Audit Your .env for Leaked Secrets
Check your project for accidentally committed secrets, exposed API keys, and misconfigured environment variables.
5 min | Beginner
Tags: Launch, Quick Win, Developer, Founder
Prompt Template
Audit my project for leaked secrets and misconfigured environment variables. Check these files and patterns:

1. .env files: are any committed to git? (check .gitignore)
2. Source code: search for hardcoded API keys, tokens, passwords, or connection strings (patterns: sk_, pk_, api_key, secret, password, token, DATABASE_URL)
3. Config files: check next.config.js, vercel.json, docker-compose.yml for embedded secrets
4. Client-side exposure: are any server-only secrets prefixed with NEXT_PUBLIC_ or VITE_ (making them visible in the browser)?
5. Git history: have secrets been committed in past commits even if they're now in .gitignore?

For each issue found:
- Severity: critical (actively leaked) / warning (potential risk) / info (best practice)
- Location: file and line
- Fix: what to do about it
- If a key was leaked: steps to rotate it

Here are my files to check: [paste .gitignore, relevant config files, or describe your project structure]

Do NOT suggest adding a secrets scanning tool. Just do the audit now.

**Output format:** Audit report with severity, location, and fix for each issue.
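The five checks the prompt asks for, as an added example that is not part of this page's template: a Python script that runs them over a constructed in-memory repository snapshot and emits findings in the prompt's severity/location/fix shape. The `SAMPLE_REPO` dict, the regexes, the `Finding` layout and the one-commit history model are all assumptions made here, not anything from the page; the .gitignore matching is deliberately simplified, and a real run would read the checkout and `git log -p` instead of a dict.

```python
"""Simplified .env / secret audit over a constructed in-memory repository snapshot."""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from os.path import basename

# Constructed sample repo (hypothetical values, not real keys).
# "tracked" is the current commit; "history" holds older commits, oldest first.
SAMPLE_REPO = {
    "tracked": {
        ".gitignore": "node_modules/\n.next/\n",  # .env is NOT ignored
        ".env": "STRIPE_SECRET=sk_live_EXAMPLE0000000000000000\n",
        "lib/db.ts": 'const DATABASE_URL = "postgres://app:hunter2@db.internal/prod";\n',
        "app/checkout.tsx": "const pk = process.env.NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY;\n",
        "app/admin.tsx": "const s = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY;\n",
        "vercel.json": '{"env": {"API_TOKEN": "abcd1234efgh5678"}}\n',
    },
    "history": [
        {"config.js": 'module.exports = { apiKey: "sk_test_EXAMPLE000000000000" };\n'},
    ],
}

# Patterns from the prompt: provider-style key prefixes and secret-looking assignments.
KEY_PATTERN = re.compile(r"\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{8,}")
ASSIGN_PATTERN = re.compile(
    r"(?i)[A-Za-z_]*(?:api[_-]?key|secret|password|token|database_url)[A-Za-z_]*"
    r"[\"']?\s*[:=]\s*[\"']?([^\"'\s]{8,})"
)
CLIENT_VAR = re.compile(r"\b(?:NEXT_PUBLIC_|VITE_)[A-Z0-9_]+")  # bundled into the browser
SECRET_WORDS = ("SECRET", "PASSWORD", "TOKEN", "PRIVATE")
CONFIG_FILES = {"next.config.js", "vercel.json", "docker-compose.yml"}


@dataclass
class Finding:
    severity: str  # critical / warning / info, as the prompt defines them
    location: str  # file[:line]
    issue: str
    fix: str


def redact(value: str) -> str:
    """Never echo the full secret back into the report."""
    return value[:4] + "***"


def is_ignored(path: str, gitignore: str) -> bool:
    """Simplified .gitignore semantics: glob against full path or basename."""
    for raw in gitignore.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        pat = pat.lstrip("/")
        if fnmatch(path, pat) or fnmatch(basename(path), pat):
            return True
    return False


def secrets_in_line(line: str) -> list:
    hits = [m.group(0) for m in KEY_PATTERN.finditer(line)]
    hits += [m.group(1) for m in ASSIGN_PATTERN.finditer(line)]
    return hits


def check_env_tracking(tracked: dict) -> list:
    """Check 1: is a .env file committed, or at least ignored?"""
    committed = [p for p in tracked
                 if basename(p).startswith(".env") and not p.endswith(".example")]
    if committed:
        return [Finding("critical", p, ".env file is committed to git",
                        "git rm --cached it, add it to .gitignore, rotate every value in it")
                for p in committed]
    if not is_ignored(".env", tracked.get(".gitignore", "")):
        return [Finding("warning", ".gitignore", ".env is not ignored",
                        "add .env and .env.* to .gitignore")]
    return []


def scan_files(files: dict, label: str = "", skip_env: bool = True) -> list:
    """Checks 2 and 3: hardcoded secrets in source and config, one finding per line."""
    findings = []
    for path, content in files.items():
        if skip_env and basename(path).startswith(".env"):
            continue  # reported as a whole by check_env_tracking
        for n, line in enumerate(content.splitlines(), 1):
            hits = secrets_in_line(line)
            if hits:
                dest = "platform env settings" if basename(path) in CONFIG_FILES else "an env var"
                findings.append(Finding("critical", f"{label}{path}:{n}",
                                        f"hardcoded secret {redact(hits[0])}",
                                        f"move it to {dest} and rotate it"))
    return findings


def check_client_exposure(tracked: dict) -> list:
    """Check 4: secret-looking names carrying a browser-visible prefix."""
    findings = []
    for path, content in tracked.items():
        for n, line in enumerate(content.splitlines(), 1):
            for name in CLIENT_VAR.findall(line):
                if any(w in name for w in SECRET_WORDS):
                    findings.append(Finding("warning", f"{path}:{n}",
                                            f"{name} is bundled into the browser",
                                            "drop the public prefix and read it server-side only"))
    return findings


def scan_history(history: list) -> list:
    """Check 5: secrets in past commits, whether or not the file is still tracked."""
    findings = []
    for i, commit in enumerate(history, 1):
        for f in scan_files(commit, label=f"commit {i}:", skip_env=False):
            f.fix = "rotate the key now; rewriting history alone does not un-leak it"
            findings.append(f)
    return findings


def audit(repo: dict) -> list:
    tracked = repo["tracked"]
    return (check_env_tracking(tracked) + scan_files(tracked)
            + check_client_exposure(tracked) + scan_history(repo.get("history", [])))


if __name__ == "__main__":
    for f in audit(SAMPLE_REPO):
        print(f"[{f.severity}] {f.location}: {f.issue}. Fix: {f.fix}")
```

Run it directly to print the report for the sample; to use it on a project, build the `tracked` dict from the checkout and `history` from past commits. The committed .env is reported once as a file rather than line by line, and values are redacted in findings so the report itself does not re-leak them.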
Why It Works
The specific patterns to search for (sk_, pk_, DATABASE_URL) catch real secrets. Checking git history catches the common mistake of removing a secret from the file but not from version control.
When to Use It
Before every deployment. Monthly for active projects.