dotenv-diff 2.1.6 → 2.2.0

package/README.md

@@ -1,8 +1,14 @@
 # dotenv-diff
 
-Easily compare your .env, .env.example, and other environment files (like .env.local, .env.production) to detect missing, extra, empty, or mismatched variables — and ensure they’re properly ignored by Git.
+![Demo](./public/demo.gif)
 
-Or scan your codebase to find out which environment variables are actually used in your code, and which ones are not.
+Easily scan your codebase to detect which environment variables are actually used in your code — and which ones are not.
+
+This package will:
+- Scan your codebase to find environment variables in use.
+- Show statistics about the usage of these variables.
+- Detect missing environment variables.
+- Find potential secrets in your codebase.
 
 Optimized for JavaScript/TypeScript projects and frontend frameworks including Node.js, Next.js, Vite, SvelteKit, Nuxt, Vue, and Deno. Can also be used with other project types for basic .env file comparison.
 
@@ -28,19 +34,17 @@ pnpm add -g dotenv-diff
 ```bash
 dotenv-diff
 ```
-## What it checks
-dotenv-diff will automatically compare all matching .env* files in your project against .env.example, including:
-- `.env`
-- `.env.local`
-- `.env.production`
-- Any other .env.* file
 
-## Scan your codebase for environment variable usage
+This scans your entire codebase to detect which environment variables are actually used in the code — and compare them against your `.env` file.
+
+## Why dotenv-diff?
+
+- **Prevent production issues**: Ensure all required environment variables are defined before deploying.
+- **Avoid runtime errors**: Catch missing or misconfigured variables early in development.
+- **Improve collaboration**: Keep your team aligned on necessary environment variables.
+- **Enhance security**: Ensure sensitive variables are not accidentally committed to version control.
+- **Scale confidently**: Perfect for turbo monorepos and multi-environment setups.
 
-```bash
-dotenv-diff --scan-usage
-``` 
-This scans your entire codebase to detect which environment variables are actually used in the code — and compare them against your `.env` file(s).
 
 ## CI/CD integration with `--ci` option
 You can scan and compare against specific environment file, eg. `.env.example`
@@ -50,30 +54,30 @@ Use the `--ci` flag for automated environments. This enables strict mode where t
 
 And the `--example` option allows you to specify which `.env.example` file to compare against.
 
-### Use it in Github Actions for at turborepo, Example:
+### Use it in Github Actions Example:
 
 ```yaml
 - name: Check environment variables
-  run: dotenv-diff --ci --scan-usage --show-unused --example .env.example --include-files \"./src/**/*,../../packages/**/*\" --ignore VITE_MODE,NODE_ENV
+  run: dotenv-diff --ci --example .env.example --ignore VITE_MODE,NODE_ENV
 ```
 
 You can also change the comparison file by using the `--example` flag to point to a different `.env.example` file. 
 
 ```bash
-dotenv-diff --scan-usage --example .env.example.staging --ci
+dotenv-diff --example .env.example.staging --ci
 ```
 
 ## Use it in a Turborepo Monorepo
 
 In a monorepo setup (e.g. with Turborepo), you often have multiple apps under apps/ and shared packages under packages/.
-You can run dotenv-diff from one app and still include files from sibling apps or packages.
+You can run dotenv-diff from one app and still include files from your packages folder.
 
 For example, if you want to scan from the apps/app1 folder and also include code in packages/auth, you can do:
 
 ```json
 {
   "scripts": {
-    "dotenv-diff": "dotenv-diff --scan-usage --example .env.example --include-files '../../packages/**/*' --ignore VITE_MODE"
+    "dotenv-diff": "dotenv-diff --example .env.example --include-files '../../packages/**/*' --ignore VITE_MODE"
   }
 }
 ```
@@ -81,65 +85,49 @@ For example, if you want to scan from the apps/app1 folder and also include code
 This will:
 - Compare the variables used in your `apps/app1` code against `apps/app1/.env.example`.
 - Also scan files in `../../packages`(like `packages/components/src/..`)
-- Ignore variables like VITE_MODE that you only use in special cases.
+- Ignore variables like VITE_MODE that you only use in special cases (.env.test).
 
