Env File Doctor

Lint .env files for duplicates, malformed lines, inline comments and likely secret leaks.

Overview

Paste the contents of a .env file and the doctor flags duplicate keys, malformed lines (missing =, stray quotes), inline # comments that some loaders treat as part of the value, and patterns that look like leaked credentials - AWS keys, GitHub tokens, generic long random strings.

It's for backend and DevOps engineers who manage app secrets through .env files and want a fast check before committing or sharing. Reach for it during code review, when triaging a 12-factor migration, or before publishing an .env.example to make sure no live secret slipped through.

How it works

.env syntax isn't standardised - dotenv libraries in Node, Python, Ruby, and Go all disagree on edge cases. The doctor parses against the most permissive common grammar: KEY=value per line, optional quotes around the value, blank lines and # comments allowed at line start.

Heuristics flag suspected secrets using prefix matchers (AKIA for AWS access keys, ghp_ and gho_ for GitHub tokens, xoxb- for Slack), plus a Shannon-entropy threshold for long random strings. The intent is to catch obvious leaks, not to be a full secret scanner.

Examples

  • Duplicate key:
    DB_HOST=localhost
    DB_HOST=db.internal   # warning: DB_HOST defined twice
    
  • Inline comment confusion:
    PORT=3000 # listen here   # warning: trailing comment becomes part of value
    
  • Likely AWS key:
    AWS_KEY=AKIAIOSFODNN7EXAMPLE   # error: looks like an AWS access key
    
  • Unquoted spaces:
    NAME=Hello World   # warning: quote values containing spaces
    

FAQ

Why is my inline comment flagged?

Different dotenv libraries disagree on whether KEY=val # note strips the comment or keeps it as part of the value. The doctor warns so you know your config could behave differently between Node, Python, and Bash.

Is this a secret scanner?

It's a screening pass for obvious patterns. For full coverage, run a dedicated scanner like git-secrets, gitleaks, or trufflehog in CI.

Does it handle multi-line values?

Multi-line values with quoted line continuations work, but feature support varies wildly between dotenv libraries. The doctor uses the dotenv-Node 16+ rules; YMMV on other runtimes.

What about export prefix?

export KEY=value is accepted - the export is stripped during parsing. The prefix is compatible with sourcing the file from Bash but is ignored by most library loaders.
