What does the environment security scanner check?

The scanner analyzes .env files and environment variable configurations for exposed secrets, weak passwords, insecure defaults, and missing security-critical variables like CORS origins and session secrets.

Does it send my environment variables to a server?

No. All scanning happens entirely in your browser. No environment variables or secrets are transmitted anywhere.

What types of secrets does it detect?

The scanner detects API keys, database connection strings, JWT secrets, AWS credentials, OAuth tokens, and other common secret patterns using regex-based rules.

Can I use this in CI/CD?

The web tool is for manual checks. For CI/CD integration, use the ReleaseRun CLI which includes environment scanning as part of its security audit.

.env Security Scanner

Paste your .env content and get an instant risk report for exposed secrets, weak values, cloud token formats, and dangerous runtime flags. Everything runs in your browser.

Client-side only No signup Large file friendly Shareable report URL

Risk profile

Findings

Line	Key	Severity	Reason

.env Security Scanner

Risk profile

Findings

Remediation plan

Safe .env.example template

Related Resources

.env Security Scanner

Risk profile

Findings

Remediation plan

Safe .env.example template

Related Resources

</> Embed .env Security Scanner