 ## Automatic fixes with `--fix`
 
-Use the `--fix` flag to automatically fix missing keys in your `.env` and remove duplicate keys. 
+Use the `--fix` flag to automatically fix missing keys in your `.env`.
 
 ```bash
 dotenv-diff --fix
 ```
 
-This will:
-- Add any missing keys from `.env.example` to your `.env` file with empty values
-- Remove duplicate keys in your `.env` file (keeping the last occurrence)
-
-## Use --fix with scan-usage
-
-You can also combine `--fix` with `--scan-usage` to automatically add any missing keys that are used in your code but not defined in your `.env` file:
-
-```bash
-dotenv-diff --scan-usage --fix
-```
-
-Using `--fix`with `--scan-usage` will not detect duplicate keys, it will only add missing keys.
-
 ### Example workflow
 
-1. You add `process.env.NEW_API_KEY` in your code.
-2. You run `dotenv-diff --scan-usage --fix`.
+1. You have `process.env.NEW_API_KEY` in your code.
+2. You run `dotenv-diff --fix`.
 3. The tool automatically adds `NEW_API_KEY=` to your `.env` file.
 
-## Scan your codebase for environment variables and add it directly to .env.example?
+## Show unused variables
+
+As default, `dotenv-diff` will list variables that are defined in `.env` but never used in your codebase.
 
+To disable this behavior, use the `--no-show-unused` flag:
 ```bash
-dotenv-diff --scan-usage --example .env.example --fix
+dotenv-diff --no-show-unused
 ```
+This will prevent the tool from listing variables that are defined in `.env` but not used in your codebase.
 
-This scans your codebase for environment variable usage and adds any missing keys directly to your `.env.example` file with empty values.
+## Show statistics
 
-## Show unused variables
-
-Use `--show-unused` together with `--scan-usage` to list variables that are defined in `.env` but never used in your codebase:
-```bash
-dotenv-diff --scan-usage --show-unused
-```
-This will show you which variables are defined in your `.env` file but not used in your codebase. This helps you clean up unnecessary environment variables.
+By default, `dotenv-diff` will show statistics about the scan, such as the number of files scanned, variables found, and unique variables used.
 
-## Show scan statistics
+To disable this behavior, use the `--no-show-stats` flag:
 
 ```bash
-dotenv-diff --show-stats
+dotenv-diff --no-show-stats
 ```
-This will display statistics about the scan, such as the number of files scanned, variables found, and any unused variables. It provides a quick overview of your environment variable usage.
+This will prevent the tool from displaying statistics about the scan.
 
 ## include or exclude specific files for scanning
 
 You can specify which files to include or exclude from the scan using the `--include-files` and `--exclude-files` options:
 
 ```bash
-dotenv-diff --scan-usage --include-files '**/*.js,**/*.ts' --exclude-files '**/*.spec.ts'
+dotenv-diff --include-files '**/*.js,**/*.ts' --exclude-files '**/*.spec.ts'
 ```
 
 By default, the scanner looks at JavaScript, TypeScript, Vue, and Svelte files.
@@ -147,32 +135,18 @@ The --include-files and --exclude-files options let you refine this list to focu
 
 ### Override with `--files`
 
-If you want to completely override the default include/exclude logic (for example, to also include test files), you can use --files:
+If you want to completely override the default include/exclude logic (for example, to only include specific files), you can use --files:
 ```bash
-dotenv-diff --scan-usage --files '**/*.js'
+dotenv-diff --files '**/*.js'
 ```
-This will only scan the files matching the given patterns, even if they would normally be excluded.
 
