envy.sh

Paste a .env file. Get an instant lint report with weak-secret detection, leaked-credential fingerprinting and a safety score.
The file never leaves your browser.

100% CLIENT-SIDE · NO UPLOADS · NO COOKIES

What envy.sh checks for

ENV001 Duplicate keys: Same variable defined twice — the last wins, earlier ones are dead code and usually bugs.
ENV002 Weak secrets: Short values, dictionary passwords, placeholders like change-me or secret, and low-entropy strings.
ENV003 Leaked credentials: Regex fingerprints for AWS, GitHub, Slack, Stripe, GCP, SendGrid, Mailgun, Twilio and JWT tokens.
ENV004 Invalid syntax: Malformed lines, invalid key names, missing =, unquoted values with spaces or #.
ENV005 Privileged hosts: Hardcoded localhost, raw IPs or ports in production-looking configs — a 12-factor smell.
ENV006 Empty values: Keys declared with no value — usually a typo that will silently break at runtime.
ENV007 Private keys inline: PEM blocks (BEGIN PRIVATE KEY, BEGIN RSA PRIVATE KEY) pasted directly into the file.
ENV008 Casing convention: Non-UPPER_SNAKE_CASE keys flagged — most loaders treat env vars as case-sensitive.

Your secrets never leave this tab.
envy.sh is a single static HTML file. There is no backend — every lint rule, regex match and Shannon-entropy calculation runs in your browser. You can open DevTools and verify no network requests are made. You can also save this page offline and run it air-gapped.
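
A sketch of how checks like ENV001, ENV002, ENV004 (missing =) and ENV006 can run entirely in the browser, including the Shannon-entropy calculation. This is an added example, not envy.sh's own code; the function names, the placeholder list, the key pattern and the length and entropy thresholds are assumptions.

```javascript
// Added example. Thresholds and word list are assumptions, not envy.sh's values.
const PLACEHOLDERS = new Set(["change-me", "changeme", "secret", "password"]);
const SECRET_KEY_RE = /(SECRET|PASSWORD|TOKEN|API_KEY)/i; // keys treated as secrets
const MIN_LENGTH = 12;   // assumed minimum secret length
const MIN_ENTROPY = 3.0; // assumed floor, in bits per character

// Shannon entropy in bits per character: H = -sum(p * log2(p)).
function shannonEntropy(value) {
  const chars = [...value];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / chars.length) * Math.log2(n / chars.length);
  return h;
}

function lintEnv(text) {
  const findings = [];
  const firstSeen = new Map(); // key -> line of first definition
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim(), lineNo = i + 1;
    if (line === "" || line.startsWith("#")) return;
    const eq = line.indexOf("=");
    if (eq === -1) { findings.push({ rule: "ENV004", line: lineNo, key: null }); return; }
    const key = line.slice(0, eq).trim();
    // Strip one pair of matching surrounding quotes before judging the value.
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    if (firstSeen.has(key)) findings.push({ rule: "ENV001", line: lineNo, key });
    else firstSeen.set(key, lineNo);
    if (value === "") findings.push({ rule: "ENV006", line: lineNo, key });
    else if (SECRET_KEY_RE.test(key) && (PLACEHOLDERS.has(value.toLowerCase()) ||
             value.length < MIN_LENGTH || shannonEntropy(value) < MIN_ENTROPY))
      findings.push({ rule: "ENV002", line: lineNo, key });
  });
  return findings;
}

// Constructed sample input, not real credentials.
const SAMPLE = [
  "# constructed sample",
  "DB_PASSWORD=change-me",
  "API_TOKEN=aaaaaaaaaaaaaaaaaaaa",
  "SESSION_SECRET=q7Rz2LmX9vBt4KpW8sHd",
  "DB_PASSWORD=hunter2",
  "SMTP_HOST=",
  "DEBUG true",
].join("\n");

for (const f of lintEnv(SAMPLE)) console.log(`${f.rule} line ${f.line} ${f.key ?? ""}`);
```

The 20-character API_TOKEN passes a length check but has zero entropy, which is why a length rule alone is not enough for ENV002.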