import os
import re
from pathlib import Path
from typing import List, Dict

def detect_env_spills(root_dir: str) -> List[Dict]:
    """
    Scan directory for potential environment variable leaks.
    Returns list of detected spills with severity ratings.
    """
    spills = []
    env_patterns = [
        r'\b(API_KEY|SECRET|PASSWORD|TOKEN|AUTH)\b.*=',  # Common secrets
        r'\.env',  # Environment files
        r'process\.env\.[A-Z_]+',  # Node.js process.env access
        r'os\.getenv\(["\'][A-Z_]+["\']\)',  # Python os.getenv
    ]
    
    for file_path in Path(root_dir).rglob('*'):
        if file_path.is_file() and file_path.suffix in ['.py', '.js', '.ts', '.env']:
            try:
                with open(file_path, 'r', encoding='utf-8') as f:
                    content = f.read()
                    
                for i, line in enumerate(content.split('\n'), 1):
                    for pattern in env_patterns:
                        if re.search(pattern, line, re.IGNORECASE):
                            severity = 'HIGH' if 'PASSWORD' in line or 'SECRET' in line else 'MEDIUM'
                            spills.append({
                                'file': str(file_path),
                                'line': i,
                                'code': line.strip(),
                                'severity': severity,
                                'pattern': pattern
                            })
            except (UnicodeDecodeError, PermissionError):
                continue
    
    return spills

# Usage example:
if __name__ == "__main__":
    leaks = detect_env_spills('./my_project')
    for leak in leaks:
        print(f"[{leak['severity']}] {leak['file']}:{leak['line']}")
        print(f"  {leak['code']}")
        print()

The Problem: Your Codebase Is a Security Swamp

import os
import re
from pathlib import Path

def detect_envvar_spills(root_dir, severity_threshold='medium'):
    """
    Scans for exposed environment variables in your codebase.
    Returns list of potential security leaks with severity ratings.
    """
    
    # Common patterns for sensitive data
    patterns = {
        'high': [
            r'API[_-]?KEY',
            r'PASSWORD',
            r'SECRET',
            r'TOKEN',
            r'PRIVATE[_-]?KEY'
        ],
        'medium': [
            r'DATABASE[_-]?URL',
            r'AUTH[_-]?KEY',
            r'ENCRYPTION[_-]?KEY',
            r'ACCESS[_-]?KEY'
        ],
        'low': [
            r'DEBUG',
            r'ENVIRONMENT',
            r'LOG[_-]?LEVEL'
        ]
    }
    
    spills = []
    excluded_dirs = ['.git', 'node_modules', '__pycache__', '.env']
    
    for file_path in Path(root_dir).rglob('*'):
        if file_path.is_file() and not any(excl in str(file_path) for excl in excluded_dirs):
            try:
                with open(file_path, 'r', encoding='utf-8') as f:
                    content = f.read()
                    
                    # Check for .env files in wrong locations
                    if file_path.name == '.env' and file_path.parent != Path(root_dir):
                        spills.append({
                            'file': str(file_path),
                            'issue': 'Misplaced .env file',
                            'severity': 'high',
                            'line': 'N/A'
                        })
                    
                    # Check for hardcoded secrets
                    for severity, pattern_list in patterns.items():
                        for pattern in pattern_list:
                            matches = re.finditer(pattern, content, re.IGNORECASE)
                            for match in matches:
                                spills.append({
                                    'file': str(file_path),
                                    'issue': f'Potential {match.group()} exposure',
                                    'severity': severity,
                                    'line': content.count('\n', 0, match.start()) + 1
                                })
            except:
                continue
    
    # Filter by severity threshold
    severity_order = {'high': 3, 'medium': 2, 'low': 1}
    threshold_value = severity_order.get(severity_threshold.lower(), 2)
    
    filtered_spills = [
        spill for spill in spills 
        if severity_order.get(spill['severity'], 0) >= threshold_value
    ]
    
    return filtered_spills

# Usage example:
# leaks = detect_envvar_spills('/path/to/your/project', 'medium')
# for leak in leaks:
#     print(f"{leak['severity'].upper()}: {leak['issue']} in {leak['file']}:{leak['line']}")

Let's be honest: environment variables are the digital equivalent of leaving sticky notes with your passwords on your monitor. We all know we shouldn't do it, but sometimes you just need that API key RIGHT NOW, and .env files are so conveniently located right there in your project root. What could possibly go wrong?