 ## Optional: Check values too
 
 ```bash
-dotenv-diff --check-values
+dotenv-diff --check-values --compare
 ```
 
-When using the `--check-values` option, the tool will also compare the actual values of the variables in `.env` and `.env.example`. It will report any mismatches found and it also compares values if .env.example defines a non-empty expected value.
-
-## Duplicate key warnings
-
-`dotenv-diff` warns when a `.env*` file contains the same key multiple times. The last occurrence wins. Suppress these warnings with `--allow-duplicates`.
-
-## Only show specific categories
-
-Use the `--only` flag to restrict the comparison to specific categories. For example:
-
-```bash
-dotenv-diff --only missing,extra
-```
-This will only show missing and extra keys, ignoring empty, mismatched, duplicate keys and so on.
+When using the `--check-values` option together with `--compare`, the tool will also compare the actual values of the variables in `.env` and `.env.example`. It will report any mismatches found and it also compares values if .env.example defines a non-empty expected value.
 
 ## Ignore specific keys
 
@@ -206,35 +180,40 @@ dotenv-diff --no-color
 
 ## Compare specific files
 
+The `--compare` flag will compare all matching .env* files in your project against .env.example, including:
+- `.env`
+- `.env.local`
+- `.env.production`
+- Any other .env.* file
+
 Override the autoscan and compare exactly two files:
 
 ```bash
-dotenv-diff --env .env.staging --example .env.example.staging
+dotenv-diff --compare --env .env.local --example .env.example.local
 ```
 
 You can also fix only one side. For example, force a particular `.env` file and let the tool find the matching `.env.example`:
 
-```bash
-dotenv-diff --env .env.production
-```
+When using the `--compare` flag, `dotenv-diff` warns when a `.env*` file contains the same key multiple times. The last occurrence wins. Suppress these warnings with `--allow-duplicates`.
 
-Or provide just an example file and let the tool locate the appropriate `.env`:
+Use the `--only` flag to restrict the comparison to specific categories. For example:
 
 ```bash
-dotenv-diff --example .env.example.production
+dotenv-diff --only missing,extra
 ```
+This will only show missing and extra keys, ignoring empty, mismatched, duplicate keys and so on.
 
 ## Automatically create missing files
 
 Run non-interactively in CI environments with:
 
 ```bash
-dotenv-diff --yes    # auto-create missing files without prompts
+dotenv-diff --compare --yes    # auto-create missing files without prompts
 ```
 
 You can also use `-y` as a shorthand for `--yes`.
 
-## Automatic file creation prompts
+### Automatic file creation prompts
 
 If one of the files is missing, `dotenv-diff` will ask if you want to create it from the other:
 
@@ -243,7 +222,7 @@ If one of the files is missing, `dotenv-diff` will ask if you want to create it
 
 This makes it quick to set up environment files without manually copying or retyping variable names.
 
-## Also checks your .gitignore
+### Also checks your .gitignore
 
 `dotenv-diff` will warn you if your `.env` file is **not** ignored by Git.  
 This helps prevent accidentally committing sensitive environment variables.

package/dist/src/cli/program.js

@@ -16,9 +16,11 @@ export function createProgram() {
         .option('--no-color', 'Disable colored output')
         .option('--only <list>', 'Comma-separated categories to only run (missing,extra,empty,mismatch,duplicate,gitignore)')
         .option('--scan-usage', 'Scan codebase for environment variable usage')
-        .option('--include-files <patterns>', '[requires --scan-usage] Comma-separated file patterns to ADD to default scan patterns (extends default)')
-        .option('--files <patterns>', '[requires --scan-usage] Comma-separated file patterns to scan (completely replaces default patterns)')
-        .option('--exclude-files <patterns>', '[requires --scan-usage] Comma-separated file patterns to exclude from scan')
-        .option('--show-unused', '[requires --scan-usage] Show variables defined in .env but not used in code')
-        .option('--show-stats', 'Show statistics (in scan-usage mode: scan stats, in compare mode: env compare stats)');
+        .option('--compare', 'Compare .env and .env.example files')
+        .option('--include-files <patterns>', 'Comma-separated file patterns to ADD to default scan patterns (extends default)')
+        .option('--files <patterns>', 'Comma-separated file patterns to scan (completely replaces default patterns)')
+        .option('--exclude-files <patterns>', 'Comma-separated file patterns to exclude from scan')
+        .option('--no-show-unused', 'Do not list variables that are defined in .env but not used in code')
+        .option('--no-show-stats', 'Do not show statistics')
+        .option('--no-secrets', 'Disable secret detection during scan (enabled by default)');
 }

