envscan for GitHub Actions

GitHub Actions workflows reference env vars that aren’t in .env.example, aren’t in your README, and fail silently when they’re missing. envscan scans your source files and CI YAML to find all of them — automatically.

$ envscan scan --include-yaml .github/workflows/
Found 12 environment variables:
  DATABASE_URL     type: url     src/db.ts:12
  PORT             type: number  src/server.ts:5
  JWT_SECRET       type: secret  src/auth.ts:8
  NODE_ENV         type: string  src/config.ts:2
  GH_TOKEN         type: token   .github/workflows/deploy.yml:15
  SLACK_WEBHOOK    type: url     .github/workflows/notify.yml:8
  AWS_REGION       type: string  .github/workflows/deploy.yml:22
  NPM_TOKEN        type: token   .github/workflows/publish.yml:11
  SENTRY_DSN       type: url     src/errors.ts:4
  API_RATE_LIMIT   type: number  src/middleware.ts:9
  SMTP_HOST        type: string  src/mailer.ts:15
  LOG_LEVEL        type: string  src/logger.ts:7

Missing from .env.example: JWT_SECRET, GH_TOKEN, SLACK_WEBHOOK (3/12 undocumented)
Exit code: 1
Why GitHub Actions env vars get undocumented

Workflow YAML files reference secrets (${{ secrets.GH_TOKEN }}) that live outside your codebase in GitHub’s secrets store, and env vars (env: PORT: ${{ env.PORT }}) that live only in the workflow file. Nobody updates .env.example when a workflow adds a new secret — it’s a different file in a different context, maintained by different people.

When a new engineer forks the repo, runs npm start, and gets “Error: JWT_SECRET is not defined” — that’s often a workflow secret that was never documented. The app works in CI because the secret exists in GitHub’s store, but breaks locally because nobody wrote it down.

Manual audits mean grepping through every YAML file and every source file, then cross-referencing against .env.example. That takes hours in a medium-sized repo. envscan makes it one command.

What envscan finds

Source file scanning

Parses every .js and .ts file for process.env.VAR_NAME references. Infers type from naming conventions: _PORT → number, _SECRET / _KEY / _TOKEN → secret (redacted in .env.example), _URL → url, everything else → string.

GitHub Actions YAML support

When you pass --include-yaml, envscan also scans .github/workflows/*.yml for ${{ env.VAR }}, ${{ secrets.VAR }}, and hardcoded env: blocks. Maps each var back to the file and line where it’s referenced.

.env.example generation

Generates a documented .env.example with comments showing where each var is used. Secret and token vars are redacted so you never accidentally commit real values. Run in CI to verify new vars are documented before merge.
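To make the scanning and cross-referencing steps above concrete, here is a small JavaScript scanner written for this page (an added illustration, not envscan’s own code). It extracts process.env.VAR references from source text and ${{ env.VAR }} / ${{ secrets.VAR }} expressions from workflow text (hardcoded env: blocks are not handled), infers a type from the naming rules listed above, and reports which names are missing from a .env.example. Treating a bare PORT as a number and the sample inputs themselves are my assumptions.

```javascript
// Added example, not envscan's own code: a minimal scanner mirroring the
// behaviour described on this page, run over constructed inline input.

// Infer a type from the naming conventions the page lists. Counting a bare
// PORT (not only *_PORT) as a number is an assumption.
function inferType(name) {
  if (/(^|_)PORT$/.test(name)) return "number";
  if (/_(SECRET|KEY|TOKEN)$/.test(name)) return "secret";
  if (/_URL$/.test(name)) return "url";
  return "string";
}

// Collect every capture of `re` in `text`, tagged with file:line.
function scanLines(path, text, re) {
  const found = [];
  text.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(re)) found.push({ name: m[1], src: `${path}:${i + 1}` });
  });
  return found;
}

// process.env.VAR references in .js/.ts source.
const SOURCE_RE = /process\.env\.([A-Z][A-Z0-9_]*)/g;
// ${{ env.VAR }} and ${{ secrets.VAR }} expressions in workflow YAML.
const WORKFLOW_RE = /\$\{\{\s*(?:env|secrets)\.([A-Z][A-Z0-9_]*)\s*\}\}/g;

// Names documented in .env.example: KEY=value lines, skipping comments and blanks.
function documentedVars(envExample) {
  return new Set(envExample.split("\n").map((l) => l.trim())
    .filter((l) => l && !l.startsWith("#")).map((l) => l.split("=")[0].trim()));
}

// Keep the first occurrence of each name, type it, and list the undocumented ones.
function audit(sources, workflows, envExample) {
  const refs = [...sources.flatMap(([p, t]) => scanLines(p, t, SOURCE_RE)),
                ...workflows.flatMap(([p, t]) => scanLines(p, t, WORKFLOW_RE))];
  const vars = new Map();
  for (const r of refs) if (!vars.has(r.name)) vars.set(r.name, { ...r, type: inferType(r.name) });
  const documented = documentedVars(envExample);
  const missing = [...vars.keys()].filter((n) => !documented.has(n));
  return { vars: [...vars.values()], missing, exitCode: missing.length ? 1 : 0 };
}

// Constructed sample inputs (hypothetical files, not from any real repo).
const SAMPLE_SOURCES = [
  ["src/db.ts", "import pg from 'pg';\nconst url = process.env.DATABASE_URL;"],
  ["src/auth.ts", "const secret = process.env.JWT_SECRET;\nconst port = process.env.PORT;"],
];
const SAMPLE_WORKFLOWS = [
  ["deploy.yml", "steps:\n  - run: gh release create\n    env:\n      GH_TOKEN: ${{ secrets.GH_TOKEN }}"],
];
const SAMPLE_ENV_EXAMPLE = "# database\nDATABASE_URL=postgres://localhost/app\nPORT=3000\n";
```

Calling audit(SAMPLE_SOURCES, SAMPLE_WORKFLOWS, SAMPLE_ENV_EXAMPLE) reports JWT_SECRET and GH_TOKEN as undocumented with exit code 1, which is the condition a CI check would fail on.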

Run it in your pipeline

# .github/workflows/validate-env.yml
name: Validate environment variables
on: [pull_request]
jobs:
  envscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Audit env var documentation
        run: npx envscan scan --include-yaml .github/workflows/ --fail-on-undocumented

Add envscan to your PR workflow. When a developer adds process.env.NEW_SECRET or a new workflow secret without updating .env.example, the check fails with a clear error — before it reaches main.

Join the waitlist

envscan is in development. Join the waitlist and we’ll email you when it’s ready. Free tier planned: scan unlimited repos, GitHub Actions CI check for up to 3 repos.