zorath-env v0.3.2 is now available. This release adds secret detection to catch accidentally committed credentials and a new diff command to compare environment files across deployments.
Release Highlights
- Secret detection scans for AWS keys, Stripe tokens, GitHub tokens, private keys, and more
- zenv diff command compares two .env files to find differences
- High-entropy detection catches potential API keys and secrets
- URL password detection finds embedded credentials in connection strings
Secret Detection
Accidentally committing secrets to version control is one of the most common security mistakes. API keys, database passwords, and access tokens end up in .env.example files, commit history, and public repositories.
zorath-env v0.3.2 adds the --detect-secrets flag to scan for potential credentials:
zenv check --detect-secrets
What It Detects
The secret scanner identifies 10 categories of sensitive data:
| Pattern | Examples | Description |
|---------|----------|-------------|
| AWS Access Keys | AKIA... | Access key IDs starting with AKIA |
| AWS Secret Keys | 40-character strings | Secret access keys |
| Stripe API Keys | sk_live_, sk_test_, pk_live_, pk_test_ | Stripe publishable and secret keys |
| GitHub Tokens | ghp_, gho_, ghs_, ghr_ | Personal access tokens, OAuth tokens |
| GitLab Tokens | glpat- | Personal access tokens |
| Slack Tokens | xoxb-, xoxp-, xoxa- | Bot and user tokens |
| Private Keys | -----BEGIN RSA PRIVATE KEY----- | RSA, SSH, PGP private key headers |
| JWT Tokens | eyJ... | JSON Web Tokens |
| URL Passwords | ://user:pass@host | Embedded credentials in URLs |
| High-Entropy Strings | 32+ character random strings | Potential API keys or secrets |
Example Output
Given a .env file with potential secrets:
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgresql://admin:supersecret123@db.example.com/mydb
STRIPE_KEY=sk_live_51ABC123DEF456GHI789
API_TOKEN=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
Running zenv check --detect-secrets:
$ zenv check --detect-secrets
Warning: Potential secrets detected:
- AWS_ACCESS_KEY_ID (line 1): AWS Access Key ID
- AWS_SECRET_ACCESS_KEY (line 2): AWS Secret Access Key
- DATABASE_URL (line 3): URL contains embedded password
- STRIPE_KEY (line 4): Stripe API Key
- API_TOKEN (line 5): High-entropy string (possible secret)
These values may be real secrets. Consider using placeholders in committed files.
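How rules like those in the table can produce the findings above, as an added Python example (not zorath-env's own code): prefix patterns are tried first, then the 32+ character entropy check. The regexes, the 4.0 bits-per-character threshold, and the use of the variable name to label 40-character AWS secrets are assumptions made for this example.

```python
import math
import re
from collections import Counter

# Prefixes come from the table above; the exact regexes are assumptions.
RULES = [
    ("AWS Access Key ID", re.compile(r"^AKIA[0-9A-Z]{16}$")),
    ("Stripe API Key", re.compile(r"^[sp]k_(live|test)_\w+$")),
    ("GitHub Token", re.compile(r"^gh[posr]_\w+$")),
    ("GitLab Token", re.compile(r"^glpat-[\w-]+$")),
    ("Slack Token", re.compile(r"^xox[bpa]-[\w-]+$")),
    ("Private key header", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY")),
    ("JWT", re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")),
    ("URL contains embedded password", re.compile(r"://[^/\s:@]+:[^/\s@]+@")),
]
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")  # 32+ characters, per the table
ENTROPY_MIN = 4.0  # bits per character; assumed threshold

def shannon_entropy(s):  # bits per character of the string's own distribution
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def classify(key, value):
    for label, rx in RULES:
        if rx.search(value):
            return label
    if TOKEN_LIKE.match(value):
        # A bare 40-character string is ambiguous, so the variable name gives context.
        if len(value) == 40 and "AWS" in key.upper():
            return "AWS Secret Access Key"
        if shannon_entropy(value) >= ENTROPY_MIN:
            return "High-entropy string (possible secret)"
    return None

def scan(text):  # returns (key, line_number, label) tuples; values are never echoed
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.strip().partition("=")
        label = classify(key.strip(), value.strip().strip("'\"")) if sep else None
        if label and not key.startswith("#"):
            findings.append((key.strip(), n, label))
    return findings

# The sample .env shown above (the article's example values).
SAMPLE = """AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DATABASE_URL=postgresql://admin:supersecret123@db.example.com/mydb
STRIPE_KEY=sk_live_51ABC123DEF456GHI789
API_TOKEN=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"""
print(*scan(SAMPLE), sep="\n")
```

A short placeholder such as your-api-key-here, or a long but repetitive one, falls below both the length and entropy checks and is not reported.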
When to Use Secret Detection
Run secret detection in these scenarios:
Before committing .env.example:
zenv check --env .env.example --detect-secrets
In CI/CD pipelines:
- name: Check for leaked secrets
  run: |
    cargo install zorath-env
    zenv check --env .env.example --detect-secrets
Pre-commit hook:
#!/usr/bin/env bash
set -e
if [ -f ".env.example" ]; then
  zenv check --env .env.example --detect-secrets || {
    echo "Secret detection found potential credentials!"
    exit 1
  }
fi
Privacy First
Secret detection runs entirely locally. No data leaves your machine. zorath-env never uploads, phones home, or sends telemetry. Your secrets stay private.
Environment Diff
Different environments often have different configurations. Development uses localhost, staging uses test credentials, production uses real services. When these drift apart, deployments fail.
The new zenv diff command compares two .env files:
zenv diff .env.development .env.production
What It Shows
The diff output shows three categories:
- Variables only in the first file - missing from the second
- Variables only in the second file - missing from the first
- Variables with different values - present in both but changed
Example Output
Given two environment files:
.env.development:
DATABASE_URL=postgresql://localhost/mydb
NODE_ENV=development
DEBUG_MODE=true
API_URL=http://localhost:3000
.env.production:
DATABASE_URL=postgresql://prod-db.example.com/mydb
NODE_ENV=production
API_URL=https://api.example.com
SENTRY_DSN=https://key@sentry.io/123
Running zenv diff:
$ zenv diff .env.development .env.production
Only in .env.development:
- DEBUG_MODE
Only in .env.production:
- SENTRY_DSN
Different values:
- DATABASE_URL: "postgresql://localhost/mydb" vs "postgresql://prod-db.example.com/mydb"
- NODE_ENV: "development" vs "production"
- API_URL: "http://localhost:3000" vs "https://api.example.com"
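The example output above prints both values of every changed variable. As an added example (Python, not zorath-env's code), here is the same three-category comparison with credentials masked before anything is printed, which suits output that ends up in CI logs. The masking patterns, function names and sample files are assumptions constructed for this example.

```python
import re

# Both patterns are assumptions for this example, not zenv's own rules.
URL_PASSWORD = re.compile(r"(://[^/\s:@]+:)[^/\s@]+@")
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]{32,}$")

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env

def redact(value):
    """Mask URL passwords and long token-like values; keep ordinary config readable."""
    if TOKEN_LIKE.match(value):
        return f"<redacted, {len(value)} chars>"
    return URL_PASSWORD.sub(r"\1***@", value)

def diff_env(first, second):
    """The three categories described above, with values passed through redact()."""
    a, b = parse_env(first), parse_env(second)
    return {
        "only_first": sorted(a.keys() - b.keys()),
        "only_second": sorted(b.keys() - a.keys()),
        "different": {k: (redact(a[k]), redact(b[k]))
                      for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
    }

# Constructed sample files (made-up credentials), modelled on the article's example.
DEVELOPMENT = """DATABASE_URL=postgresql://app:devpass@localhost/mydb
NODE_ENV=development
DEBUG_MODE=true
API_TOKEN=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"""
PRODUCTION = """DATABASE_URL=postgresql://app:Pr0dPassw0rd@prod-db.example.com/mydb
NODE_ENV=production
SENTRY_DSN=https://key@sentry.io/123
API_TOKEN=Zx9Qw8Er7Ty6Ui5Op4As3Df2Gh1Jk0LmNbVcXzQw"""

if __name__ == "__main__":
    for section, items in diff_env(DEVELOPMENT, PRODUCTION).items():
        print(section, items)
```

A variable whose two values differ only in the masked part is still listed under "different", so a rotated password shows up as a change without being displayed.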
Schema Validation with Diff
Add the --schema flag to also validate both files against your schema:
zenv diff .env.staging .env.production --schema env.schema.json
This catches both configuration drift AND type/validation errors in a single command.
Use Cases
Catch missing production variables:
zenv diff .env.example .env.production
Find variables defined in your example but missing from production.
Compare across environments:
zenv diff .env.staging .env.production
Verify staging matches production before deployment.
Audit configuration changes:
zenv diff .env.backup .env
See what changed since the last backup.
Combining Features
Use secret detection and diff together for comprehensive checks:
# Check for secrets in example file
zenv check --env .env.example --detect-secrets
# Compare environments with schema validation
zenv diff .env.staging .env.production --schema env.schema.json
In CI/CD:
name: Environment Validation
on: [push, pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install zenv
        run: cargo install zorath-env
      - name: Check for secrets
        run: zenv check --env .env.example --detect-secrets
      - name: Validate schema
        run: zenv check --env .env.example --schema env.schema.json
Full Changelog
v0.3.2 (2026-01-16)
Added:
- Secret detection with --detect-secrets flag for zenv check
- Detection patterns for AWS, Stripe, GitHub, GitLab, Slack tokens
- Private key header detection (RSA, SSH, PGP)
- JWT token detection
- URL embedded password detection
- High-entropy string detection for potential API keys
- zenv diff command to compare two .env files
- Schema validation support in diff command
Changed:
- Improved validation output formatting
- Better error messages for file operations
Installation
First-Time Install
Via cargo:
cargo install zorath-env
Download binary (no Rust required):
Visit GitHub Releases and download for your platform:
- Linux: zenv-linux
- macOS Intel: zenv-macos-intel
- macOS Apple Silicon: zenv-macos-arm
- Windows: zenv.exe
Upgrade
# Via cargo
cargo install zorath-env --force
# Check version
zenv version --check-update
Verify the installation:
$ zenv version
zenv v0.3.2
Resources
- Documentation: zorl.cloud/zenv
- Full Docs: zorl.cloud/zenv/docs
- GitHub: github.com/zorl-engine/zorath-env
- Wiki: GitHub Wiki
- Package: crates.io/crates/zorath-env
- Community: r/zorath_env
Ready to secure your environment files? Run cargo install zorath-env --force or download the latest binary from GitHub Releases.