● Open-source core · Pro features

Validate your env vars.
Ship with confidence.

Catch missing environment variables before they hit production. SARIF reports, AWS SSM validation, and smart fallback detection — all in one CLI tool.

Get started →
npm install ./path/to/file.tgz
What's included

Everything you need

A complete toolkit for environment variable hygiene — from local dev to production CI.

📄

SARIF Output

Generate machine-readable SARIF reports that plug directly into the GitHub Security tab — zero configuration needed.

☁️

AWS SSM Validation

Validate that every env var exists in Parameter Store or Secrets Manager before you deploy.

📝

Shell Script Env Files

Parse export statements from shell scripts and include them in your scan automatically.

🔍

Fallback Detection

Automatically distinguishes between warnings (vars with fallbacks) and errors (vars that will crash). Prioritise what matters.

⚙️

CI/CD Ready

The --ci flag exits non-zero on errors, making it a drop-in gate for any pipeline.

Strict Mode

Surface every env var reference — including known runtime vars — for full visibility when you need it.

Choose your edition

EnvGuard Free vs Pro

Free nails the basics. Pro is for teams that need SARIF, AWS validation, and shell-script driven env sources.

Capability EnvGuard Free EnvGuard Pro
Source availability Fully open source under MIT Distributed via npm with protected sources
Custom shell env files Not supported (reads `.env` inputs only) `envFiles` lets you import reusable `.sh` snippets like `set-env.sh`
SARIF output `--format sarif` integrates with GitHub Security
AWS validation `--aws`, `--aws-deep`, profiles, and prefixes for SSM + Secrets

Stick with the free edition when you only need local `.env` analysis. Go Pro when you want CI-ready outputs, AWS guardrails, or the ability to load environment variables from curated shell scripts that the rest of your org already uses.

.envguardrc.json 
{
	  "envFiles": ["set-env.sh", "another-env.sh"]
	}
CLI 
$ envguard scan --env-files set-env.sh

Free Edition

Great for quickly checking the obvious env blocks inside serverless.yml.

  • provider.environment Reads top-level variables like DATABASE_URL.
  • functions.*.environment Checks each function block for custom values before deploy.
  • !
    Resources & secrets Stops before the AWS resources section, so custom ECS/Lambda containers and deeper secret references stay invisible.

Pro Edition

Purpose-built for teams that rely on AWS infrastructure-as-code and want total coverage.

  • +
    Every env source Sweeps the provider block, each function, and the AWS resources section so ECS, Lambda, and Step Functions containers stay honest.
  • +
    Nested secret lookups Understands chained Secrets Manager values (think aurora.host) and confirms the actual key that will load in prod.
  • +
    Smart AWS context Resolves SSM paths, understands stages, and tells you which resource owns a missing variable so fixes are fast.
Workflow

How it works

From install to insight in seconds.

1

Install

One npm install and you're set — global or project-local.

2

Configure

Drop a .envguardrc.json in your project root or add options to package.json.

3

Scan

Run envguard scan. It statically analyses every file in your project.

4

Act

Errors and warnings are reported — fix, ignore, or push straight to GitHub Security via SARIF.

Git Hooks

Catch env issues before commit or push

EnvGuard Pro can install Git hooks that automatically run envguard scan --ci before each commit or push, catching environment variable issues before they reach your repository.

  • The hook script runs npx envguard scan --ci (plus any flags passed via --scan-args) automatically before the Git operation.
  • If issues are found, the operation is blocked and the hook prints the scan output.
  • To bypass the hook for a single operation, use the standard Git escape hatch: --no-verify.
Note: uninstall-hook will only remove hooks that were created by EnvGuard. If a hook exists but was written by another tool, it will be left untouched.
terminal — envguard hook commands
# Install a hook $ envguard install-hook $ envguard install-hook --type pre-push $ envguard install-hook --force $ envguard install-hook --scan-args "--aws" $ envguard install-hook --scan-args "--aws --aws-deep" $ envguard install-hook --scan-args "--aws --aws-deep --no-detect-fallbacks" # Uninstall a hook $ envguard uninstall-hook $ envguard uninstall-hook --type pre-push # Bypass for a single operation $ git commit --no-verify $ git push --no-verify
Scan output

Scan output you can actually act on

EnvGuard doesn't just list every variable — it tells you which ones will crash and which ones are safely handled.

  • Errors — vars that are missing and have no fallback. These will crash at runtime.
  • Warnings — vars that are missing but have a fallback defined. Low priority.
  • Unused & skipped — variables defined but never referenced, plus known runtime vars like AWS_REGION filtered out by default.
terminal — envguard scan --ci
$ envguard scan --ci Loaded config from .envguardrc.json Scanning env sources: serverless.yml ✖ Missing (not defined in any env source): CUSTOM_VAR Used in: index.js ⚠ Missing (not defined, but has fallback): SOURCE Used in: index.js Unused variables: NODE_ENV STAGE Skipped known runtime/ignored variables (use --strict to show): AWS Lambda: AWS_REGION Custom (from config/CLI): LOCALHOST, STAGE ────────────────────────────────────────── Errors: 1 Warnings: 1 Info: 2
terminal — envguard scan --aws --aws-deep
$ envguard scan --aws --aws-deep ✔ All AWS resources validated Secrets Manager (1): myapp/dev/aurora └─ host └─ port Parameter Store (2): /myapp/prod/API_KEY /myapp/prod/DB_HOST
AWS Integration

Validate against the source of truth

Don't guess. Confirm that every parameter and secret your app needs actually exists in AWS — before deploy day.