The problem isn't that developers are careless—well, actually, that's exactly the problem. But it's a special kind of carelessness. It's the 'I'll just commit this config file real quick and clean it up later' carelessness that turns into 'Oh crap, I just gave 5,000 GitHub users access to our production database' reality. And let's not forget the classic 'But it worked on my machine!' defense, which holds up in court about as well as 'The dog ate my homework.'

Here's what typically happens: You're rushing to meet a deadline (because when are we not?), you've got three different .env files floating around, you commit the wrong one, and suddenly your Slack bot token is doing the digital equivalent of streaking through Times Square. The worst part? You probably won't even notice until some kind soul (or malicious actor) DMs you saying 'Hey, just thought you should know...'

The Solution: Treating Security Breaches Like Environmental Disasters

I built EnvVar Spill Detector because I got tired of watching developers treat security breaches like 'oopsie daisies' rather than the digital equivalent of leaving the nuclear codes on a park bench. This tool takes a different approach: it treats your leaked secrets like environmental catastrophes, because frankly, they kind of are.

At its core, EnvVar Spill Detector is a pre-commit hook that scans your staged files for patterns that look suspiciously like secrets. Think API_, KEY_, SECRET_, PASSWORD_—you know, the things you definitely shouldn't be committing unless you want your company's AWS bill to look like the GDP of a small country.

The magic happens in how it presents the information. Instead of dry, boring error messages that you'll ignore like you ignore your linter warnings, it gives you color-coded severity ratings and mock environmental impact reports. Because nothing motivates change like seeing 'Your database password just polluted 3 GitHub forks' in bright red text.

How to Use It (Without Spilling Everything)

Installation is about as complicated as making instant coffee (and significantly less complicated than cleaning up after you've leaked production credentials). Here's the basic setup:

# Clone the repository
$ git clone https://github.com/BoopyCode/env-var-spill-detector.git

# Install the pre-commit hook
$ cd env-var-spill-detector
$ ./install-hook.sh

Once installed, the hook runs automatically before every commit. Here's what the main detection logic looks like (simplified for clarity):

def detect_spills(file_content):
    """Scan for secret patterns in file content"""
    patterns = [
        r'API_[A-Z_]+',
        r'KEY_[A-Z_]+',
        r'SECRET_[A-Z_]+',
        r'PASSWORD_[A-Z_]+',
        r'TOKEN_[A-Z_]+'
    ]
    
    spills = []
    for pattern in patterns:
        matches = re.findall(pattern, file_content)
        spills.extend(matches)
    
    return spills

Check out the full source code on GitHub for the complete implementation, including the hilarious (but educational) severity rating system.

Key Features That Actually Work

• Pre-commit hook that scans for common secret patterns: Catches API_, KEY_, SECRET_, PASSWORD_ and other suspicious patterns before they escape into the wild. It's like a digital bouncer for your secrets.
• Color-coded spill severity ratings: From 'tiny drip' (low risk) to 'catastrophic flood' (you should probably update your LinkedIn). Each rating comes with appropriate shame levels.
• Generates mock environmental impact reports: 'Your AWS key just polluted 3 GitHub forks' or 'Database password spill detected: estimated cleanup cost: 3 hours of panic and 1 awkward team meeting.'
• Custom pattern support: Add your own secret patterns because every company has their own special way of naming things they shouldn't commit.
• Git-friendly output: Integrates seamlessly with your existing workflow, because the last thing you need is another tool that breaks everything.

Conclusion: Stop Treating Security Like an Afterthought

EnvVar Spill Detector won't solve all your security problems (you still shouldn't use 'password123' for anything), but it will catch the most common, most embarrassing mistakes before they become public relations nightmares. It's the digital equivalent of checking your fly before leaving the bathroom—simple, quick, and prevents a lot of awkwardness.

The tool is free, open source, and takes about five minutes to set up. That's less time than it takes to explain to your boss why there are Bitcoin miners running on your AWS account. Try it out today and join the ranks of developers who treat security seriously (or at least seriously enough to avoid public humiliation).

Remember: Your secrets should stay secret, not become open source contributions. Unless you're trying to get fired, in which case, carry on—you're doing great!