package/dist/src/cli/run.js

@@ -14,7 +14,8 @@ export async function run(program) {
     if (opts.noColor) {
         chalk.level = 0; // disable colors globally
     }
-    if (opts.scanUsage) {
+    // DEFAULT: scan-usage unless --compare is set
+    if (!opts.compare) {
         const envPath = opts.envFlag || (fs.existsSync('.env') ? '.env' : undefined);
         const { exitWithError } = await scanUsage({
             cwd: opts.cwd,
@@ -30,6 +31,7 @@ export async function run(program) {
             showStats: opts.showStats,
             isCiMode: opts.isCiMode,
             files: opts.files,
+            secrets: opts.secrets,
         });
         process.exit(exitWithError ? 1 : 0);
     }
@@ -105,7 +107,6 @@ export async function run(program) {
         isCiMode: opts.isCiMode,
     });
     if (res.shouldExit) {
-        // For JSON mode, emit an empty report to keep output machine-friendly (optional; safe).
         if (opts.json)
             console.log(JSON.stringify([], null, 2));
         process.exit(res.exitCode);

package/dist/src/commands/compare.js

@@ -50,9 +50,6 @@ export async function compareMany(pairs, opts) {
                 },
             });
         }
-        else {
-            // still call to keep previous hints? No—masked by --only.
-        }
         // Duplicate detection (skip entirely if --only excludes it)
         let dupsEnv = [];
         let dupsEx = [];

package/dist/src/commands/scanUsage.d.ts

@@ -34,6 +34,12 @@ export interface ScanJsonEntry {
     }>;
     comparedAgainst?: string;
     totalEnvVariables?: number;
+    secrets?: Array<{
+        file: string;
+        line: number;
+        message: string;
+        snippet: string;
+    }>;
 }
 /**
  * Scans codebase for environment variable usage and compares with .env file