🔐

Secrets Manager

Validates top-level secrets and, with --aws-deep, checks nested JSON keys too.

📦

Parameter Store

Auto-discovers SSM paths from your serverless.yml or uses a prefix for fallback scanning.

🎯

Profile & Region aware

Picks up AWS_REGION and profile settings automatically — or override via flags.

PRO feature

SARIF export for GitHub Security

One flag. Machine-readable output that plugs directly into GitHub's Security tab for compliance tracking — no extra tooling required.

  • Each missing variable becomes a SARIF rule with a precise file + line location.
  • Errors and warnings map to different severity levels — GitHub surfaces them accordingly.
  • Drop into any CI step: --format sarif --output results.sarif
results.sarif
{ "results": [{ "ruleId": "env-missing", "level": "warning", "message": { "text": "DB_USER: Used in code with fallback/default but not defined in .env" }, "locations": [{ "physicalLocation": { "artifactLocation": { "uri": "handler.js" } } }] }] }

What it looks like in GitHub Security

Real SARIF views from GitHub — click any image to zoom.

Transparency

Built on trust

Pro is a closed-source extension of an open-source core. Here's exactly what that means.

🔓

Open-source foundation

The core scanner is fully open at github.com/szlaskidaniel/envguard. Audit it freely.

🚫

No telemetry

Zero data collection. No analytics, no phone-home. The only network calls are explicit AWS SDK operations when you opt in.

Verified scope

Published under the @danielszlaski npm scope with verified ownership.

🛡️

Sandboxable

Not comfortable? Audit network traffic or run it in a sandboxed environment. Full flexibility is yours.

Help

FAQ

Quick answers to common questions about EnvGuard Pro.

Is EnvGuard Pro intended for beginners?

This tool is intended for professionals. Remember to back up your data before using it.

What AWS IAM permissions are required for --aws / --aws-deep?

Required IAM Permissions:

  • ssm:GetParameter — for SSM Parameter Store validation (--aws)
  • secretsmanager:DescribeSecret — for Secrets Manager validation (--aws)
  • secretsmanager:GetSecretValue — required for --aws-deep (reads the secret JSON to validate nested keys like host and port)

Use --aws-deep to validate that the referenced nested keys actually exist within the secret JSON.

We do not store or log retrieved secret values — they are used only in-memory to check presence and report validation results.

Why is the source code obfuscated?

EnvGuard Pro is distributed with obfuscated sources to protect intellectual property while keeping full functionality. The open-source core is available on GitHub.

Does EnvGuard Pro collect telemetry or send data anywhere?

No. There is no telemetry or data collection. The only network calls are explicit AWS SDK operations when you opt in via --aws / --aws-deep.

How do I configure EnvGuard Pro?

Use .envguardrc.json (or package.json) for config. CLI flags override configuration values.

Common overrides:

  • --strict to enable strict mode regardless of config
  • --no-detect-fallbacks to treat missing vars as errors (ignore fallbacks)
  • --env-files set-env.sh to add shell env sources without editing config
{
  "ignoreVars": ["MY_COMPANY_VAR", "PLATFORM_VAR"],
  "strict": false,
  "detectFallbacks": true,
  "exclude": ["**/build/**", "**/tmp/**"],
  "envFiles": ["set-env.sh", "another-env.sh"]
}
What is fallback detection?

Fallback detection distinguishes between warnings (env vars used with fallbacks) and errors (env vars that will crash when missing). Disable it with --no-detect-fallbacks or set detectFallbacks to false in config.

How do I use EnvGuard Pro in CI?

Use --ci to integrate EnvGuard Pro into CI/CD. It sets the exit code so your pipeline can fail fast.

What happens with --ci:

  • Exits with code 1 if any missing environment variables (errors) are found
  • Exits with code 1 if any AWS resources are missing (when using --aws)
  • Exits with code 0 if only warnings or info-level issues are found

Examples:

  • envguard scan --ci
  • envguard scan --ci --strict (fail on any issue including warnings)
  • envguard scan --ci --aws (include AWS validation)
  • envguard scan --ci --no-detect-fallbacks (treat fallbacks as errors)
Can it scan env vars defined in shell scripts?

Yes. Use envFiles in .envguardrc.json or pass --env-files to include export-based variables from shell scripts like set-env.sh.

How do I generate a SARIF report for GitHub Security?

Run envguard scan --format sarif --output results.sarif and upload the SARIF to GitHub Security in your CI pipeline.

Ready to stop guessing about your env vars?

Install in seconds. Catch issues in minutes. Ship with the confidence that your environment is solid.

Install now →