ShieldX is a blazing-fast CLI tool to compare, sync, validate, audit, and scan your environment/config files. It helps developers avoid missing variables, catch hardcoded secrets in code, and keep configs consistent across environments.
Short. Secure. Smart. — That's ShieldX.
## Features

- 🔍 Compare: Check differences between `.env` files (e.g., `.env` vs `.env.production`)
- ⚡ Generate: Create a `.env.example` automatically from an existing `.env`
- 🛡️ Scan: Detect hardcoded secrets (API keys, tokens, DB URLs) with severity levels
- 🔧 Fix: Interactively move hardcoded secrets to `.env` and replace them in code
- ✅ Validate: Ensure `.env` files have all required variables
- 🔎 Audit: Run a full security health check with a scored report
- 📊 JSON Output: Perfect for CI/CD pipelines
- 🚫 Smart Ignoring: Use `.shieldxignore` to skip files
- 🎯 Exit Codes: Non-zero exit on issues for CI/CD integration
- 📦 Lightweight: Zero bloat
- 🔒 Security-first: 30+ secret pattern detectors with severity levels
## Installation

Use it instantly with npx (no install required):

```bash
npx shieldx compare .env .env.example
```

Or install globally:

```bash
npm install -g shieldx
```

## Usage

### Compare

Compare files and see missing/extra variables:

```bash
shieldx compare .env .env.production
```

Options:

- `-j, --json` - Output in JSON format
- `-v, --verbose` - Show detailed output
Example output:

```text
📊 Comparison: .env vs .env.production

❌ Missing in .env.production (2):
   - SECRET_KEY
   - API_TOKEN

⚠️ Extra in .env.production (1):
   + NEW_FEATURE_FLAG

Total: 10 keys in .env, 9 keys in .env.production
```

CI/CD Integration:

```bash
# Exit code 1 if files don't match
shieldx compare .env .env.example --json > comparison.json
```

### Generate

Create a template file with keys only (no sensitive values):
```bash
shieldx generate .env
```

Options:

- `-o, --output <file>` - Custom output path (default: `.env.example`)
- `-f, --force` - Overwrite existing file
- `-j, --json` - Output in JSON format
- `-v, --verbose` - List all generated keys

Examples:

```bash
# Generate with custom output
shieldx generate .env -o .env.template

# Force overwrite
shieldx generate .env --force

# See what keys were generated
shieldx generate .env --verbose
```

### Scan

Detect hardcoded API keys, passwords, tokens, and more:

```bash
shieldx scan ./src
```

Options:

- `-j, --json` - Output in JSON format for parsing
- `-v, --verbose` - Show skipped files
- `-q, --quiet` - Only show errors
Security Patterns Detected:
- ✅ Stripe API keys (live & test)
- ✅ AWS credentials
- ✅ GitHub tokens
- ✅ Google API keys
- ✅ Database connection strings
- ✅ JWT tokens
- ✅ Private keys (RSA, PEM, SSH)
- ✅ OAuth tokens (Slack, Facebook, Google)
- ✅ Bearer tokens
- ✅ And 20+ more patterns!
Severity Levels:
- 🔴 CRITICAL - Private keys, credentials with immediate risk
- 🟠 HIGH - API keys, tokens, passwords
- 🟡 MEDIUM - Session IDs, JWTs
- 🔵 LOW - Potential secrets, long strings
Example output:

```text
🔍 Scanning ./src for hardcoded secrets...

🚨 [HIGH] Stripe Live Key in src/payment.js:15
   const key = "sk_live_abcd1234..."
   💡 Move this to .env file

⚠️ Security Report:
   Total issues: 3
   Files scanned: 47
   CRITICAL: 1
   High: 2
```

Use `.shieldxignore`:

Create a `.shieldxignore` file to skip certain paths:

```text
# ShieldX Ignore Patterns
**/test/**
*.test.js
docs/
```
### Validate

Ensure `.env` files have all required keys:

```bash
shieldx validate .env --keys "DATABASE_URL,API_KEY,SECRET"
```

Options:

- `-k, --keys <keys>` - Comma-separated required keys
- `-c, --config <file>` - Load required keys from file
- `-j, --json` - Output in JSON format
- `-v, --verbose` - Show all present keys
Using a config file:

Create `required-keys.txt`:

```text
DATABASE_URL
API_KEY
SECRET_KEY
```

Then run:

```bash
shieldx validate .env --config required-keys.txt
```

Example output:
```text
🔍 Validating .env

❌ Missing 2 required variable(s):
   ✗ API_KEY
   ✗ SECRET_KEY

💡 Add the missing variables to .env
```
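The key-level checks behind `compare` and `validate`, written out in Node.js as an added example (this is not code from the ShieldX repository): a lenient `.env` parser, the missing/extra diff with the totals the summary line prints, and required-key validation that also flags empty values. The sample files and their values are constructed.

```javascript
// Parse .env text into a Map of key -> value; comments, blank lines, an optional
// `export` prefix and matching surrounding quotes are handled.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue; // malformed line: skipped, as a lenient loader would
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length >= 2 && value.endsWith(q)) {
      value = value.slice(1, -1);
    }
    vars.set(m[1], value);
  }
  return vars;
}

// `compare`: keys in `left` absent from `right` ("Missing in ..."), keys only in
// `right` ("Extra in ..."), and the per-file totals of the summary line.
function compareEnv(leftText, rightText) {
  const left = parseEnv(leftText);
  const right = parseEnv(rightText);
  return {
    missing: [...left.keys()].filter((k) => !right.has(k)),
    extra: [...right.keys()].filter((k) => !left.has(k)),
    leftCount: left.size,
    rightCount: right.size,
  };
}

// `validate`: required keys that are absent. Keys present with an empty value are
// reported separately, which is what the audit's "Empty Values" check flags.
function validateEnv(text, requiredKeys) {
  const vars = parseEnv(text);
  return {
    missing: requiredKeys.filter((k) => !vars.has(k)),
    empty: requiredKeys.filter((k) => vars.has(k) && vars.get(k) === ""),
  };
}

// Constructed sample files (placeholder values, not real credentials).
const DEV_ENV = ["# dev settings", "DATABASE_URL=postgres://localhost/dev",
  'API_KEY="dev-key"', "SECRET_KEY='dev-secret'", "export DEBUG=true", "EMPTY_VALUE="].join("\n");
const PROD_ENV = ["DATABASE_URL=postgres://db/prod", "API_KEY=prod-key",
  "DEBUG=false", "NEW_FEATURE_FLAG=1"].join("\n");
```

Running `compareEnv(DEV_ENV, PROD_ENV)` reports `SECRET_KEY` and `EMPTY_VALUE` as missing and `NEW_FEATURE_FLAG` as extra; a key that exists but is empty passes `compare` and is only caught by `validateEnv`.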
### Fix

Interactively move secrets from your code to `.env`:

```bash
shieldx fix ./src
```

Options:

- `--auto` - Move all High/Critical secrets automatically
- `--dry-run` - Preview changes without modifying files
- `--env-file <file>` - Target `.env` file (default: `.env`)
Example:

ShieldX will find a secret:

```js
const KEY = "sk_live_12345";
```

And replace it with:

```js
const KEY = process.env.STRIPE_LIVE_KEY;
```

While adding the following to your `.env`:

```text
STRIPE_LIVE_KEY="sk_live_12345"
```
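The rewrite shown above, as an added example in Node.js that is not ShieldX's own source: string-literal assignments that match a detector are replaced with `process.env.<NAME>` and the corresponding `.env` lines are collected. The detector table, the variable-naming rule and the sample source are assumptions; nothing is written to disk, so the same function serves a `--dry-run` preview and an actual fix.

```javascript
// Constructed detector subset; names, patterns and severities are assumptions,
// not ShieldX's own 30+ pattern table.
const DETECTORS = [
  { name: "STRIPE_LIVE_KEY", severity: "HIGH", pattern: /sk_live_[A-Za-z0-9]+/ },
  { name: "GITHUB_TOKEN", severity: "HIGH", pattern: /ghp_[A-Za-z0-9]{36}/ },
];

// `const|let|var NAME = "literal";` with the literal in single or double quotes.
const ASSIGNMENT = /^(\s*(?:const|let|var)\s+[A-Za-z_$][\w$]*\s*=\s*)(["'])(.*?)\2(\s*;?\s*)$/;

// Pick the .env variable for a secret: reuse an identical existing entry,
// otherwise suffix the name so two different secrets never share one variable.
function envVarFor(det, value, envLines) {
  let name = det.name;
  for (let n = 2; ; n++) {
    const existing = envLines.find((l) => l.startsWith(name + "="));
    if (!existing) { envLines.push(`${name}="${value}"`); return name; }
    if (existing === `${name}="${value}"`) return name;
    name = `${det.name}_${n}`;
  }
}

// Rewrite matching literals to `process.env.<NAME>` and collect the lines to
// append to .env. The caller decides whether to write the results (dry run vs.
// apply); `changes` carries what the scan would print for each finding.
function fixSource(source, envText = "") {
  const envLines = envText ? envText.split(/\r?\n/) : [];
  const changes = [];
  const lines = source.split(/\r?\n/).map((line, i) => {
    const m = ASSIGNMENT.exec(line);
    const det = m && DETECTORS.find((d) => d.pattern.test(m[3]));
    if (!det) return line; // not an assignment, or not a recognised secret
    const envVar = envVarFor(det, m[3], envLines);
    changes.push({ line: i + 1, severity: det.severity, envVar });
    return `${m[1]}process.env.${envVar}${m[4]}`;
  });
  return { source: lines.join("\n"), env: envLines.join("\n"), changes };
}

// Constructed sample source; the literals are placeholders, not real keys.
const SAMPLE_SOURCE = [
  'const KEY = "sk_live_12345";',
  "const region = 'us-east-1';",
  'let token = "ghp_' + "a".repeat(36) + '";',
].join("\n");
```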
### Audit

Run a comprehensive security health check across your entire project:

```bash
shieldx audit
```

Options:

- `-j, --json` - Output in JSON format for CI/CD
- `-s, --strict` - Fail on any issue (even warnings)
- `-d, --dir <path>` - Directory to scan (default: `.`)
- `--env-file <file>` - Path to `.env` file (default: `.env`)
What it checks:
| Check | Description |
|---|---|
| 🔒 Gitignore Safety | Ensures .env is in .gitignore |
| 📄 Env Files Exist | Verifies .env and .env.example are present |
| 🔄 Env Sync | Compares .env vs .env.example for drift |
| 🛡️ Secret Scan | Scans codebase for hardcoded secrets |
| 📋 Empty Values | Flags .env keys with no value |
Example output:

```text
╔══════════════════════════════════════╗
║      🛡️  ShieldX Security Audit      ║
╚══════════════════════════════════════╝

╭────────────────────────────────────────────────────────╮
│ CHECK RESULTS                                          │
├────────────────────────────────────────────────────────┤
│ ● PASS  🔒 Gitignore Safety                            │
│         .env is protected in .gitignore                │
│ ● PASS  📄 Env Files Exist                             │
│         .env and .env.example both present             │
│ ● WARN  🔄 Env Sync                                    │
│         2 keys not in .env.example                     │
│ ● FAIL  🛡️ Secret Scan                                 │
│         3 issue(s) found (1 critical, 2 high)          │
├────────────────────────────────────────────────────────┤
│ SECURITY SCORE                                         │
│ ██████████████░░░░░░░░░░░░░░░░  C  55/100              │
│ NEEDS ATTENTION                                        │
╰────────────────────────────────────────────────────────╯
```
CI/CD Integration:

```bash
# Fail pipeline on any critical/high issues
shieldx audit --json > audit-report.json

# Strict mode: fail on ANY issue
shieldx audit --strict
```

## Exit Codes

ShieldX returns exit code 1 on issues, perfect for CI/CD:

```yaml
# GitHub Actions example
- name: Validate environment
  run: |
    shieldx compare .env.example .env.production --json
    shieldx scan ./src
    shieldx validate .env.production --keys "DATABASE_URL,API_KEY"
```

Add to `.git/hooks/pre-commit`:
```bash
#!/bin/bash
# Block the commit when the scan exits non-zero (secrets found).
if ! shieldx scan ./src --quiet; then
  echo "❌ Secrets detected! Fix them before committing."
  exit 1
fi
```

All commands support the `--json` flag:

```bash
# Get JSON output for parsing
shieldx scan ./src --json > security-report.json

# Parse with jq
shieldx scan ./src --json | jq '.issuesFound'
```

## Roadmap

- Compare `.env` files
- Generate `.env.example`
- Scan for secrets with severity levels
- Validate required keys
- JSON output for CI/CD
- `.shieldxignore` support
- Exit codes for automation
- GitHub Actions integration
- Auto-fix suggestions
- Full project security audit with scoring
- Sync configs across environments
- VSCode plugin integration
- AI-powered secret detection (v2)
- Encrypt/decrypt `.env` files
## Development

Clone and run locally:

```bash
git clone https://github.com/zeemscript/shieldx.git
cd shieldx
npm install
npm link
```

Run tests:

```bash
npm test
npm run test:watch
```

Now you can run:

```bash
shieldx compare .env .env.example
```

ShieldX includes a comprehensive test suite:

```bash
# Run all tests
npm test

# Run with coverage
npm test -- --coverage

# Watch mode
npm run test:watch
```

## Contributing

Contributions, issues, and feature requests are welcome!
- Fork the repo
- Create your feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request

Check issues for ideas!
## License

MIT © 2025 zeemscript
Best Practices:

- ✅ Run `shieldx scan` before every commit
- ✅ Use `shieldx validate` in deployment pipelines
- ✅ Keep `.env.example` updated with `shieldx generate`
- ✅ Never commit `.env` files (add to `.gitignore`)
- ✅ Use `.shieldxignore` for test fixtures
Common Workflows:

```bash
# Setup new project
shieldx generate .env
git add .env.example

# Before deploying
shieldx validate .env.production --keys "DATABASE_URL,API_KEY"
shieldx compare .env.example .env.production

# Security audit
shieldx scan ./src --verbose
```

Made with ❤️ by developers, for developers.