Python-native validator for .env / config files.
Catch misconfig and secret leaks before they hit production.
python-dotenv only loads env files — it won't tell you API_URL is missing or
PORT is "abc". dotenv-linter is a great Rust CLI, but there is no Python
library + no hosted service combining schema validation, secret-leak scanning,
and drift history. envguard does all three, self-hostable in 30 seconds.
# from git (not yet on PyPI)
pip install git+https://github.com/Hontaa/envguard.gitfrom envguard import parse_env, validate, find_leaks, diff_envs
text = "API_URL=not-a-url\nPORT=abc\nAWS_KEY=AKIAIOSFODNN7EXAMPLE"
env = parse_env(text)
schema = {
"API_URL": {"required": True, "type": "url"},
"PORT": {"required": True, "type": "int"},
}
result = validate(env, schema)
print(result.ok) # False
for e in result.errors:
print(e.key, e.message)
print(find_leaks(env)) # [('AWS_KEY', 'AWS_ACCESS_KEY')]staging = parse_env("A=1\nB=2")
prod = parse_env("A=1\nB=9\nC=3")
print(diff_envs(staging, prod))
# {'added': {'C': '3'}, 'removed': {}, 'changed': {'B': ('2', '9')}}envguard check .env --schema schema.json # schema validation
envguard scan .env # secret-leak scan
envguard diff staging.env prod.env # drift between environmentsENVGUARD_KEYS=sk_demo uvicorn api_server:app --port 8000| Endpoint | Auth | Purpose |
|---|---|---|
POST /v1/validate |
none (open core) | schema validation |
POST /v1/scan |
API key | secret-leak scan |
POST /v1/drift |
API key | snapshot + compare, stores history |
Example response (POST /v1/validate):
{
"ok": false,
"errors": [
{"key": "API_URL", "message": "must be a valid URL"},
{"key": "PORT", "message": "expected int, got 'abc'"}
]
}The open core is MIT. The hosted dashboard adds, behind an API key:
- team alerting when a secret leaks into a pushed
.env - historical drift timeline across environments
- CI integration (fail the build on new
unknownkeys)
Self-host the API above, or use the managed service (link in releases).
MIT