package/dist/src/commands/scanUsage.js

@@ -125,6 +125,10 @@ export async function scanUsage(opts) {
         console.log(chalk.green('✅ Auto-fix applied: no changes needed.'));
         console.log();
     }
+    if (scanResult.missing.length > 0 && !opts.json && !opts.fix) {
+        console.log(chalk.gray('💡 Tip: Run with `--fix` to add missing keys'));
+        console.log();
+    }
     return result;
 }
 /**
@@ -172,6 +176,14 @@ function createJsonOutput(scanResult, opts, comparedAgainst, totalEnvVariables)
         missing: missingGrouped,
         unused: scanResult.unused,
     };
+    if (scanResult.secrets?.length) {
+        output.secrets = scanResult.secrets.map((s) => ({
+            file: s.file,
+            line: s.line,
+            message: s.message,
+            snippet: s.snippet,
+        }));
+    }
     // Add comparison info if we compared against a file
     if (comparedAgainst) {
         output.comparedAgainst = comparedAgainst;
@@ -198,15 +210,15 @@ function outputToConsole(scanResult, opts, comparedAgainst) {
     }
     // Show stats if requested
     if (opts.showStats) {
-        console.log(chalk.bold('📊 Scan Statistics:'));
-        console.log(chalk.gray(`   Files scanned: ${scanResult.stats.filesScanned}`));
-        console.log(chalk.gray(`   Total usages found: ${scanResult.stats.totalUsages}`));
-        console.log(chalk.gray(`   Unique variables: ${scanResult.stats.uniqueVariables}`));
+        console.log(chalk.blue('📊 Scan Statistics:'));
+        console.log(chalk.blue.dim(`   Files scanned: ${scanResult.stats.filesScanned}`));
+        console.log(chalk.blue.dim(`   Total usages found: ${scanResult.stats.totalUsages}`));
+        console.log(chalk.blue.dim(`   Unique variables: ${scanResult.stats.uniqueVariables}`));
         console.log();
     }
     // Always show found variables when not comparing or when no missing variables
     if (!comparedAgainst || scanResult.missing.length === 0) {
-        console.log(chalk.green(`✅ Found ${scanResult.stats.uniqueVariables} unique environment variables in use`));
+        console.log(chalk.blue(`🌐 Found ${scanResult.stats.uniqueVariables} unique environment variables in use`));
         console.log();
         // List all variables found (if any)
         if (scanResult.stats.uniqueVariables > 0) {
@@ -225,7 +237,7 @@ function outputToConsole(scanResult, opts, comparedAgainst) {
                 if (opts.showStats) {
                     const displayUsages = usages.slice(0, 2);
                     displayUsages.forEach((usage) => {
-                        console.log(chalk.gray(`     Used in: ${usage.file}:${usage.line} (${usage.pattern})`));
+                        console.log(chalk.blue.dim(`     Used in: ${usage.file}:${usage.line} (${usage.pattern})`));
                     });
                     if (usages.length > 2) {
                         console.log(chalk.gray(`     ... and ${usages.length - 2} more locations`));
@@ -273,6 +285,22 @@ function outputToConsole(scanResult, opts, comparedAgainst) {
         });
         console.log();
     }
+    if (scanResult.secrets && scanResult.secrets.length > 0) {
+        console.log(chalk.yellow('🔒 Potential secrets detected in codebase:'));
+        const byFile = new Map();
+        for (const f of scanResult.secrets) {
+            if (!byFile.has(f.file))
+                byFile.set(f.file, []);
+            byFile.get(f.file).push(f);
+        }
+        for (const [file, findings] of byFile) {
+            console.log(chalk.bold(`  ${file}`));
+            for (const f of findings) {
+                console.log(chalk.yellow(`   - Line ${f.line}: ${f.message}\n     ${chalk.dim(f.snippet)}`));
+            }
+        }
+        console.log();
+    }
     // Success message for env file comparison
     if (comparedAgainst && scanResult.missing.length === 0) {
         console.log(chalk.green(`✅ All used environment variables are defined in ${comparedAgainst}`));
@@ -281,9 +309,5 @@ function outputToConsole(scanResult, opts, comparedAgainst) {
         }
         console.log();
     }
-    if (scanResult.missing.length > 0 && !opts.json && !opts.fix) {
-        console.log(chalk.gray('💡 Tip: Run with `--fix` to add these missing keys to your .env file automatically.'));
-        console.log();
-    }
     return { exitWithError };
 }

package/dist/src/config/options.js

@@ -26,12 +26,15 @@ export function normalizeOptions(raw) {
     const json = Boolean(raw.json);
     const onlyParsed = parseCategories(raw.only, '--only');
     const only = onlyParsed.length ? onlyParsed : undefined;
-    const scanUsage = Boolean(raw.scanUsage);
+    const noColor = Boolean(raw.noColor);
+    const compare = Boolean(raw.compare);
+    const scanUsage = raw.scanUsage ?? !compare;
     const includeFiles = parseList(raw.includeFiles);
     const excludeFiles = parseList(raw.excludeFiles);
-    const showUnused = Boolean(raw.showUnused);
-    const showStats = Boolean(raw.showStats);
+    const showUnused = raw.showUnused === false ? false : true;
+    const showStats = raw.showStats === false ? false : true;
     const files = parseList(raw.files);
+    const secrets = raw.secrets === false ? false : true;
     const ignore = parseList(raw.ignore);
     const ignoreRegex = [];
     for (const pattern of parseList(raw.ignoreRegex)) {
@@ -62,11 +65,14 @@ export function normalizeOptions(raw) {
         ignoreRegex,
         cwd,
         only,
+        compare,
+        noColor,
         scanUsage,
         includeFiles,
         excludeFiles,
         showUnused,
         showStats,
         files,
+        secrets,
     };
 }

