Audit Your .env for Leaked Secrets
Check your project for accidentally committed secrets, exposed API keys, and misconfigured environment variables.
Tags: Launch, Quick Win, Developer, Founder
Prompt Template
Audit my project for leaked secrets and misconfigured environment variables. Check these files and patterns:

1. .env files: are any committed to git? (check .gitignore)
2. Source code: search for hardcoded API keys, tokens, passwords, or connection strings (patterns: sk_, pk_, api_key, secret, password, token, DATABASE_URL)
3. Config files: check next.config.js, vercel.json, docker-compose.yml for embedded secrets
4. Client-side exposure: are any server-only secrets prefixed with NEXT_PUBLIC_ or VITE_ (making them visible in the browser)?
5. Git history: have secrets been committed in past commits even if they're now in .gitignore?

For each issue found:

- Severity: critical (actively leaked) / warning (potential risk) / info (best practice)
- Location: file and line
- Fix: what to do about it
- If a key was leaked: steps to rotate it

Here are my files to check: [paste .gitignore, relevant config files, or describe your project structure]

Do NOT suggest adding a secrets scanning tool. Just do the audit now.

**Output format:** Audit report with severity, location, and fix for each issue.
The explicit search patterns (sk_, pk_, DATABASE_URL) match the value formats that are actually secrets, so the audit is not a vague "look for anything sensitive". Checking git history catches the common mistake of deleting a secret from the working tree without removing it from version control.
Run it before every deployment, and monthly for active projects.
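The same checklist can be run offline before handing files to the prompt. The script below is an added example, not part of this page or of any tool it mentions: it checks whether .env files are covered by .gitignore, flags hardcoded key literals and sensitive names assigned literal values in source and config files, and reports server-only names carrying a NEXT_PUBLIC_ or VITE_ prefix. The regexes, severity choices and the sample project it builds in a temp directory are constructed for illustration; the .gitignore matching is a simplification (no negation or `**` handling).

```python
"""Offline audit of a project tree for the checks in the prompt (added example)."""
from __future__ import annotations

import fnmatch
import re
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", "node_modules", ".next", "dist"}
SCAN_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".py", ".json", ".yml", ".yaml", ".toml"}
EXAMPLE_ENV_NAMES = {".env.example", ".env.sample", ".env.template"}

# Constructed patterns for the items named in the prompt.
KEY_LITERAL = re.compile(r"\b(?:sk|pk)_[A-Za-z0-9_]{8,}")          # sk_/pk_ style keys
NAMED_SECRET = re.compile(                                           # sensitive name = literal
    r"(?i)\b(?P<name>[a-z0-9_]*(?:api_key|secret|password|token|database_url)[a-z0-9_]*)"
    r"[\"']?\s*[:=]\s*[\"']?(?P<value>[^\"'\s,;]{6,})"
)
CLIENT_PREFIX = re.compile(                                          # server secret shipped to browser
    r"\b(?P<name>(?:NEXT_PUBLIC_|VITE_)[A-Z0-9_]*(?:SECRET|PRIVATE|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)"
)
REFERENCE_VALUE = re.compile(r"^(?:\$|process\.env|os\.environ|os\.getenv|env\()")  # not a literal


def finding(severity: str, location: str, fix: str) -> dict:
    return {"severity": severity, "location": location, "fix": fix}


def env_files_not_ignored(project: Path) -> list[str]:
    """Return .env-style files that no .gitignore pattern covers (simplified matching)."""
    patterns = []
    gitignore = project / ".gitignore"
    if gitignore.exists():
        for raw in gitignore.read_text().splitlines():
            line = raw.strip()
            if line and not line.startswith(("#", "!")):
                patterns.append(line.lstrip("/").rstrip("/"))
    exposed = []
    for path in project.rglob(".env*"):
        rel_parts = path.relative_to(project).parts
        if not path.is_file() or path.name in EXAMPLE_ENV_NAMES:
            continue
        if any(part in SKIP_DIRS for part in rel_parts[:-1]):
            continue
        rel = "/".join(rel_parts)
        if not any(fnmatch.fnmatch(path.name, p) or fnmatch.fnmatch(rel, p) for p in patterns):
            exposed.append(rel)
    return sorted(exposed)


def scan_file(path: Path, rel: str) -> list[dict]:
    """Line-by-line checks 2, 3 and 4 of the prompt for one file."""
    findings = []
    is_env = path.name.startswith(".env")
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        loc = f"{rel}:{lineno}"
        m = CLIENT_PREFIX.search(line)
        if m:
            findings.append(finding("critical", loc,
                f"{m['name']} is bundled into the browser build: drop the prefix, use it server-side only, rotate it"))
            continue
        if is_env:
            continue  # values inside .env are covered by the tracked-.env check in audit()
        m = KEY_LITERAL.search(line)
        if m:
            findings.append(finding("critical", loc,
                f"hardcoded key {m.group()[:8]}...: move it to an environment variable and rotate it"))
            continue
        m = NAMED_SECRET.search(line)
        if m and not REFERENCE_VALUE.match(m["value"]):
            findings.append(finding("warning", loc,
                f"{m['name']} is assigned a literal value: load it from the environment instead"))
    return findings


def audit(project: Path) -> list[dict]:
    findings = [finding("critical", rel,
                        "not covered by .gitignore: add it, `git rm --cached` it if tracked, rotate every value")
                for rel in env_files_not_ignored(project)]
    for path in sorted(project.rglob("*")):
        rel_parts = path.relative_to(project).parts
        if not path.is_file() or any(p in SKIP_DIRS for p in rel_parts[:-1]):
            continue
        if path.suffix in SCAN_SUFFIXES or path.name.startswith(".env"):
            findings.extend(scan_file(path, "/".join(rel_parts)))
    return findings


def build_sample_project() -> Path:
    """Constructed fixture: a tiny Next.js-style tree with deliberate mistakes."""
    root = Path(tempfile.mkdtemp(prefix="env-audit-"))
    files = {
        ".gitignore": "node_modules/\n.next/\n# .env is deliberately missing\n",
        ".env": "DATABASE_URL=postgres://app:hunter2@db:5432/app\n"
                "STRIPE_SECRET_KEY=sk_test_51constructedExampleKey000\n"
                "NEXT_PUBLIC_API_SECRET=constructed-server-secret-exposed\n",
        ".env.example": "DATABASE_URL=\nSTRIPE_SECRET_KEY=\n",
        "src/billing.js": "import Stripe from 'stripe';\n"
                          "const stripe = new Stripe('sk_live_constructedLeakedKey000');\n",
        "docker-compose.yml": "services:\n  db:\n    environment:\n"
                              "      - POSTGRES_PASSWORD=hunter2hunter2\n"
                              "      - DATABASE_URL=${DATABASE_URL}\n",
        "next.config.js": "module.exports = { env: { API_URL: process.env.API_URL } };\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return root


if __name__ == "__main__":
    for f in audit(build_sample_project()):
        print(f"[{f['severity']}] {f['location']}: {f['fix']}")
```

Point `audit()` at a real checkout instead of the fixture to get the report. Two things it cannot see offline: a file that is ignored now but was already committed (compare with `git ls-files`), and item 5 of the prompt, secrets in past commits (walk the history with `git log -p`); a key that shows up in either case needs rotation regardless of what the working tree looks like today.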