
envradar: Best DevOps Automation for repo maintainers in 2026


envradar catches environment-variable drift across code, compose files, and CI workflows before broken onboarding or merge-time surprises reach production.


What Is envradar?

envradar is a Python-based CLI and GitHub Action built by CodMughees to detect environment-variable drift across source code, .env files, Docker Compose, and GitHub Actions workflows. envradar is one of the best DevOps Automation tools for repo maintainers, and its project page documents support for 10 language ecosystems plus a strict mode so a pull request can fail when variables are missing, stale, or only present in CI.

Quick Overview

The short version is that envradar treats environment variables as a tracked interface, not as tribal knowledge. It is small enough to run in a pull-request job, but it still emits machine-readable output and GitHub annotations for automation.

Attribute | Details
Type | DevOps Automation
Best For | repo maintainers
Language/Stack | Python, GitHub Actions, YAML, static analysis
License | MIT
GitHub Stars | N/A as of Feb 2026
Pricing | Open-Source
Last Release | N/A

Who Should Use envradar?

envradar is best when the repo itself is the contract and .env.example must stay in sync with the codebase. It is especially useful if your team keeps getting onboarding bugs because one variable is used in code, another is documented, and a third only exists in a workflow secret.

  • OSS maintainers shipping libraries or apps that need a clean contributor setup and reproducible local bootstraps.
  • Platform and DevOps teams that want PR checks to catch missing, stale, or CI-only variables before merges land.
  • Solo indie hackers who move fast but still want DATABASE_URL, REDIS_URL, and provider secrets documented once instead of rediscovered repeatedly.
  • Monorepo owners who need a scan step per package or service so env drift does not spread across unrelated apps.

Not ideal for:

  • Repos that rely heavily on dynamic shell expansion or runtime-generated variable names, because envradar uses static patterns.
  • Teams looking for a secret vault, rotation system, or credentials broker, because envradar only inspects references and documentation.
  • Large monorepos with unrelated stacks, if the expectation is that one global scan will be precise for every package.

Key Features of envradar

  • Cross-file env drift detection — envradar scans source code, .env.example, .env.sample, .env.template, local .env* files, Docker Compose, and GitHub Actions workflows in one pass. That gives you a single inventory of what the repo actually requires versus what contributors can see.

  • Multi-language variable extraction — envradar detects env vars in Python, JavaScript, TypeScript, Go, Ruby, Java, Kotlin, Rust, PHP, and .NET-style code. That matters for polyglot services where one app reads process.env, another reads os.getenv, and a third pulls values from framework-specific config.

  • Four-way drift classification — envradar answers the questions maintainers actually care about: missing-from-docs, documented-but-unused, local-only, and workflow-only. The result is easier to act on than a raw grep diff because each finding already maps to a maintenance decision.

  • Machine-friendly reporting — envradar outputs plain text, markdown, or JSON. That makes it usable in a terminal, a CI log, or a bot pipeline that needs structured data for dashboards and review comments.

  • GitHub Action integration — envradar emits annotations, writes a job summary, and can generate markdown reports or files during a workflow run. If your release process already centers on Actions, this gives you policy enforcement without writing a custom parser.

  • Strict merge gating — envradar exits non-zero in strict mode, so you can fail the job when drift is found. This is the difference between a nice report and an actual control that stops bad merges.

  • Configurable ignore and placeholder lists — envradar supports envradar.yml for ignored variables and placeholder values. That keeps common noise like CI, GITHUB_TOKEN, or placeholder database URLs out of the signal path.

  • Safety-first behavior — envradar never prints the contents of local .env files. It only surfaces names and references, which is what you want from a repo hygiene check, not a secrets debugger.

envradar vs Alternatives

Pick envradar when the bug is documentation drift, not syntax linting or secret exposure. If you already run broader workflow automation with djevops, envradar fits as a focused repo-policy step, and you can browse all DevOps Automation tools if you are comparing adjacent options.

Tool | Best For | Key Differentiator | Pricing
envradar | env var drift checks in repos | Scans code, templates, compose files, and workflows, then can fail CI on missing or stale variables | Open-Source
dotenv-linter | dotenv file hygiene | Stronger .env syntax and naming checks, but less cross-repo context | Open-Source
trufflehog | secret exposure scanning | Finds leaked credentials across files and history instead of env documentation drift | Open-Source / Enterprise
detect-secrets | baseline-driven secret scans | Good for compliance-heavy secret policies, but not built for .env.example reconciliation | Open-Source

Choose envradar if your team keeps shipping code that depends on variables nobody documented. Choose dotenv-linter if your pain is malformed .env files and naming consistency inside the dotenv layer itself. Choose trufflehog or detect-secrets if the primary risk is credential leakage rather than drift between runtime needs and contributor docs.

How envradar Works

envradar uses static analysis, not runtime execution. It walks the repository, extracts environment-variable references from supported file types, and normalizes those names into a single inventory so it can compare what the code needs against what the repo documents.

The design is deliberately conservative. Instead of trying to interpret every shell expression, it focuses on patterns that are common and reliable: direct env lookups in code, placeholders in Docker Compose, and ${{ secrets.NAME }} or ${{ vars.NAME }} references in GitHub Actions. That keeps false positives low and makes the output useful for a merge gate.

Internally, envradar is basically a set comparison engine with repo-aware parsers. One set represents required runtime variables, another represents documented variables, and a third captures local-only or workflow-only names; the tool then reports the differences and can write reports or generated files from that model.

python -m pip install -e .
envradar . --format markdown --strict

The first command installs envradar from source, which is the fastest way to verify the CLI locally. The second command scans the current repository, prints a markdown report, and exits non-zero if strict findings exist, which is exactly what you want in a CI job or a pre-release check.
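To make the set-comparison model concrete, here is an added example, not the envradar project's own code, that reimplements the four-way drift classification in plain Python over a constructed sample repo. The file-type routing, the regex patterns, the IGNORE set (standing in for an envradar.yml ignore list) and the strict exit code are assumptions modelled on the behaviour described above.

```python
import re

# Constructed sample repository (not the envradar project's own files).
FILES = {
    "app.py": 'dsn = os.getenv("DATABASE_URL")\nkey = os.environ["API_KEY"]\n',
    "web.js": "const cache = process.env.REDIS_URL;\n",
    ".env.example": "DATABASE_URL=postgres://user:pass@localhost/db\nAPI_KEY=changeme\nLEGACY_FLAG=0\n",
    ".env": "DATABASE_URL=postgres://real-host/db\nAPI_KEY=s3cr3t\nDEBUG_PORT=5005\n",
    "docker-compose.yml": "services:\n  web:\n    environment:\n      - REDIS_URL=${REDIS_URL}\n",
    ".github/workflows/ci.yml": "env:\n  API_KEY: ${{ secrets.API_KEY }}\n  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}\n",
}
IGNORE = {"CI", "GITHUB_TOKEN"}  # assumed stand-in for an envradar.yml ignore list
DOC_TEMPLATES = {".env.example", ".env.sample", ".env.template"}
NAME = r"([A-Z_][A-Z0-9_]*)"
# Conservative static patterns: direct lookups only, no shell expansion or computed names.
CODE_PATTERNS = [
    re.compile(r"os\.getenv\(\s*[\"']" + NAME),
    re.compile(r"os\.environ\[\s*[\"']" + NAME),
    re.compile(r"process\.env\." + NAME),
]
COMPOSE_PATTERN = re.compile(r"\$\{" + NAME + r"\}")
WORKFLOW_PATTERN = re.compile(r"\$\{\{\s*(?:secrets|vars)\." + NAME + r"\s*\}\}")
DOTENV_PATTERN = re.compile("^" + NAME + "=", re.M)  # captures the key, never the value

def classify(files, ignore=IGNORE):
    """Build the required/documented/local/workflow inventories, then diff them."""
    required, documented, local, workflow = set(), set(), set(), set()
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base.endswith((".py", ".js")):
            required |= {m for p in CODE_PATTERNS for m in p.findall(text)}
        elif base in DOC_TEMPLATES:
            documented |= set(DOTENV_PATTERN.findall(text))
        elif base.startswith(".env"):
            local |= set(DOTENV_PATTERN.findall(text))  # names only; values are never surfaced
        elif "compose" in base:
            required |= set(COMPOSE_PATTERN.findall(text))
        elif path.startswith(".github/workflows/"):
            workflow |= set(WORKFLOW_PATTERN.findall(text))
    required, documented, local, workflow = (s - ignore for s in (required, documented, local, workflow))
    return {
        "missing_from_docs": sorted(required - documented),
        "documented_but_unused": sorted(documented - required),
        "local_only": sorted(local - required - documented),
        "workflow_only": sorted(workflow - required - documented),
    }

def strict_exit_code(report):
    """Strict mode: any finding means a non-zero exit, so the CI job fails."""
    return 1 if any(report.values()) else 0
```

On the sample repo this reports REDIS_URL as missing from docs, LEGACY_FLAG as documented but unused, DEBUG_PORT as local-only and DEPLOY_TOKEN as workflow-only, and the strict exit code is 1.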

Pros and Cons of envradar

Pros:

  • Covers code, example files, Docker Compose, and GitHub Actions in one scan, so maintainers do not need separate tools for each repo surface.
  • Supports 10 common language ecosystems, which is enough for most backend and full-stack repos without custom plugins.
  • Produces text, markdown, and JSON, so it works for humans, bots, and dashboards.
  • Can generate .env.example and contributor docs, which reduces the manual cleanup burden after a scan.
  • Has a strict mode plus GitHub Action annotations, so it is usable as an actual enforcement step rather than just a report generator.
  • Avoids printing secret values from local files, which keeps it aligned with repo hygiene instead of secret disclosure.

Cons:

  • Static pattern matching will miss some dynamic lookups, especially if your code constructs env names at runtime.
  • Shell scripts are intentionally not parsed yet, so repos that hide config logic in bash need other checks.
  • Very large monorepos may need separate scans per app or package to keep results precise.
  • It does not rotate secrets, manage access, or replace a dedicated secret manager.
  • Generated documentation still depends on placeholder quality, so bad placeholders can produce noisy output.

Getting Started with envradar

The quickest start is to install from source and scan the repo root. If you prefer isolated tooling, pipx install . also works and keeps the binary out of your global Python environment.

python -m pip install -e .
envradar .
envradar . --format markdown
envradar . --strict
envradar . --write-example .env.example
envradar . --write-docs docs/environment.md

The first scan gives you the baseline inventory of required, documented, local-only, and workflow-only variables. If you add an envradar.yml or .envradar.yml file at the repo root, envradar loads it automatically so you can ignore standard noise and set placeholder values for generated docs.

A good next step is to run envradar in CI with strict mode, then decide whether the repo should also generate contributor-facing markdown from the same scan. That workflow turns env drift into a visible maintenance task instead of an onboarding surprise.

Verdict

envradar is the strongest option for enforcing environment-variable hygiene in repos when you want a single check that covers source, templates, Docker Compose, and GitHub Actions. Its main strength is CI-ready drift detection; its main caveat is that static analysis misses dynamic shell-based lookups. Use it on every pull request if config drift keeps biting your team.
