ev
evnx
0 incidents since evnx
v0.2.1 · MIT · Rust

Stop leakingsecrets.

evnx is a blazing-fast Rust CLI for validating, scanning, converting, and securing your environment files — before they become incidents.

Install evnxGitHubQuick start →
Open sourceMIT LicensemacOS · Linux · WindowsBuilt with Rust 🦀
Incident Report

The night that
cost $847
and a phone call.

I pushed a hotfix at 11:47 PM. I typed git add . when I meant git add src/. I didn't notice .env was tracked.

The key was live for 22 minutes. An automated scanner found it in four. By the time I woke up to the alerts, three services were down and someone was mining crypto in three AWS regions on my account.

The billing was painful. The call with my development lead at midnight was worse.

Three years and zero incidents later.

evnx is the pre-commit hook, the CI gate, and the doctor diagnostic I wish had existed that night.

Read the full storyPrevention guide →
incident-log — Thu Mar 14 2024

// features

Everything your .env
workflow needs.

From secret detection to cloud migration — evnx handles the entire .env lifecycle.

01

Secret Scanning

Detects AWS keys, Stripe secrets, GitHub tokens, and high-entropy strings before they leave your machine.

02

Validation

Catches placeholders, weak secrets, boolean string traps, and localhost in production configs.

03

14+ Format Targets

JSON, YAML, Kubernetes, Terraform, GitHub Actions, Doppler, Infisical, Heroku, Vercel, and more.

04

Stack Blueprints

Init with pre-wired templates for Django, Next.js, FastAPI, Laravel, Rust, and more frameworks.

05

Bidirectional Sync

Keep .env and .env.example aligned — both directions, automatically.

06
NEW

Add Variables

Manage your .env entirely from the CLI. No manual file editing, no format mistakes.

07
EXPERIMENTAL

Cloud Migration

Push directly to AWS Secrets Manager, Doppler, Infisical, or GitHub Actions secrets.

08

CI/CD Native

SARIF output for GitHub Security tab. Inline PR annotations. Exits 1 on findings.

09

Doctor Diagnostics

Health check everything: gitignore coverage, file permissions, .env.example sync, project structure.

10

Template Engine

Dynamic config generation with filters — |int, |bool, |upper — for multi-environment setups.

11

Encrypted Backups

AES-256-GCM encryption with Argon2 key derivation. Your backups are yours alone.

12
FUTURE

Zero Config

Works out of the box in any project. .evnx.toml unlocks team-level customization.

// install

Running in
under two minutes.

Single static binary. No runtime, no dependencies. Works on macOS, Linux, and Windows.

01

Install

One curl command or cargo install

02

Run doctor

evnx doctor — checks gitignore, permissions, .env.example sync

03

Add pre-commit hook

Blocks any commit containing a secret

Full installation guide
$curl -fsSL https://dotenv.space/install.sh | bash
$ evnx --version
evnx 0.2.1
$ evnx doctor
[OK] Environment looks healthy
[OK] .env is in .gitignore
[OK] .env.example is present and in sync

// commands

Built for your workflow.

All guides
evnx init

Initialize .env and .env.example in your project

$ evnx init
evnx scan

Detect secrets and sensitive data

$ evnx scan --path ./config --format sarif
evnx validate

Catch misconfiguration before deployment

$ evnx validate --strict --exit-code
evnx sync

Two way sync .env <-> .env.example

$ evnx sync --direction forward
evnx convert

Export to 14+ secret manager formats

$ evnx convert --from .env --to kubernetes
evnx addNEW

Manage variables without touching files

$ evnx add DATABASE_URL "postgres://..."
evnx doctor

Full environment health check

$ evnx doctor --fix
evnx migrateEXPERIMENTAL

Push secrets to a cloud manager

$ evnx migrate --to aws-secrets-manager
evnx diff

Provide diff between .env and .env.example

$ evnx diff

// integrations

Ship with confidence.

evnx runs everywhere your code does.

GitHub Actions.github/workflows/scan.yml
YAML
name: evnx security scanon: [pull_request, push] jobs:  scan:    runs-on: ubuntu-latest    steps:      - uses: actions/checkout@v4      - run: curl -fsSL https://dotenv.space/install.sh | bash      - run: evnx scan --format github --exit-code
Pre-commit Hook.pre-commit-config.yaml
YAML
repos:  - repo: local    hooks:      - id: evnx-scan        name: Scan for secrets        entry: evnx scan --exit-code        language: system        files: '\.env'
DockerDockerfile
Dockerfile
FROM rust:slim AS buildRUN cargo install evnx COPY .env .envRUN evnx validate --strict  && evnx scan --exit-code
Full GitHub Actions guide →

// get started

Don't wait for
your incident.

Install evnx, run evnx doctor, add the pre-commit hook. Five minutes of setup to avoid the worst conversation of your career.

Install evnx — it's free5-minute quick start
$ curl -fsSL https://dotenv.space/install.sh | bash
✓ evnx 0.2.1 installed
$ evnx init
✓ Created.env and .env.example
✓ Added to .gitignore
$ evnx doctor
✓ All checks passed
$ evnx scan
✓ No secrets detected
✓ You're protected