Manage, validate, and secure environment variables across your projects.
EnvGuard is a CLI tool that brings order to the chaos of .env files. It validates your environment variables against a schema, catches missing or malformed values before they reach production, encrypts sensitive files, and lets you switch between environment profiles (dev/staging/prod) with a single command.
# Quick start
envguard init # Bootstrap a schema from your existing .env
envguard validate # Check everything is in order
envguard doctor # Full health audit of your env setupEvery developer has been bitten by:
- A missing
DATABASE_URLthat takes 30 minutes to debug .env.examplethat's hopelessly out of date with the actual.env- Accidentally committing secrets to git
- Sharing
.envfiles over Slack (encrypted? never.) - Juggling different env setups for dev, staging, and CI
EnvGuard solves all of this in one lightweight, dependency-minimal CLI.
pip install envguardpipx install envguardgit clone https://github.com/AFS-Agentics/envguard.git
cd envguard
pip install .- Python 3.10+
- cryptography library (installed automatically with pip)
Scans your project's .env files and generates a .env.schema file with inferred types.
cd my-project
envguard initThis creates .env.schema:
# EnvGuard .env.schema
# Format: KEY type required "description" # default: value
DATABASE_URL str true "PostgreSQL connection string"
API_KEY str true "API key for external service"
DEBUG bool false "Enable debug mode (0/1, true/false, yes/no)"
PORT int false "Server port (default: 8080)"
Options:
| Flag | Description |
|---|---|
--path, -p |
Project directory (default: auto-detect from cwd) |
--force, -f |
Overwrite existing .env.schema |
--merge, -m |
Merge new entries into existing .env.schema |
Checks all .env files against the schema β type validation, required fields, extra variables.
envguard validateOutput:
β All 5 schema entries validated cleanly across .env.
Or, when there are issues:
β .env: missing required 'DATABASE_URL' (PostgreSQL connection string)
β .env: optional 'DEBUG' not set (Enable debug mode)
β .env: 'PORT' is not a valid integer
2 errors + 1 warning found.
Options:
| Flag | Description |
|---|---|
--path, -p |
Project directory |
--strict, -s |
Treat warnings as errors (non-zero exit) |
--silent |
Exit codes only, no output |
Exit codes:
0β all good1β errors found (or warnings in strict mode)
Generates a documented .env.example from your schema.
envguard generateOptions:
| Flag | Description |
|---|---|
--path, -p |
Project directory |
--force, -f |
Overwrite existing .env.example |
--fill |
Fill in default values from the schema |
Protect sensitive environment files with AES-256-GCM encryption + PBKDF2 key derivation.
envguard encrypt .env --password "your-secret-password"
# Creates .env.encryptedOptions:
| Flag | Description |
|---|---|
file |
Path to .env file (positional, required) |
--output, -o |
Output path (default: <file>.encrypted) |
--password |
Encryption password (uses ENVGUARD_PASSWORD env var, or prompts) |
--force, -f |
Overwrite existing output |
envguard decrypt .env.encrypted --password "your-secret-password" --output .envOptions:
| Flag | Description |
|---|---|
file |
Path to encrypted file (positional, required) |
--output, -o |
Output path (default: print to stdout) |
--password |
Decryption password |
--force, -f |
Overwrite existing output |
Runs a comprehensive check on your project's environment setup:
envguard doctorChecks:
- β
.env.schemaexists - β
.env.exampleexists - β Env files present
- β
.gitignorecovering.envfiles - β Schema validation passes
- β Encrypted files tracked
Save and switch between named environment configurations.
# Save current .env as a profile
envguard profile pin development
# List saved profiles
envguard profile list
# Show profile contents
envguard profile show development
# Switch to a profile (copies profile β .env)
envguard profile switch stagingSub-commands:
| Command | Description |
|---|---|
pin <name> |
Save current .env as a named profile |
list |
List all saved profiles |
show <name> |
Display profile contents (with secret masking) |
switch <name> |
Activate a profile (backups existing .env) |
EnvGuard is configured entirely through CLI flags and environment variables:
| Environment Variable | Purpose |
|---|---|
ENVGUARD_PASSWORD |
Default password for encrypt/decrypt (avoids prompt) |
.env.schema uses a simple, human-readable format:
# KEY type required "description" # default: value
DATABASE_URL str true "PostgreSQL connection string"
API_KEY str true "API key for external service"
DEBUG bool false "Enable debug mode"
PORT int false "Server port" # default: 8080
MAX_RETRIES int false "Max retry attempts" # default: 3
LOG_LEVEL str false "Logging level"
REDIS_URL url false "Redis connection URL"
ADMIN_EMAIL email false "Admin notification email"
FEATURE_FLAGS json false "Feature flag configuration"
DATA_DIR path false "Data directory path"
Supported types:
| Type | Description | Validation |
|---|---|---|
str |
String | Any non-empty value |
int |
Integer | Must parse as integer |
float |
Float | Must parse as float |
bool |
Boolean | 1/0, true/false, yes/no, on/off |
url |
URL | Must start with http://, https://, ftp://, etc. |
email |
Basic email format check | |
json |
JSON | Must parse as valid JSON |
path |
File path | Non-empty, no null bytes |
envguard/
βββ LICENSE
βββ README.md
βββ pyproject.toml # Package metadata + dependencies
βββ envguard/
β βββ __init__.py # Package init, version
β βββ __main__.py # python -m envguard support
β βββ cli.py # CLI entrypoint, argument parsing
β βββ schema.py # Schema parsing, validation, generation
β βββ crypto.py # AES-256-GCM encrypt/decrypt
β βββ profiles.py # Profile management
βββ tests/
βββ test_envguard.py # 58 unit tests
- Encryption: AES-256-GCM (authenticated encryption β tampering is detected)
- Key derivation: PBKDF2-HMAC-SHA256 with 600,000 iterations and random salt
- No plaintext leakage: Encrypted files contain a magic header (
EGCM) plus salt + nonce + ciphertext; no plaintext is ever written to disk - Profiles are plain files: Profile
.envfiles are stored in.envguard/β add this to your.gitignore
git clone https://github.com/AFS-Agentics/envguard.git
cd envguard
pip install -e ".[dev]"
pytest tests/ -vMIT License β see LICENSE for details.
Built by AFS Agentics.