package/dist/src/config/types.d.ts

@@ -13,6 +13,7 @@ export type Options = {
     ignoreRegex: RegExp[];
     cwd: string;
     only?: Category[];
+    compare: boolean;
     scanUsage: boolean;
     includeFiles: string[];
     excludeFiles: string[];
@@ -20,6 +21,7 @@ export type Options = {
     showStats: boolean;
     files?: string[];
     noColor?: boolean;
+    secrets: boolean;
 };
 export type RawOptions = {
     checkValues?: boolean;
@@ -33,12 +35,15 @@ export type RawOptions = {
     ignore?: string | string[];
     ignoreRegex?: string | string[];
     only?: string | string[];
+    compare?: boolean;
+    noColor?: boolean;
     scanUsage?: boolean;
     includeFiles?: string | string[];
     excludeFiles?: string | string[];
     showUnused?: boolean;
     showStats?: boolean;
     files?: string | string[];
+    secrets?: boolean;
 };
 export type CompareJsonEntry = {
     env: string;

package/dist/src/core/entropy.d.ts

@@ -0,0 +1 @@
+export declare function shannonEntropyNormalized(s: string): number;

package/dist/src/core/entropy.js

@@ -0,0 +1,16 @@
+export function shannonEntropyNormalized(s) {
+    if (!s)
+        return 0;
+    const freq = new Map();
+    for (const ch of s)
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    const len = s.length;
+    let H = 0;
+    for (const [, c] of freq) {
+        const p = c / len;
+        H += -p * Math.log2(p);
+    }
+    // Antag alfabet ~72 tegn (A-Za-z0-9+/_- mv.)
+    const maxH = Math.log2(72);
+    return Math.min(1, H / maxH);
+}

package/dist/src/core/secretDetectors.d.ts

@@ -0,0 +1,8 @@
+export type SecretFinding = {
+    file: string;
+    line: number;
+    kind: 'pattern' | 'entropy';
+    message: string;
+    snippet: string;
+};
+export declare function detectSecretsInSource(file: string, source: string): SecretFinding[];

package/dist/src/core/secretDetectors.js

@@ -0,0 +1,75 @@
+import { shannonEntropyNormalized } from './entropy.js';
+const SUSPICIOUS_KEYS = /\b(pass(word)?|secret|token|apikey|api_key|key|auth|bearer|private|client_secret|access[_-]?token)\b/i;
+const PROVIDER_PATTERNS = [
+    /\bAKIA[0-9A-Z]{16}\b/, // AWS access key id
+    /\bASIA[0-9A-Z]{16}\b/, // AWS temp key
+    /\bghp_[0-9A-Za-z]{30,}\b/, // GitHub token
+    /\bsk_live_[0-9a-zA-Z]{24,}\b/, // Stripe live secret
+    /\bsk_test_[0-9a-zA-Z]{24,}\b/, // Stripe test secret
+    /\bAIza[0-9A-Za-z\-_]{20,}\b/, // Google API key
+];
+const LONG_LITERAL = /["'`]{1}([A-Za-z0-9+/_\-]{24,})["'`]{1}/g;
+function looksHarmlessLiteral(s) {
+    return /^https?:\/\//i.test(s) || /\S+@\S+/.test(s);
+}
+// Undgå støj fra typiske test/fixture/mock filer (meget konservativ liste)
+function isProbablyTestPath(p) {
+    return (/\b(__tests__|__mocks__|fixtures|sandbox|samples)\b/i.test(p) ||
+        /\.(spec|test)\.[jt]sx?$/.test(p));
+}
+const DEFAULT_SECRET_THRESHOLD = 0.9;
+export function detectSecretsInSource(file, source) {
+    const threshold = isProbablyTestPath(file) ? 0.95 : DEFAULT_SECRET_THRESHOLD;
+    const findings = [];
+    const lines = source.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+        const lineNo = i + 1;
+        const line = lines[i];
+        // 1) Suspicious key literal assignments
+        if (SUSPICIOUS_KEYS.test(line)) {
+            const m = line.match(/=\s*["'`](.+?)["'`]/);
+            if (m && m[1] && !looksHarmlessLiteral(m[1]) && m[1].length >= 12) {
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'pattern',
+                    message: 'matches password/secret/token-like literal assignment',
+                    snippet: line.trim().slice(0, 180),
+                });
+            }
+        }
+        // 2) Provider patterns
+        for (const rx of PROVIDER_PATTERNS) {
+            if (rx.test(line)) {
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'pattern',
+                    message: 'matches known provider key pattern',
+                    snippet: line.trim().slice(0, 180),
+                });
+            }
+        }
+        // 3) High-entropy long literals
+        LONG_LITERAL.lastIndex = 0;
+        let lm;
+        while ((lm = LONG_LITERAL.exec(line))) {
+            const literal = lm[1];
+            if (looksHarmlessLiteral(literal))
+                continue;
+            if (literal.length < 32)
+                continue; // ekstra støjfilter
+            const ent = shannonEntropyNormalized(literal);
+            if (ent >= threshold) {
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'entropy',
+                    message: `found high-entropy string (len ${literal.length}, H≈${ent.toFixed(2)})`,
+                    snippet: line.trim().slice(0, 180),
+                });
+            }
+        }
+    }
+    return findings;
+}

