Security

.env secret & weak-value scanner API

Parses a caller-provided dotenv-format string and flags leaked secrets and weak values: provider-recognised credentials (AWS/Stripe/GitHub/etc.), secret-bearing keys (SECRET/TOKEN/KEY/PASSWORD/DSN) holding real or short values, weak or placeholder values ('changeme', '123456'), connection strings with embedded credentials, and enabled insecure flags (DEBUG, disabled TLS verification). It returns per-line findings with severity and remediation, plus a 0-100 score. Answers questions such as 'Are there secrets in my .env?' and 'Is my .env using weak defaults?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/env-leak
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, dotenv, env, secrets, credentials, weak-password, leak, scoring
API URL: https://x402.hexl.dev/v1/security/env-leak
Example request
{
  "env": "NODE_ENV=production\nDB_PASSWORD=changeme\nSTRIPE_SECRET=sk_live_abc123def456ghi789jkl0\nDEBUG=true"
}
Example response
{
  "score": 33,
  "clean": false,
  "pairsParsed": 4,
  "findingsCount": 4,
  "criticalFindings": 1,
  "findings": [
    {
      "id": "provider-stripe-secret",
      "severity": "critical",
      "key": "",
      "title": "Stripe credential present (sk_l***l0)",
      "remediation": "Rotate and remove this Stripe credential from the .env; load it from a secrets manager.",
      "line": 3
    },
    {
      "id": "weak-value",
      "severity": "high",
      "key": "DB_PASSWORD",
      "title": "Secret key 'DB_PASSWORD' uses a weak/placeholder value ('changeme')",
      "remediation": "Replace with a strong random value (>=16 chars) and store outside the repo.",
      "line": 2
    },
    {
      "id": "secret-present",
      "severity": "high",
      "key": "STRIPE_SECRET",
      "title": "Secret key 'STRIPE_SECRET' holds a real value (sk_***l0, entropy 4.57)",
      "remediation": "Ensure this .env is git-ignored; load secrets from a manager rather than committing them.",
      "line": 3
    },
    {
      "id": "insecure-flag-on",
      "severity": "medium",
      "key": "DEBUG",
      "title": "Insecure flag 'DEBUG' is enabled",
      "remediation": "Disable 'DEBUG' in production.",
      "line": 4
    }
  ]
}
Input schema
{
  "type": "object",
  "required": [
    "env"
  ],
  "properties": {
    "env": {
      "type": "string",
      "minLength": 1,
      "description": "Raw .env file contents.",
      "examples": [
        "NODE_ENV=production\nDB_PASSWORD=changeme\nSTRIPE_SECRET=sk_live_abc123def456ghi789jkl0\nDEBUG=true"
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}
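
The checks described above can be sketched as a local scanner; this is an added example, not the service's implementation. Its patterns, word lists, severities and first-4/last-2 masking are assumptions chosen so that the page's sample input yields the same four finding ids, and character-level Shannon entropy reproduces the 4.57 shown in the example response.

```python
import math
import re
from collections import Counter

# Patterns, word lists and severities are illustrative assumptions.
PROVIDERS = {"provider-stripe-secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}")}
SECRET_KEY = re.compile(r"SECRET|TOKEN|KEY|PASSWORD|DSN", re.I)
WEAK_VALUES = {"changeme", "123456"}
INSECURE_FLAGS = {"DEBUG"}
TRUTHY = {"1", "true", "yes", "on"}
RANK = {"critical": 0, "high": 1, "medium": 2}
# The env string from the page's example request.
SAMPLE = ("NODE_ENV=production\nDB_PASSWORD=changeme\n"
          "STRIPE_SECRET=sk_live_abc123def456ghi789jkl0\nDEBUG=true")


def shannon_entropy(value):
    """Bits per character over the value's character distribution."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())


def mask(value):
    """Keep only the first 4 and last 2 characters so reports never echo a secret."""
    return value[:4] + "***" + value[-2:] if len(value) > 8 else "***"


def scan_env(text):
    findings = []

    def add(fid, severity, line, key, detail):
        findings.append({"id": fid, "severity": severity, "line": line,
                         "key": key, "detail": detail})

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a KEY=VALUE pair
        key, _, value = line.partition("=")
        key = re.sub(r"^export\s+", "", key.strip())
        value = value.strip().strip("'\"")
        for fid, pattern in PROVIDERS.items():
            if pattern.search(value):
                add(fid, "critical", lineno, key, mask(value))
        if value and SECRET_KEY.search(key):
            if value.lower() in WEAK_VALUES:
                add("weak-value", "high", lineno, key, value)
            else:
                detail = f"{mask(value)}, entropy {shannon_entropy(value):.2f}"
                add("secret-present", "high", lineno, key, detail)
        if key.upper() in INSECURE_FLAGS and value.lower() in TRUTHY:
            add("insecure-flag-on", "medium", lineno, key, value)
    # Most severe first, then by line number.
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["line"]))
```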