CleanUtils

.env Validator and Secret Scanner

Paste a dotenv file, catch duplicate or malformed keys, and generate a safer example file locally.

Also useful for: .env validator dotenv linter env validator .env Validator and Secret Scanner

.env Validator and Secret Scanner

Runs in your browser. Inputs are not uploaded.
Input
Results 
Summary: 3 unique keys scanned. 1 error, 3 warnings.

Stats
- Keys: 3

Issues
- Critical, line 4: Line is not valid KEY=value dotenv syntax.
- Warning, line 1: API_KEY looks sensitive. Keep it out of shared examples and tickets.
- Warning, line 3: Duplicate key "API_KEY" also appears on line 1.
- Warning, line 3: API_KEY looks sensitive. Keep it out of shared examples and tickets.

Output
API_KEY=
DATABASE_URL=
API_KEY=
PUBLIC_URL=

.env Validator and Secret Scanner Example Run

Find dotenv syntax mistakes before sharing an example file.

Sample inputs
API_KEY=sk-live-1234567890abcdef
DATABASE_URL="postgres://user:pass@example.com/db"
API_KEY=duplicate
BAD LINE
PUBLIC_URL=https://example.com

Generated result
Summary: 3 unique keys scanned. 1 error, 3 warnings.

Stats
- Keys: 3

Issues
- Critical, line 4: Line is not valid KEY=value dotenv syntax.
- Warning, line 1: API_KEY looks sensitive. Keep it out of shared examples and tickets.
- Warning, line 3: Duplicate key "API_KEY" also appears on line 1.
- Warning, line 3: API_KEY looks sensitive. Keep it out of shared examples and tickets.

Output
API_KEY=
DATABASE_URL=
API_KEY=
PUBLIC_URL=

What the .env Validator and Secret Scanner Checks

  • Dotenv assignment syntax

    Lines are checked for KEY=value shape while comments and blank lines are tolerated.

  • Duplicate keys

    Repeated keys are reported with line numbers because later values can silently override earlier ones.

  • Sensitive-looking values

    API keys, tokens, passwords, and database URLs are flagged with conservative heuristics.

  • .env.example export

    The generated example keeps keys and comments but removes values that should not be shared.

  • Local processing

    Secrets are scanned in the browser and are not uploaded for remote analysis.

.env Validator and Secret Scanner Questions

  • Q: Does the .env validator and secret scanner upload my .env file? A: No. Inputs are processed in your browser, and pasted content is not sent to analytics or a server.
  • Q: What should I paste into the .env validator and secret scanner? A: Paste dotenv-style KEY=value lines. Comments and simple quoted values are supported.
  • Q: What can I copy or download? A: You can copy the lint report or download a safer .env.example with values removed.
  • Q: What does the .env validator and secret scanner not verify? A: Secret detection is heuristic. It cannot prove a value is safe, detect every custom token format, or rotate leaked credentials.

Related Tools

Updates

  • v1.0.0 New 2026-05-17: Initial dotenv lint, duplicate detection, secret warnings, and example export added.

Use .env Validator and Secret Scanner with an LLM

Copy the prompt or pass the llms.txt contract link to your assistant.

Prompt 
Use the CleanUtils .env Validator and Secret Scanner tool for this request.
Tool contract: https://cleanutils.com/developer-tools/env-validator-secret-scanner/llms.txt

Read the llms.txt contract, ask me for any missing required input, then follow the contract exactly. If the contract includes JavaScript, run `runCleanUtilsTool(userInput)` in a sandboxed JavaScript runtime and return the result with any warnings or errors.
llms.txt https://cleanutils.com/developer-tools/env-validator-secret-scanner/llms.txt