Install
openclaw skills install envguardenvguard
Pre-commit secret detection — block leaked credentials, API keys, and .env files before they hit git
EnvGuard — Pre-Commit Secret Detection
EnvGuard scans your code for leaked secrets, credentials, API keys, and .env file contents before they reach git. It uses regex-based pattern matching against 50+ secret formats from 20+ services, lefthook for git hook integration, and produces SARIF-compatible reports for compliance workflows.
Commands
Free Tier (No license required)
envguard scan [file|directory]
One-shot secret scan of files or directories.
How to execute:
bash "<SKILL_DIR>/scripts/envguard.sh" scan [target]
What it does:
- Accepts a file path or directory (defaults to current directory)
- Finds all text files (excluding .git/, node_modules/, dist/, build/, vendor/, pycache)
- Runs 50+ secret detection patterns against each file
- Respects .envguardignore exclusions (gitignore syntax)
- Outputs findings with: file, line number, pattern matched, severity, redacted match
- Exit code 0 if clean, exit code 1 if critical/high findings detected
Example usage scenarios:
- "Scan this repo for leaked secrets" -> runs
envguard scan . - "Check this file for API keys" -> runs
envguard scan src/config.ts - "Are there any secrets in my source code?" -> runs
envguard scan src/
Pro Tier ($19/user/month -- requires ENVGUARD_LICENSE_KEY)
envguard hooks install
Install git pre-commit hooks that scan staged files for secrets before every commit.
How to execute:
bash "<SKILL_DIR>/scripts/envguard.sh" hooks install
What it does:
- Validates Pro+ license
- Copies lefthook config to project root
- Installs lefthook pre-commit hook
- On every commit: scans all staged files for secrets, blocks commit if secrets found, shows remediation advice
envguard hooks uninstall
Remove EnvGuard git hooks.
bash "<SKILL_DIR>/scripts/envguard.sh" hooks uninstall
envguard allowlist [add|remove|list] [pattern]
Manage false positive patterns. Allowlisted patterns are skipped during scanning.
bash "<SKILL_DIR>/scripts/envguard.sh" allowlist add "EXAMPLE_API_KEY_FOR_TESTS"
bash "<SKILL_DIR>/scripts/envguard.sh" allowlist remove "EXAMPLE_API_KEY_FOR_TESTS"
bash "<SKILL_DIR>/scripts/envguard.sh" allowlist list
What it does:
- Validates Pro+ license
- Reads/writes allowlist in ~/.openclaw/openclaw.json (envguard.config.allowlist)
- Allowlisted patterns are treated as known-safe and skipped during scans
envguard diff
Scan only staged changes (git diff --cached) for secrets.
bash "<SKILL_DIR>/scripts/envguard.sh" diff
What it does:
- Validates Pro+ license
- Gets staged changes via
git diff --cached - Scans only added/modified lines for secrets
- Ideal for pre-commit checks on large repos
Team Tier ($39/user/month -- requires ENVGUARD_LICENSE_KEY with team tier)
envguard history [directory]
Full git history scan -- finds secrets in all previous commits.
bash "<SKILL_DIR>/scripts/envguard.sh" history [directory]
What it does:
- Validates Team+ license
- Walks entire git log using
git log -p - Scans every diff for secrets across all commits
- Reports: commit hash, author, date, file, line, pattern matched
- Critical for onboarding repos that may have had secrets committed in the past
envguard report [directory]
Generate a SARIF-compatible or markdown compliance report.
bash "<SKILL_DIR>/scripts/envguard.sh" report [directory]
What it does:
- Validates Team+ license
- Runs full scan of the directory
- Generates a formatted markdown report with severity breakdown
- Includes remediation steps for each finding category
- Output suitable for compliance audits and security reviews
envguard policy [directory]
Custom secret patterns and enforcement rules.
bash "<SKILL_DIR>/scripts/envguard.sh" policy [directory]
What it does:
- Validates Team+ license
- Loads custom patterns from ~/.openclaw/openclaw.json (envguard.config.customPatterns)
- Enforces organization-specific secret rules (e.g., internal token formats)
- Combines custom patterns with built-in patterns for comprehensive scanning
Detected Secret Types
EnvGuard detects 50+ secret patterns across 20+ services:
| Category | Examples | Severity |
|---|---|---|
| AWS Credentials | AKIA* keys, aws_secret_access_key | Critical |
| Stripe Keys | sk_live_, sk_test_, rk_live_, whsec_ | Critical |
| GitHub Tokens | ghp_, gho_, ghu_, ghs_, ghr_* | Critical |
| GitLab Tokens | glpat-* | Critical |
| Private Keys | RSA, OPENSSH, DSA, EC, PGP private keys | Critical |
| Slack Tokens | xoxb-, xoxp-, xoxo-, xapp- | High |
| Google API Keys | AIza* | High |
| JWT Tokens | eyJ* (long base64 tokens) | High |
| Database URIs | postgres://, mysql://, mongodb://, redis:// | High |
| Twilio Keys | SK* account SIDs | High |
| SendGrid Keys | SG.* | High |
| Firebase/Supabase | API keys and service tokens | High |
| npm Tokens | npm_* | High |
| Heroku API Keys | Heroku token patterns | Medium |
| DigitalOcean | dop_v1_, doo_v1_ | Medium |
| Azure Keys | Azure subscription/account keys | Medium |
| Cloudflare | API tokens and keys | Medium |
| Docker Hub | Docker auth tokens | Medium |
| Mailgun/Postmark | API keys | Medium |
| Generic Secrets | api_key=, password=, secret=, token= | Low |
| .env Leaks | KEY=value patterns in source files | Low |
Configuration
Users can configure EnvGuard in ~/.openclaw/openclaw.json:
{
"skills": {
"entries": {
"envguard": {
"enabled": true,
"apiKey": "YOUR_LICENSE_KEY_HERE",
"config": {
"severityThreshold": "high",
"allowlist": [],
"customPatterns": [],
"excludePatterns": ["**/node_modules/**", "**/dist/**", "**/.git/**"],
"reportFormat": "markdown"
}
}
}
}
}
Important Notes
- Free tier works immediately with no configuration
- All scanning happens locally -- no code or secrets are sent to external servers
- License validation is offline -- no phone-home or network calls
- Supports .envguardignore files (gitignore syntax) to exclude paths
- Matches are always redacted in output (first/last 4 chars only)
- Git hooks use lefthook which must be installed (see install metadata above)
- Exit codes: 0 = clean, 1 = findings detected (for CI/CD integration)
Error Handling
- If lefthook is not installed and user tries
hooks install, prompt to install it - If license key is invalid or expired, show clear message with link to https://envguard.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If .envguardignore is malformed, warn and continue with default excludes
- If no files found in target, report clean scan with info message
When to Use EnvGuard
The user might say things like:
- "Scan for leaked secrets"
- "Check if any API keys are in my code"
- "Set up secret scanning on my commits"
- "Are there any credentials in this repo?"
- "Generate a security report for compliance"
- "Scan git history for leaked passwords"
- "Block secrets from being committed"
- "Check my staged files for secrets"
- "Add a false positive to the allowlist"