.env Security Scanner

All scanning runs locally in your browser. No data is sent to any server. Values are masked in the report output.

Detects 47+ API key patterns, insecure defaults, and high-entropy secrets

What This Tool Does

.env Security Scanner is built for deterministic developer and agent workflows.

Detects exposed API keys, high-entropy secrets, and insecure defaults in your .env files. Recognizes 40+ key formats. All analysis runs in your browser; nothing is uploaded.

Use How to Use for execution steps and FAQ for constraints, policies, and edge cases.

This tool is provided as-is for convenience. Output should be verified before use in any production or critical context.

Agent Invocation

Best Path For Builders

Browser workflow

This tool is optimized for instant in-browser execution with private local data handling. Run it here and copy or export the output directly.

/env-security-scanner/

For automation planning, fetch the canonical contract at /api/tool/env-security-scanner.json.

How to Use .env Security Scanner

  1. Paste your .env contents

     Copy your .env file contents and paste them into the scanner. The tool parses the standard KEY=VALUE format, including quoted values and comment lines.

  2. Review per-variable findings

     Each variable is analyzed individually. Values that match a known API key format show the provider name and a severity. Values with high Shannon entropy are flagged as potential secrets even when no provider prefix matches. Insecure defaults (placeholder passwords, DEBUG=true, empty security-critical variables) are highlighted.

  3. Check the risk score

     The overall risk score (0-100) summarizes the security posture of the file. Critical findings, such as live production API keys, raise the score the most.

  4. Copy the report

     Click Copy Report to get a markdown summary of all findings with recommendations. Values are masked in the report, so it can be shared with your team or attached to a security review without re-exposing the secrets.

Frequently Asked Questions

What is .env Security Scanner?
.env Security Scanner detects exposed API keys, high-entropy secrets, and insecure defaults in environment files. It recognizes 40+ key formats from OpenAI, AWS, Stripe, GitHub, GitLab, and many more providers.
How does it detect API keys?
The tool uses provider-specific regex patterns (e.g., OpenAI keys start with sk-, AWS long-term access key IDs start with AKIA) together with Shannon entropy analysis, which flags high-entropy values that look like secrets even when they carry no recognizable prefix. Entropy is a heuristic: long hex or base64 strings that are not secrets (hashes, IDs) can be flagged, so review those findings rather than treating them as confirmed leaks.
Is .env Security Scanner free?
Yes. Completely free with no account or sign-up required.
Does it send my secrets to a server?
Absolutely not. All scanning happens entirely in your browser. Your .env contents — which contain your most sensitive credentials — never leave your device.
What insecure defaults does it catch?
Common defaults like DEBUG=true, PASSWORD=password, SECRET=changeme, API_KEY=your_key_here, and empty values for security-critical variables. Each finding includes a recommendation for the correct approach.
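The four-step procedure in How to Use (parse, per-variable findings, risk score, masked markdown report) and the detection mechanics described in the FAQ answers above (provider prefix regexes, Shannon entropy, insecure defaults) are shown end to end below in an added JavaScript example. This is not the tool's own code: the provider patterns, the severity levels, the score weights, the entropy threshold of 3.5 bits per character, the sensitive-key regex and the 4+4 masking rule are all assumptions made for this example, and the sample .env is constructed with synthetic, non-live values.

```javascript
// Added example, not the page's tool. Provider patterns, severities, score
// weights, entropy threshold and masking rule are this example's own assumptions.

// Parse KEY=VALUE lines: skip blanks and # comments, strip an optional "export "
// prefix, honour single/double quotes, drop inline comments after unquoted values.
function parseDotenv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2];
    const q = value[0];
    if (q === '"' || q === "'") {
      const end = value.indexOf(q, 1);
      value = value.slice(1, end === -1 ? undefined : end);
    } else value = value.replace(/\s+#.*$/, '').trim();
    vars.push({ key: m[1], value });
  }
  return vars;
}

// Shannon entropy in bits per character (hex tops out at 4.0, base64 near 6.0).
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Assumed provider prefixes; a real scanner ships many more.
const PROVIDER_PATTERNS = [
  { provider: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/, severity: 'critical' },
  { provider: 'OpenAI API key', re: /\bsk-[A-Za-z0-9_-]{20,}\b/, severity: 'critical' },
  { provider: 'Stripe live secret key', re: /\bsk_live_[0-9A-Za-z]{24,}\b/, severity: 'critical' },
  { provider: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/, severity: 'high' },
];
const SENSITIVE_KEY = /PASS(WORD)?|SECRET|TOKEN|KEY/i; // assumed
const PLACEHOLDERS = new Set(['password', 'changeme', 'your_key_here', 'secret', 'admin', '123456']);
const ENTROPY_THRESHOLD = 3.5; // bits/char, assumed
const SEVERITY_WEIGHT = { critical: 40, high: 25, medium: 10 }; // assumed

// Keep only the first and last 4 characters of anything longer than 8.
function maskValue(v) {
  return v.length <= 8 ? '*'.repeat(v.length) : v.slice(0, 4) + '*'.repeat(v.length - 8) + v.slice(-4);
}

// One variable in, zero or more findings out. Provider matches and insecure
// defaults take priority; entropy is consulted only when nothing else fired.
function analyzeVariable({ key, value }) {
  const findings = [];
  const add = (type, severity, recommendation, extra = {}) =>
    findings.push({ key, type, severity, masked: maskValue(value), recommendation, ...extra });
  for (const p of PROVIDER_PATTERNS)
    if (p.re.test(value)) add('api_key', p.severity, 'Rotate this credential and load it from a secret manager, not a committed .env file.', { provider: p.provider });
  if (key.toUpperCase() === 'DEBUG' && /^(true|1|yes|on)$/i.test(value))
    add('insecure_default', 'medium', 'Set DEBUG=false outside local development; debug pages leak config and stack traces.');
  const sensitive = SENSITIVE_KEY.test(key);
  if (sensitive && value === '')
    add('insecure_default', 'high', 'Empty value for a security-critical variable; set a real secret or fail closed at startup.');
  else if (sensitive && PLACEHOLDERS.has(value.toLowerCase()))
    add('insecure_default', 'high', 'Placeholder value; replace it with a generated secret.');
  if (findings.length === 0 && value.length >= 20 && shannonEntropy(value) >= ENTROPY_THRESHOLD)
    add('high_entropy', 'medium', 'Looks like a secret with no known prefix; confirm it is not committed and rotate if exposed.', { entropy: shannonEntropy(value) });
  return findings;
}

// Whole-file scan: findings plus a 0-100 score (sum of severity weights, capped at 100).
function scanEnv(text) {
  const vars = parseDotenv(text);
  const findings = vars.flatMap(analyzeVariable);
  const score = Math.min(100, findings.reduce((s, f) => s + SEVERITY_WEIGHT[f.severity], 0));
  return { variables: vars.length, findings, score };
}

// Markdown report with masked values, safe to paste into a ticket or review.
function renderReport({ variables, findings, score }) {
  const lines = ['# .env scan report', '', `Variables: ${variables} | Findings: ${findings.length} | Risk score: ${score}/100`, ''];
  for (const f of findings)
    lines.push(`- **${f.key}** [${f.severity}] ${f.provider || f.type.replace('_', ' ')}: \`${f.masked}\`. ${f.recommendation}`);
  return lines.join('\n');
}

// Constructed sample input; the key-shaped values are synthetic, not live credentials.
const SAMPLE_ENV = [
  '# database',
  'DB_PASSWORD=password',
  'export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"',
  "OPENAI_API_KEY='sk-abcdefghijklmnopqrstuvwxyz0123456789'",
  'SESSION_SECRET=',
  'DEBUG=true # turn off in prod',
  'JWT_SECRET=9f8e7d6c5b4a39281706f5e4d3c2b1a0fedcba98',
  'APP_NAME=demo',
].join('\n');

console.log(renderReport(scanEnv(SAMPLE_ENV)));
```

Two design points worth noting. The entropy check runs only when no prefix rule or default rule has already fired, so a recognized AWS or OpenAI key is reported once, with its provider, rather than twice. The report carries only the masked form of each value, which is what makes it safe to paste into a ticket; the raw values never leave the scan result.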