How I built EnvGuard: a CLI tool to stop leaking .env secrets to git

via Dev.to JavaScript, Clay Pask

It happened on a Tuesday morning. I pushed a commit, went to get coffee, came back to find an AWS bill alert for $847. A crypto miner had been running on my dime for six hours — because my .env file with real AWS keys had just been committed to a public GitHub repo.

I rotated the keys, cleaned up the history with git filter-branch, filed a support ticket with AWS (they were actually great about it), and spent the rest of the day feeling sick.

That was the day I decided to build EnvGuard.

What EnvGuard does

EnvGuard is a CLI tool that audits your .env files and catches dangerous secrets before they make it into git.

    npm install -g envguard
    envguard audit

It detects:

🔴 AWS Access Key IDs and Secret Keys
🔴 Stripe live/test secret keys
🔴 GitHub tokens (ghp_, ghs_, ghx_, etc.)
🔴 Slack tokens and webhook URLs
🔴 Database URLs with embedded credentials (postgres://user:pass@host)
🔴 PEM private keys
🟠 JWT tokens
🟡 Generic API keys
⚠️ Weak placeholder values (chan
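A minimal sketch of this kind of .env audit, added here as an example and not EnvGuard's own code: it parses KEY=value lines, matches each value against a few widely published token formats, and reports findings with the secret redacted. The rule ids, regexes and sample values are assumptions constructed for illustration.

```javascript
// Added example, not EnvGuard's source. Patterns are widely published token
// formats (assumed); a production scanner would carry many more rules.
const RULES = [
  { id: "aws-access-key-id", severity: "high", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/ },
  { id: "stripe-secret-key", severity: "high", re: /\bsk_(?:live|test)_[0-9a-zA-Z]{24,}/ },
  { id: "github-token", severity: "high", re: /\bgh[a-z]_[A-Za-z0-9]{36,}/ },
  { id: "slack-token", severity: "high", re: /\bxox[abprs]-[A-Za-z0-9-]{10,}/ },
  { id: "db-url-credentials", severity: "high", re: /[a-z][a-z0-9+.-]*:\/\/[^\s:\/@]+:[^\s@\/]+@/i },
  { id: "pem-private-key", severity: "high", re: /-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----/ },
  { id: "jwt", severity: "medium", re: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/ },
];

// Parse KEY=value lines; accept an "export " prefix and strip matching quotes.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/.exec(raw);
    if (!m) return; // blank lines and "# comments" never match
    entries.push({ line: i + 1, key: m[1], value: m[2].replace(/^(['"])(.*)\1$/, "$2") });
  });
  return entries;
}

// Never echo a full secret into terminal or CI logs: keep a 4-char prefix only.
const redact = (v) => v.slice(0, 4) + "...[redacted]";

function auditEnv(text) {
  const findings = [];
  for (const { line, key, value } of parseEnv(text)) {
    for (const { id, severity, re } of RULES) {
      if (re.test(value)) findings.push({ line, key, rule: id, severity, preview: redact(value) });
    }
  }
  return findings;
}

// Constructed sample: values are assembled from filler characters, not real keys.
const SAMPLE_ENV = [
  "# constructed sample, no real credentials",
  "NODE_ENV=production",
  "AWS_ACCESS_KEY_ID=AKIA" + "X".repeat(16),
  'export STRIPE_KEY="sk_live_' + "x".repeat(24) + '"',
  "GITHUB_TOKEN=ghp_" + "A".repeat(36),
  "DATABASE_URL=postgres://user:pass@host:5432/app",
  "PUBLIC_URL=https://example.com:8080/app", // host:port without credentials, must not flag
].join("\n");

console.log(auditEnv(SAMPLE_ENV));
```

Run as a pre-commit step, a non-empty findings list would be the signal to block the commit; the URL with a port but no credentials shows the false positive the database rule has to avoid.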
