Environment Security Analyzer
Detect secrets, passwords, API keys, and credentials in .env files with automatic masking and security scoring
Enter your .env file contents to scan for exposed secrets. The tool warns once input exceeds 500KB and rejects input larger than 5MB.
What is the Environment Security Analyzer?
The Environment Security Analyzer scans .env file contents for exposed
secrets, credentials, and sensitive data. It detects AWS access keys, GitHub tokens,
JWT tokens, private keys, database connection strings, passwords, and API keys — then
masks values automatically and calculates a security score to help you assess risk.
How to Use
- Paste your .env file contents into the input field
- Click "Analyze" or wait for automatic processing
- Review detected secrets with severity ratings and masked values
- Use "Show Values" to temporarily reveal original secret values; avoid doing this while screen sharing or recording
- Follow recommendations to migrate secrets to a proper secrets manager
Example: Insecure .env File
This environment file contains several exposed secrets:
DB_HOST=localhost
DB_USER=admin
DB_PASSWORD=SuperSecret123!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_ABCDEFGhijklmnopqrstuvwxyz1234567890
REDIS_URL=redis://default:mypassword@redis.example.com:6379
What Secrets Are Detected?
- AWS Access Keys — Keys starting with AKIA followed by 16 alphanumeric characters
- AWS Secret Keys — 40-character base64-like strings assigned to known AWS secret key variable names (such as AWS_SECRET_ACCESS_KEY)
- GitHub Tokens — Personal access tokens (ghp_, gho_, ghs_, ghr_ prefixes)
- JWT Tokens — Base64url-encoded tokens with header.payload.signature format
- Private Keys — RSA, EC, DSA, and OpenSSH private key blocks
- Database DSNs — MySQL, PostgreSQL, Redis, MongoDB, and AMQP connection strings with credentials
- URLs with Credentials — HTTP/HTTPS URLs containing user:password@host patterns
- Passwords and API Keys — Variables whose key names contain PASSWORD, SECRET, API_KEY, or TOKEN, regardless of the value's format
Security Scoring
Each analysis receives a score from 0 to 100 based on detected secrets. Severity weights: Critical (25 points deducted per finding), High (15 points), Medium (8 points), Low (3 points). The score maps to a letter grade: A (90+), B (75+), C (60+), D (40+), F (below 40).
Best Practices for .env Files
- Always add .env to .gitignore to prevent committing secrets
- Use an .env.example file with placeholder values as documentation
- Migrate secrets to a dedicated secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler)
- Use environment-specific secrets (dev, staging, prod) with different credentials
- Rotate credentials immediately if they have ever been committed to version control; rewriting history does not undo the exposure, so treat the old values as compromised
- Use IAM roles instead of access keys where possible
- Prefer fine-grained tokens with minimal permissions over broad access
Privacy and Security
All analysis happens entirely in your browser using JavaScript. Your environment file contents — which typically contain production credentials and API keys — are never transmitted to any server. No data is stored, logged, or shared. Detected values are masked by default to prevent accidental exposure on screen.
Frequently Asked Questions
What types of secrets does the Environment Security Analyzer detect?
The analyzer detects AWS access keys (AKIA...), GitHub tokens (ghp_, gho_, ghs_, ghr_), JWT tokens (eyJ...), private keys (-----BEGIN PRIVATE KEY-----), database connection strings (mysql://, postgres://, redis://, mongodb://, amqp://), URLs with embedded credentials (user:pass@host), and variables with password-like key names (PASSWORD, SECRET, API_KEY, etc.).
How are detected secrets masked?
Detected values are masked by default, showing only the first 4 characters followed by ****. For example, 'AKIAabcdef123456789' becomes 'AKIA****'. Values of 4 characters or fewer are fully masked as '****'. You can toggle visibility in the UI to reveal the original values if needed.
Is my .env file sent to a server for analysis?
No. All analysis happens entirely in your browser using JavaScript. Your environment file contents never leave your device and are not stored, logged, or transmitted to any server. This is especially important since .env files often contain production credentials and API keys.
How is the security score calculated?
The score starts at 100 and deducts points based on finding severity: Critical secrets (AWS keys, private keys, GitHub tokens) deduct 25 points each, High severity (passwords, database DSNs) deduct 15 points, Medium (generic tokens) deduct 8 points, and Low deduct 3 points. The final score is clamped between 0 and 100.
What .env file format is supported?
The tool parses standard .env format: KEY=VALUE pairs (one per line), comments starting with #, empty lines, and values with single or double quotes. It handles files from dotenv, docker-compose, and similar tools.
Why is my AWS key detected even without a password key name?
AWS access keys have a distinctive pattern (starting with 'AKIA' followed by 16 uppercase alphanumeric characters) that the analyzer recognizes regardless of the variable name. This pattern-based detection catches secrets even when using non-standard key names.
What should I do if secrets are detected?
First, rotate any detected credential that has already been committed to version control or shared, and treat the old value as compromised. Add the .env file to .gitignore if it is not already. Then migrate secrets to a dedicated secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler, or your CI/CD platform secrets). Create an .env.example file with placeholder values as documentation for your team.
What is the maximum input size?
The tool warns when input exceeds 500KB and rejects input larger than 5MB. Most .env files are well under 10KB. If you encounter the size limit, consider splitting the analysis or checking only the relevant portions.
Does it detect secrets in comments?
No, commented lines (starting with #) are skipped during analysis. Only active KEY=VALUE pairs are scanned for secrets. However, it is still a best practice to avoid putting real secrets in comments.