envpkt env scan
Scan process.env for credential-shaped variables. Matches against ~45 known service names, ~13 generic suffix patterns, and ~29 value shape patterns.
```
envpkt env scan [options]
```

Options

| Option | Description | Default |
|---|---|---|
| --format <format> | Output format: table, json | table |
| --write | Write/append discovered credentials to envpkt.toml | false |
| --dry-run | Preview TOML that would be written (implies --write) | false |
| --include-unknown | Include vars with no inferred service | false |

Examples

```bash
# Scan and display results
envpkt env scan

# JSON output
envpkt env scan --format json

# Write to envpkt.toml
envpkt env scan --write

# Preview what would be written
envpkt env scan --dry-run

# Include unidentified credential-shaped vars
envpkt env scan --include-unknown
```

Confidence Levels

| Level | Icon | Meaning |
|---|---|---|
| High | ● | Exact name match (e.g., OPENAI_API_KEY) or recognized value prefix (e.g., sk-) |
| Medium | ◐ | Generic suffix pattern (e.g., *_API_KEY, *_TOKEN) with derived service name |
Pattern Tiers

- Exact name (~45 patterns) — Known service-specific variable names like STRIPE_SECRET_KEY, AWS_ACCESS_KEY_ID, GITHUB_TOKEN
- Value shape (~29 patterns) — Recognized value prefixes like sk-, ghp_, AKIA, postgres://
- Generic suffix (~13 patterns) — Suffixes like _API_KEY, _SECRET, _TOKEN, _PASSWORD

See the Environment Scanning guide for details on the pattern registry.
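
The tiers and confidence levels above, sketched as an added JavaScript example; it is not envpkt's own code. The pattern lists are small subsets built from the names on this page, and the tier order, the service labels for value prefixes, and the skipping of empty values are assumptions.

```javascript
// Added illustration, not envpkt's implementation.
// Pattern lists are small subsets taken from the examples on this page.
const EXACT = new Map([
  ["OPENAI_API_KEY", "openai"], ["STRIPE_SECRET_KEY", "stripe"],
  ["AWS_ACCESS_KEY_ID", "aws"], ["GITHUB_TOKEN", "github"],
]);
// Service labels attached to value prefixes are assumptions.
const VALUE_PREFIXES = [
  ["ghp_", "github"], ["AKIA", "aws"], ["postgres://", "postgres"], ["sk-", "openai"],
];
const SUFFIXES = ["_API_KEY", "_SECRET", "_TOKEN", "_PASSWORD"];

// Tiers are checked in the order the page lists them (assumed precedence).
function classify(name, value) {
  if (EXACT.has(name)) {
    return { name, tier: "exact-name", confidence: "high", service: EXACT.get(name) };
  }
  const shape = VALUE_PREFIXES.find(([prefix]) => value.startsWith(prefix));
  if (shape) {
    return { name, tier: "value-shape", confidence: "high", service: shape[1] };
  }
  // A suffix only counts when something precedes it to derive a service from.
  const suffix = SUFFIXES.find((s) => name.endsWith(s) && name.length > s.length);
  if (suffix) {
    const service = name.slice(0, -suffix.length).toLowerCase();
    return { name, tier: "generic-suffix", confidence: "medium", service };
  }
  return null; // not credential-shaped
}

// Findings carry the variable name only; the value is never copied into them.
function scanEnv(env) {
  return Object.entries(env)
    .filter(([, value]) => typeof value === "string" && value !== "")
    .map(([name, value]) => classify(name, value))
    .filter(Boolean);
}

// Constructed sample environment; every value is fake.
const SAMPLE_ENV = {
  GITHUB_TOKEN: "ghp_constructed_example",
  DATABASE_URL: "postgres://user:example@localhost/db",
  ACME_API_KEY: "not-a-real-key",
  PATH: "/usr/bin",
  EMPTY_TOKEN: "",
};
console.log(scanEnv(SAMPLE_ENV));
```

Passing `process.env` to `scanEnv` in place of `SAMPLE_ENV` runs the same classification over the live environment.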