package/dist/src/index.js

@@ -1,2 +1,6 @@
 export { parseEnvFile } from './lib/parseEnv.js';
 export { diffEnv } from './lib/diffEnv.js';
+process.env.API_KEY = '1234asdasdasasdsdfdfaasddsa5';
+process.env.NEW_API_KEY = '67890';
+const password = '3fg400asipkfoemkfmojwpajwmdklaosjfiop';
+const service = 'http://my-service.com';

package/dist/src/services/codeBaseScanner.d.ts

@@ -1,3 +1,4 @@
+import { type SecretFinding } from '../core/secretDetectors.js';
 export interface EnvUsage {
     variable: string;
     file: string;
@@ -13,6 +14,7 @@ export interface ScanOptions {
     ignore: string[];
     ignoreRegex: RegExp[];
     files?: string[];
+    secrets?: boolean;
 }
 export interface ScanResult {
     used: EnvUsage[];
@@ -23,6 +25,7 @@ export interface ScanResult {
         totalUsages: number;
         uniqueVariables: number;
     };
+    secrets: SecretFinding[];
 }
 /**
  * Scans the codebase for environment variable usage based on the provided options.

package/dist/src/services/codeBaseScanner.js

@@ -1,6 +1,7 @@
 import fs from 'fs/promises';
 import path from 'path';
 import fsSync from 'fs';
+import { detectSecretsInSource, } from '../core/secretDetectors.js';
 // Framework-specific patterns for finding environment variable usage
 const ENV_PATTERNS = [
     {
@@ -74,11 +75,24 @@ export async function scanCodebase(opts) {
     });
     const allUsages = [];
     let filesScanned = 0;
+    const allSecrets = [];
     for (const filePath of files) {
         try {
             const content = await fs.readFile(filePath, 'utf-8');
             const fileUsages = await scanFile(filePath, content, opts);
             allUsages.push(...fileUsages);
+            if (opts.secrets) {
+                try {
+                    // Brug relativ path i findings, så output matcher dine øvrige prints
+                    const relativePath = path.relative(opts.cwd, filePath);
+                    const sec = detectSecretsInSource(relativePath, content);
+                    if (sec.length)
+                        allSecrets.push(...sec);
+                }
+                catch {
+                    // aldrig fail scannet pga. detector; bare fortsæt
+                }
+            }
             filesScanned++;
         }
         catch {
@@ -94,6 +108,7 @@ export async function scanCodebase(opts) {
         used: filteredUsages,
         missing: [],
         unused: [],
+        secrets: allSecrets,
         stats: {
             filesScanned,
             totalUsages: filteredUsages.length,

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "dotenv-diff",
-  "version": "2.1.6",
+  "version": "2.2.0",
   "type": "module",
-  "description": "Find differences between .env and .env.example / .env.* files. And optionally scan your codebase to find environment variables in use.",
+  "description": "scan your codebase to find environment variables in use.",
   "bin": {
     "dotenv-diff": "dist/bin/dotenv-diff.js"
   },