.env Security Scanner

No. Everything is parsed and analysed in your browser using JavaScript. Your file contents — including values — never leave your device. We only inspect key names.

We check key names for patterns that indicate sensitive credentials (passwords, API keys, tokens), cloud provider secrets (AWS, GCP), database connection strings, crypto material (private keys, certificates), environment-leak risks (DEV/STAGING in key names), duplicate keys, malformed key names, and empty values.

You start at 100 points. Each Critical issue (cloud credentials, private keys) deducts 25 points. High issues (database credentials, API keys) deduct 15. Medium issues (generic secrets) deduct 8. Low issues (environment leaks, empty values) deduct 3. The minimum score is 0.

No. The scanner only analyses key names — the left-hand side of each KEY=VALUE line. Values are parsed to detect empty values and for display, but are never transmitted, stored, or used for pattern matching beyond that.