets stay yours.
Drag your .env file into the browser. No install. No account. No API key for the API key checker (we see the irony). The file is read by your browser's File API and never transmitted anywhere.
EnvShield runs your file through 50+ detection patterns covering AWS, GCP, Azure, Stripe, Twilio, SendGrid, GitHub tokens, database connection strings, private keys, JWT secrets, and more. Shannon entropy analysis catches high-entropy strings that do not match any named pattern.
Your report shows a risk score from 0-100, a prioritized list of findings with severity ratings and remediation steps, and a generated .env.example with all real values safely replaced by format-aware descriptors.
Most security tools process your data on their servers. They have to — that is where their code runs. We took a different approach. EnvShield's scanner is pure JavaScript that runs inside your browser tab. Your .env file is read by the browser's File API, processed in memory, and the results are rendered locally.
You can verify this yourself right now:
You will see zero outbound requests during the scan. Not one.
Team vault features use the browser's native WebCrypto API (AES-256-GCM) for encryption. Not a third-party library. Not our servers. Your browser's own cryptography primitives.
The pattern detection engine is open source and published on GitHub. Security researchers, developers, and anyone curious can read every line of code that runs on your files.
View Source on GitHub →
Even our paid team features never expose plaintext secrets to our servers. Templates are encrypted client-side before any data leaves your browser. We store only ciphertext.
AWS Access Keys, GCP service account keys, Azure credentials, Stripe live and test keys, Twilio auth tokens, SendGrid API keys, GitHub personal access tokens (all formats), database connection strings, JWT secrets, RSA and EC private keys, PGP blocks, SSH private keys, generic high-entropy strings.
Every scan produces a composite risk score based on finding severity, count, and contextual modifiers. A single Critical finding floors the score at 66 (High Risk) minimum. The score is designed to be conservative.
Format-aware replacements. A detected Stripe key becomes sk_live_your_stripe_secret_key. A database URL becomes postgresql://username:password@host:5432/database_name. Comments preserved. One-click download.
After every scan, see exactly which pattern categories were checked. Know what was looked for, not just what was found. New patterns added over time are automatically covered on your next scan.
Every finding includes a plain-English explanation of the risk, a link to rotate the specific credential type, and a recommendation for where to store it going forward.
We built the tool so you can prove to yourself it is safe. Open DevTools. Watch the network tab. The proof is there before you decide to trust us.
Upload your production and staging .env files side by side. See which variables exist in one environment but not the other. No values leave your browser — only key names are analyzed.
Define a schema for your project: which variables are required, what type each one should be (string, number, boolean, URL, email, UUID), and what format is expected.
Connect EnvShield to your repositories. Every PR that introduces a new secret pattern gets a failing check. Findings never include actual secret values — only pattern matches and line references.
Upload an approved .env template for your team. All values are stripped client-side. Key names and structure are encrypted with AES-256-GCM before upload. No more "what value goes here?" Slack messages.
Every template upload creates a new version. View who uploaded which version and when. Roll back to any previous version. Up to 10 versions retained per template.
Every template access, download, and modification is logged with a timestamp and user ID. Exportable as CSV. Designed for teams working toward SOC 2 compliance.
We have all done it. A new engineer joins. They need the staging database URL. You paste it into Slack. It lives there forever in message history, in the new hire's downloaded chat logs, in whatever Slack security incident they have next year.
EnvShield's team vault changes the workflow:
The core audit tool is free forever. No trial period. No credit card required. Unlimited scans. The paid plan adds team collaboration and automation features.
For individual developers
$99/year (save 31%)
For individual developers who want automation
$249/year (save 31%)
For teams of up to 10 developers
All prices in USD. Annual billing saves 31% on Pro and 28% on Team. Cancel anytime. No-questions-asked refund within 30 days of payment.
Yes. The scanning engine is client-side JavaScript that runs entirely in your browser tab. When you drop a file, your browser's File API reads it into memory. The pattern matching, entropy analysis, and risk scoring all happen inside your browser process. The only way to verify this is to open your browser's DevTools (F12 in Chrome), go to the Network tab, then drop your file. You will see zero outbound requests. We built it this way specifically so you can prove it to yourself.
For team features, only encrypted ciphertext is sent to our servers. When you upload a team template, all values are stripped client-side first. Then the key names and metadata are encrypted with AES-256-GCM using a team encryption key that only exists in your browser. Our servers receive and store a blob of ciphertext. We do not have the decryption key. Even if our database were breached, an attacker would get encrypted blobs with no way to decrypt them.
Each variable is processed through a set of rules. If EnvShield detects a known secret type (like a Stripe key or AWS access key), it replaces the value with a format-aware descriptor that tells future developers what format the real value should be. Boolean and numeric values are replaced with type-preserving defaults. Comments from your original file are preserved verbatim.
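As an added example (not EnvShield's generator), this is one way to implement the rules described here and in the ".env.example Generation" feature above: format-aware descriptors for recognised value shapes, type-preserving defaults for booleans and numbers, and comments, blank lines, `export` prefixes and quoting carried through verbatim. The Stripe and PostgreSQL descriptors are the two the page shows; the AWS descriptor, the `false`/`0` defaults and the `your_<key>` fallback are assumptions made for this example, as is the sample file.

```javascript
// Added example, not EnvShield's code: rewrite a .env as a .env.example.
// Only the Stripe and PostgreSQL placeholders come from the page; the rest are assumptions.
const DESCRIPTORS = [
  { re: /^sk_live_/, placeholder: 'sk_live_your_stripe_secret_key' },
  { re: /^postgres(ql)?:\/\//, placeholder: 'postgresql://username:password@host:5432/database_name' },
  { re: /^AKIA[0-9A-Z]{16}$/, placeholder: 'AKIA_YOUR_AWS_ACCESS_KEY_ID' }, // assumption
];

// Pick a placeholder that tells the next developer what shape the real value has.
function describeValue(key, value) {
  if (/^(true|false)$/i.test(value)) return 'false';   // boolean keeps its type (assumption)
  if (/^-?\d+(\.\d+)?$/.test(value)) return '0';       // number keeps its type (assumption)
  const d = DESCRIPTORS.find((x) => x.re.test(value));
  return d ? d.placeholder : `your_${key.toLowerCase()}`; // generic fallback (assumption)
}

// Line-oriented so comments, blank lines, `export` prefixes, quoting style and
// trailing inline comments survive verbatim; only the value itself changes.
function generateEnvExample(text) {
  return text.split(/\r?\n/).map((raw) => {
    const trimmed = raw.trim();
    if (!trimmed || trimmed.startsWith('#')) return raw;  // blank or full-line comment
    const eq = raw.indexOf('=');
    if (eq < 1) return raw;                                 // not a KEY=value line
    const lhs = raw.slice(0, eq);                           // may include "export "
    const key = lhs.replace(/^\s*export\s+/, '').trim();
    const rhs = raw.slice(eq + 1);
    const quoted = rhs.match(/^(\s*)(["'])([\s\S]*?)\2(.*)$/);
    if (quoted) {
      const [, lead, q, value, rest] = quoted;
      return `${lhs}=${lead}${q}${describeValue(key, value)}${q}${rest}`;
    }
    const [, lead, value, comment = ''] = rhs.match(/^(\s*)(.*?)(\s+#.*)?$/);
    return `${lhs}=${lead}${describeValue(key, value.trim())}${comment}`;
  }).join('\n');
}

// Constructed sample; every value is fake.
const SAMPLE_ENV = [
  '# Payments',
  'STRIPE_SECRET_KEY=sk_live_EXAMPLEEXAMPLEEXAMPLEEXAMPLE',
  '',
  '# Storage',
  'DATABASE_URL="postgresql://app:examplepass@db.internal:5432/app"',
  'export API_TOKEN=not-a-real-token-value # rotate quarterly',
  'FEATURE_FLAGS_ENABLED=true',
  'PORT=8080',
].join('\n');

console.log(generateEnvExample(SAMPLE_ENV));
```

Working line by line rather than re-serialising a parsed map is what keeps the output diff-friendly: a reviewer comparing `.env.example` against the real file sees only the values change.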
False positives happen. High-entropy strings and certain variable naming patterns can trigger findings on values that are not credentials. Each finding has a 'Not a secret' feedback button that you can use to dismiss it from your report.
Yes. The core scanner module (envshield-scanner) is published on GitHub under the MIT license. You can read every regex pattern, every entropy calculation, and every scoring weight. Security researchers are encouraged to audit it, contribute new patterns, and report false positives or false negatives via GitHub Issues.
Standard .env format (KEY=value), quoted values (both single and double quotes), multi-line values (using escaped newlines), inline comments, export prefix, and full-line comments. It handles the quirks of the most common parsers including dotenv (Node.js), python-dotenv, godotenv, and phpdotenv.
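The following added example (not EnvShield's scanner) ties this answer to the detection engine described earlier on the page: a parser for the .env quirks listed here (export prefix, single and double quotes, escaped newlines, inline and full-line comments) feeding a scanner that tries named patterns first and falls back to a Shannon-entropy check, then a composite risk score that floors at 66 whenever a Critical finding is present. The regexes use the publicly documented prefixes of each credential type (`AKIA`, `sk_live_`, `ghp_`, PEM private-key headers, URL userinfo); the entropy threshold and minimum length, the severities and the score weights are assumptions, and the sample file is constructed with fake values.

```javascript
// Added example, not EnvShield's code: .env parsing quirks, named-pattern and
// entropy detection, and a risk score with the page's "Critical floors at 66" rule.
// Severities, thresholds and weights are assumptions for this example.
const NAMED_PATTERNS = [
  { id: 'aws-access-key-id', severity: 'critical', re: /^AKIA[0-9A-Z]{16}$/ },
  { id: 'stripe-live-secret-key', severity: 'critical', re: /^sk_live_[0-9a-zA-Z]{24,}$/ },
  { id: 'github-pat', severity: 'high', re: /^ghp_[A-Za-z0-9]{36}$/ },
  { id: 'private-key-block', severity: 'critical', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { id: 'db-url-with-password', severity: 'high', re: /^[a-z][a-z0-9+]*:\/\/[^:\/\s]+:[^@\/\s]+@/i },
];
const ENTROPY_MIN_LENGTH = 20; // assumption: shorter values are not entropy-checked
const ENTROPY_THRESHOLD = 4.0; // assumption: bits per character

// Returns [{ key, value, line }] with quoting and comments resolved.
function parseEnv(text) {
  const vars = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim().replace(/^export\s+/, '');
    if (!line || line.startsWith('#')) return;      // blank or full-line comment
    const eq = line.indexOf('=');
    if (eq < 1) return;                              // no key
    const key = line.slice(0, eq).trim();
    const rhs = line.slice(eq + 1).trim();
    const dq = rhs.match(/^"((?:[^"\\]|\\.)*)"/);   // double quotes: escapes expanded
    const sq = rhs.match(/^'([^']*)'/);             // single quotes: taken literally
    let value;
    if (dq) value = dq[1].replace(/\\n/g, '\n').replace(/\\"/g, '"');
    else if (sq) value = sq[1];
    else value = rhs.replace(/\s+#.*$/, '');         // unquoted: drop inline comment
    vars.push({ key, value, line: idx + 1 });
  });
  return vars;
}

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Findings carry the key and line, never the value itself.
function scanEnv(text) {
  const findings = [];
  for (const { key, value, line } of parseEnv(text)) {
    const hit = NAMED_PATTERNS.find((p) => p.re.test(value));
    if (hit) {
      findings.push({ key, line, rule: hit.id, severity: hit.severity });
    } else if (value.length >= ENTROPY_MIN_LENGTH) {
      const h = shannonEntropy(value);
      if (h >= ENTROPY_THRESHOLD) {
        findings.push({ key, line, rule: 'high-entropy-string', severity: 'medium', entropy: Number(h.toFixed(2)) });
      }
    }
  }
  return findings;
}

// Weighted sum capped at 100; any Critical finding floors the score at 66.
const WEIGHTS = { critical: 40, high: 20, medium: 10, low: 5 }; // assumption
function riskScore(findings) {
  const score = Math.min(100, findings.reduce((sum, f) => sum + (WEIGHTS[f.severity] || 0), 0));
  return findings.some((f) => f.severity === 'critical') ? Math.max(66, score) : score;
}

// Constructed sample; every value is fake.
const SAMPLE_ENV = [
  '# constructed sample file',
  'export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12',
  "STRIPE_SECRET_KEY='sk_live_EXAMPLEEXAMPLEEXAMPLEEXAMPLE'",
  'DATABASE_URL=postgresql://app:examplepass@db.internal:5432/app # primary',
  'SESSION_SECRET="a1B2c3D4e5F6g7H8i9J0kLmN"',
  'PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\\nMIIExampleNotARealKey\\n-----END RSA PRIVATE KEY-----"',
  'APP_NAME=my-application-service',
  'DEBUG=true',
  'PORT=5432',
].join('\n');

const sampleFindings = scanEnv(SAMPLE_ENV);
console.log(JSON.stringify(sampleFindings, null, 2));
console.log('risk score:', riskScore(sampleFindings));
```

Two details are worth noticing when running it: `APP_NAME=my-application-service` is long enough for the entropy check but scores about 3.8 bits per character and is left alone, which is the kind of value that becomes a false positive if the threshold is set too low, and the private key is only caught because the parser expands the `\n` escapes before matching, so a scanner that runs regexes over raw lines would miss it.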
Yes, with the Pro plan. A CLI tool (npx envshield audit) lets you run the same scan from any terminal or CI environment. It exits with code 1 if Critical findings are detected and code 0 if the scan is clean, making it simple to gate deployments.
EnvShield is a web application, so you need an initial internet connection to load the page. However, since all processing is client-side, once the page is loaded, you could technically disconnect from the internet and the scanning would still work. The open-source scanner module can also be installed via npm and run locally: npm install envshield-scanner.
Drop your .env file. Find out what is actually in there. Free, forever, for individual developers.
Scan Your .env File Now
No account. No install. No data uploaded. Open in your browser right now.