This repository was archived by the owner on Feb 14, 2026. It is now read-only.

kriskimmerle/envguard


envguard

Dead-simple secret leak scanner for git repos. Zero config. One command.

39 million secrets were leaked on GitHub in 2024. Most developers don't run any scanner because existing tools are heavy and config-intensive. envguard fixes that.

Install

pip install envguard

Or just copy the single file — it has zero dependencies.

Usage

Scan a directory

envguard scan .

Scan specific files

envguard scan config.py .env deploy.sh

Scan only git-staged files

envguard scan --staged

Install as pre-commit hook (one command)

envguard init

Now secrets are caught automatically before every commit.

Remove the hook

envguard uninstall

JSON output (for CI)

envguard scan --json .

What It Catches

High severity (blocks commits)

Pattern               Example
AWS Access Keys       AKIA...
AWS Secret Keys       aws_secret_access_key = ...
GitHub Tokens         ghp_..., gho_..., ghs_...
Slack Tokens          xoxb-...
Slack Webhooks        https://hooks.slack.com/...
Stripe Secret Keys    sk_live_...
Google API Keys       AIza...
Private Keys          -----BEGIN RSA PRIVATE KEY-----
Database URLs         postgres://user:pass@host
Dangerous files       .env, id_rsa, .pem, etc.

Medium severity (warns, doesn't block)

Pattern               Example
Generic API keys      api_key = "abc123..."
Generic tokens        token = "xyz..."
Generic passwords     password = "..."
JWT tokens            eyJ...
Hex secrets           secret = "a1b2c3..."

Example Output

============================================================
🔒 ENVGUARD — Secret Scan Results
============================================================

🚨 HIGH  AWS Access Key
   config.py:12
   AWS_ACCESS_KEY_ID = "AKIA..."

🚨 HIGH  Database URL
   settings.py:45
   DATABASE_URL = "postgres://admin:pass@..."

⚠️ MEDIUM  Generic API Key
   utils.py:8
   api_key = "a1b2c3d4e5..."

------------------------------------------------------------
🚨 2 high  |  ⚠️  1 medium  |  Total: 3

❌ Commit blocked. Remove secrets before committing.

Smart Defaults

  • Skips binaries (images, fonts, archives, PDFs)
  • Skips large files (>1 MB)
  • Skips comments (lines starting with #, //, /*), so a secret on a commented-out line is not reported
  • Skips noise dirs (.git, node_modules, __pycache__, venv)
  • One finding per line (no spam)

How the Hook Works

envguard init writes a tiny pre-commit hook into .git/hooks/. On every git commit:

  1. Scans only staged files (--staged)
  2. If any high-severity secrets are found → commit is blocked (exit 1)
  3. Medium findings are shown as warnings but don't block

That's it. No YAML config. No framework. No token needed.
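
The hook flow described above, as an added example that is not envguard's own code: the regexes are simplified assumptions rather than the project's rule set, and scan_text, exit_code and staged_blobs are hypothetical names. It reads each staged file from the index, skips comment lines, reports one finding per line, and blocks only on high severity.

```python
import re
import subprocess
import sys

# Assumed, simplified regexes for illustration; not envguard's real rule set.
RULES = [  # HIGH rules come first: only the first match on a line is reported
    ("HIGH", "AWS Access Key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("HIGH", "Private Key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("HIGH", "Database URL", re.compile(r"\b(?:postgres|mysql)://[^\s:/@]+:[^\s@]+@")),
    ("MEDIUM", "Generic Password", re.compile(r"(?i)password\s*[=:]\s*[\"'][^\"']+[\"']")),
]
COMMENT_PREFIXES = ("#", "//", "/*")

def scan_text(path, text):
    """Return (severity, rule, path, line_no) tuples, at most one per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(COMMENT_PREFIXES):
            continue  # comment lines are skipped, so secrets there go unreported
        for severity, rule, rx in RULES:
            if rx.search(line):
                findings.append((severity, rule, path, line_no))
                break
    return findings

def exit_code(findings):
    """Return 1 (block the commit) only when a HIGH finding exists."""
    return 1 if any(f[0] == "HIGH" for f in findings) else 0

def staged_blobs():
    """Yield (path, text) for added/copied/modified files as stored in the index."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.splitlines()
    for name in names:
        blob = subprocess.run(["git", "show", ":" + name], capture_output=True)
        yield name, blob.stdout.decode("utf-8", errors="replace")

# Constructed sample input (AKIAIOSFODNN7EXAMPLE is AWS's documentation key).
SAMPLE = '''AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
# DATABASE_URL = "postgres://admin:pass@db.example.internal/app"
password = "hunter2"
db = "postgres://admin:pw@db.example.internal/app"; password = "pw"
'''

if __name__ == "__main__":
    found = [f for path, text in staged_blobs() for f in scan_text(path, text)]
    for severity, rule, path, line_no in found:
        print(f"{severity:6} {rule}  {path}:{line_no}")
    sys.exit(exit_code(found))
```

Git skips pre-commit hooks when a commit is made with --no-verify, so the same scan belongs in CI as well.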

Requirements

  • Python 3.6+
  • Zero dependencies

Compared To

Tool              Config needed        Language     Zero-dep
envguard          None                 Python
gitleaks          TOML                 Go binary
trufflehog        Flags                Go binary
detect-secrets    .secrets.baseline    Python
git-secrets       Shell setup          Bash

envguard trades flexibility for simplicity. If you need custom regex or enterprise features, use gitleaks. If you want something that works in 10 seconds, use envguard.

License

MIT
