Launch · 2026-05-13

Ship #7: EnvGuard — paste your .env file, find real secrets vs placeholder junk

EnvGuard launched today: entropy analysis identifies real credentials in your .env file, separates them from example placeholders, and tells you which service owns each key. 100% client-side.

EnvGuard is live at envguard-9x4mp42fn-leeisac901-6166s-projects.vercel.app.

The problem

Every .env file is a mix of real secrets and placeholder garbage. Some keys are live production credentials. Some are your_key_here examples. Some are outdated. Some are test keys. Some belong to a service that was abandoned six months ago.

Most developers can't tell at a glance which is which — especially when the .env was generated by an AI assistant or scaffolded from a boilerplate. AI-generated .env files are worse: they contain realistic-looking but fake values (sk_live_your_stripe_key_here) that look like credentials to any automated scanner, alongside real-looking test keys that are actually production credentials from the training data.

EnvGuard resolves the ambiguity in seconds.

What it does

Paste your .env file — get back:

Entropy analysis per key — Shannon entropy is a mathematical measure of randomness. Real secrets (API keys, tokens, passwords) have high entropy: long strings of mixed characters with no pattern. Placeholders (your_key_here, changeme, example123) have low entropy. EnvGuard computes entropy for every value and classifies it: real secret / possible secret / likely placeholder / definitely placeholder.

Service identification — 50+ service patterns across:

  • AI/LLM: OpenAI, Anthropic, Cohere, Hugging Face, Replicate
  • Payments: Stripe, PayPal, Lemon Squeezy
  • Cloud: AWS, GCP, Azure
  • Auth: Auth0, Clerk, Firebase
  • Database: Supabase, PlanetScale, Neon, Railway, Turso
  • Email: Resend, SendGrid, Mailgun, Loops, Postmark
  • Monitoring: Sentry, Datadog, New Relic, Highlight
  • Infra: Vercel, Netlify, Cloudflare, Fly.io

When a key is identified, EnvGuard shows you the service name, a link to the service's API key management page, and whether the key format matches the expected pattern for that service.

Risk classification — Critical / High / Medium / Low / Info per finding. A real Stripe live secret key (sk_live_...) with high entropy is Critical. A placeholder OpenAI key (your_openai_key_here) is Info.
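
The entropy analysis and placeholder detection described above, sketched in TypeScript as an added example (not EnvGuard's own code). The thresholds, the placeholder pattern, the function names and the sample values are assumptions; the placeholder check runs before the entropy check so that values like sk_live_your_stripe_key_here are not rated as secrets.

```typescript
// Added example; thresholds and placeholder list are assumptions, not EnvGuard's own values.
type Verdict = "real secret" | "possible secret" | "likely placeholder" | "definitely placeholder";

// Shannon entropy in bits per character: H = -sum(p * log2(p)).
function shannonEntropy(value: string): number {
  const counts: Record<string, number> = {};
  for (const ch of value.split("")) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const ch of Object.keys(counts)) {
    const p = counts[ch] / value.length;
    h -= p * (Math.log(p) / Math.LN2);
  }
  return h;
}

// Placeholder markers are tested first: "sk_live_your_stripe_key_here" carries
// a credential-style prefix and moderate entropy, yet is obviously not a secret.
const PLACEHOLDER = /your[_-]|[_-]here$|changeme|example|placeholder|xxx|<[^>]+>/i;

function classify(raw: string): Verdict {
  const v = raw.trim();
  if (v === "" || PLACEHOLDER.test(v)) return "definitely placeholder";
  const h = shannonEntropy(v);
  if (v.length >= 20 && h >= 4.0) return "real secret";
  if (v.length >= 12 && h >= 3.5) return "possible secret";
  return "likely placeholder"; // short or repetitive: weak password or plain config
}

// Minimal KEY=value reader: skips comments, accepts `export`, strips one pair of quotes.
function auditEnv(text: string): Record<string, Verdict> {
  const out: Record<string, Verdict> = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=(.*)$/);
    if (!m) continue;
    out[m[1]] = classify(m[2].trim().replace(/^(["'])(.*)\1$/, "$2"));
  }
  return out;
}

// Constructed sample input; none of these values is a real credential.
const SAMPLE = [
  "# payments",
  "STRIPE_SECRET_KEY=sk_live_your_stripe_key_here",
  "DB_PASSWORD=changeme",
  'export API_TOKEN="q7Zp2Lx9Vb4Tn8Rk3Wd6Hs1Jm5Yc0Fg"',
  "WEBHOOK_TOKEN=Kd83hfQz71LmPw",
  "SESSION_SECRET=secret123",
].join("\n");
console.log(auditEnv(SAMPLE));
```

Short, low-entropy values such as secret123 land in "likely placeholder" even when they are in use as passwords, so a low rating is a prompt to check the value, not proof that it is safe to share.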

What it doesn't do

Your .env file never leaves your browser. There is no server, no API call, no logging. This is intentional: a .env audit tool that sends your .env to a server would be the worst product in security history.

The whole point is to give developers a zero-trust way to sanity-check credentials before committing, sharing a dotenv with a new team member, or rotating keys after a breach.

The build

47 unit tests, all passing — the most of any Dummy Labs ship so far. The core is split across two files:

  • lib/env-parser.ts — .env file parser: handles comments, quoted values, export keywords, multi-line values, line numbers
  • lib/env-auditor.ts — Shannon entropy function, 50+ service patterns, placeholder detection heuristics, risk classification, redact helper

Free: unlimited scans, no account.
Pro ($9/mo): downloadable PDF audit report, scan history, team sharing.

Try it

Paste any .env file — real or generated. See which values are real secrets, which are placeholders, and which services own each key.


EnvGuard is Ship #7 from Dummy Labs. We ship one security or developer tool per weekday.