.env validator CLI — tools.voiddo/envguard vs dotenv-linter
Both validate .env files in CI and pre-commit. dotenv-linter enforces consistent formatting. envguard validates value types and formats (url, uuid, semver, ip…), scans for leaked secrets, and checks gitignore coverage.
tools.voiddo/envguard
- 21 typed validators: url, uuid, semver, duration, json, ip, email, hostname, enum, secret, integer, float, boolean, port, hex, base64, jwt…
- min/max constraints on numeric values
- Secret-leak scanner: high-entropy strings, AWS/GitHub/Stripe patterns
- gitignore check: warns if .env files would be committed
- JSON Schema support for .env schemas
- Pre-commit / CI friendly (non-zero exit on failure)
- MIT licensed, Node 14+, zero deps
dotenv-linter
- Format enforcement: no trailing spaces, no duplicate keys, alphabetical key order
- Rust binary — no Node.js or Python required
- Extremely fast, even on large .env files
- Auto-fix mode for formatting violations
- No value type validation; no secret scanning; no schema
- Widely used in DevOps pipelines, Docker images
Feature comparison
| Feature | tools.voiddo/envguard | dotenv-linter |
|---|---|---|
| Detect duplicate keys | ✓ | ✓ |
| Detect trailing spaces | ✓ | ✓ |
| Enforce alphabetical ordering | — | ✓ |
| Auto-fix formatting violations | — | ✓ --fix flag |
| Validate value as URL | ✓ type: url | ✗ |
| Validate value as UUID | ✓ type: uuid | ✗ |
| Validate value as semver | ✓ type: semver | ✗ |
| Validate value as IP address | ✓ ipv4, ipv6 | ✗ |
| Validate integer range (min/max) | ✓ | ✗ |
| Validate enum values | ✓ type: enum, values: [...] | ✗ |
| Validate regex pattern match | ✓ type: regex | ✗ |
| Secret leak scanner | ✓ patterns + entropy | ✗ |
| gitignore coverage check | ✓ | ✗ |
| JSON Schema for .env spec | ✓ | ✗ |
| Required/optional variables | ✓ | ✗ |
| CI-friendly (non-zero exit) | ✓ | ✓ |
| Pre-commit hook integration | ✓ | ✓ |
| No Node.js required | Node 14+ needed | ✓ Rust binary |
| Open source | ✓ MIT | ✓ MIT |
Comparison based on publicly observable behavior as of 2026-05. For teams that want consistent .env formatting with auto-fix and a Rust binary, dotenv-linter is ideal. For teams that need type validation, secret scanning, and a schema contract, envguard fills the gap.
FAQ
Can envguard catch a PORT variable that is not a valid port number?
Yes. In your .env.schema, declare
PORT: { type: port } and envguard will reject any value outside 1–65535. You can also constrain it further with min: 1024, max: 49151 to enforce user-space ports only. dotenv-linter would accept any value for PORT.How does the secret-leak scanner work?
envguard checks each value against a set of high-risk patterns: AWS access key format (
AKIA[0-9A-Z]{16}), GitHub personal access tokens, Stripe API key prefixes, and high-entropy strings (measured by Shannon entropy) that look like randomly generated credentials. If any match is found, it reports the variable name and pattern — without printing the secret value itself.Should I use both dotenv-linter and envguard?
Yes, they are complementary. dotenv-linter enforces formatting consistency and has an auto-fix mode. envguard validates types and scans for secrets. A complete pre-commit pipeline might run dotenv-linter first (format check), then envguard (type + security check). Both are CI-safe with non-zero exit codes on failure.
How do I create a .env schema for envguard?
Create a
.env.schema JSON file listing each variable with its type and constraints: {"DATABASE_URL": {"type": "url", "required": true}, "PORT": {"type": "port"}, "LOG_LEVEL": {"type": "enum", "values": ["debug", "info", "warn", "error"]}}. Run envguard validate .env --schema .env.schema. Any variable present in the schema but missing in .env (and marked required) will fail validation.Does envguard check that .env is in .gitignore?
Yes. envguard reads the .gitignore files in the current directory and warns if the validated .env file (or any .env.* it finds) is not excluded. This prevents accidentally committing secrets when a new .env variant is added but the gitignore is not updated.
When would I choose dotenv-linter over envguard?
Use dotenv-linter when: (1) you want a Rust binary with zero Node.js dependency; (2) you need auto-fix mode to enforce alphabetical ordering automatically; (3) you work in a polyglot repo where Node.js is not present. dotenv-linter is also faster for large .env files. envguard is the better choice when you need value validation and security scanning.
Try tools.voiddo/envguard
Validate .env files with 21 typed validators, secret-leak scanning, and gitignore checks. Pre-commit and CI friendly. Zero deps.
Competitor names and trademarks belong to their respective owners. This comparison reflects publicly observable tool behavior.