Secret Detection

What it detects

Values in .env.example that look like real secrets rather than placeholders. Since .env.example is typically committed to version control, real secrets there are a security risk.

Detection patterns

Flagged as suspicious

  • Values starting with known secret prefixes: sk_, pk_, tok_, key_, ghp_, gho_, github_pat_, xoxb-, xoxp-, AKIA (AWS), whsec_
  • Base64-like strings of 20+ characters (long alphanumeric strings)
  • Strings longer than 12 characters with mixed case, digits, and special characters

Not flagged (safe values)

  • Common placeholders: your-key-here, changeme, TODO, CHANGE_ME, placeholder, secret, password, example, test, dummy, fake, xxx, null, empty
  • Empty values
  • Boolean-like values: true, false, 1, 0
  • Localhost URLs, 127.0.0.1, example.com domains
  • Short strings (8 characters or fewer)
  • Slug-like identifiers with 3+ hyphen-separated parts (e.g. claude-sonnet-4-20250514, us-east-1a)
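The rules above, implemented as an added reference checker (example code written for this page, not envaudit's own source). The order in which the rules are applied, and the exact regexes, are my assumptions; the value lists come from this page.

```python
import re

# Assumption: these lists mirror the rules described on this page; they are
# not envaudit's own source code.
SECRET_PREFIXES = ("sk_", "pk_", "tok_", "key_", "ghp_", "gho_",
                   "github_pat_", "xoxb-", "xoxp-", "AKIA", "whsec_")
PLACEHOLDERS = {"your-key-here", "changeme", "todo", "change_me", "placeholder",
                "secret", "password", "example", "test", "dummy", "fake", "xxx",
                "null", "empty", "true", "false", "1", "0"}   # incl. boolean-like
LOCAL_HOSTS = ("localhost", "127.0.0.1", "example.com")
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/=]{20,}$")
SLUG_LIKE = re.compile(r"^[A-Za-z0-9]+(-[A-Za-z0-9]+){2,}$")   # 3+ hyphen parts

def looks_like_secret(value: str) -> bool:
    """Apply the page's heuristics to one value; True means 'flag it'."""
    v = value.strip().strip("\"'")                      # tolerate quoted values
    low = v.lower()
    # Safe rules first: empty, placeholders/booleans, local or example hosts.
    if not v or low in PLACEHOLDERS or any(h in low for h in LOCAL_HOSTS):
        return False
    # A known vendor prefix is flagged before the length/slug rules (assumed order).
    if v.startswith(SECRET_PREFIXES):
        return True
    if len(v) <= 8 or SLUG_LIKE.match(v):
        return False
    if BASE64_LIKE.match(v):
        return True
    mixed = (any(c.islower() for c in v) and any(c.isupper() for c in v)
             and any(c.isdigit() for c in v) and any(not c.isalnum() for c in v))
    return len(v) > 12 and mixed

def scan_env_example(text: str) -> list:
    """Return the names of variables whose values look like real secrets."""
    flagged = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue   # skip blanks, comments and malformed lines
        name, _, value = line.partition("=")
        if looks_like_secret(value):
            flagged.append(name.removeprefix("export ").strip())
    return flagged

# Constructed sample (not real credentials); scan_env_example(SAMPLE)
# reproduces the kind of report shown on this page.
SAMPLE = """API_KEY=your-key-here
DB_HOST=localhost
MODEL=claude-sonnet-4-20250514
STRIPE_KEY=sk_live_abc123def456ghi789
AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE1
"""
```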

Example

Given .env.example:

# Safe — these are fine
API_KEY=your-key-here
DB_HOST=localhost
DEBUG=true
# Dangerous — these look like real secrets
STRIPE_KEY=sk_live_abc123def456ghi789
GITHUB_TOKEN=ghp_1234567890abcdefghij
AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE1

envaudit reports:

Possible secrets in example file
✗ STRIPE_KEY has a value that looks like a real secret
✗ GITHUB_TOKEN has a value that looks like a real secret
✗ AWS_ACCESS_KEY has a value that looks like a real secret

Fix

Replace real secrets in .env.example with descriptive placeholders:

# Before
STRIPE_KEY=sk_live_abc123def456ghi789
# After
STRIPE_KEY=your-stripe-secret-key

If the secret was ever committed to version control, rotate it immediately — removing it from the file doesn’t remove it from Git history.