| Version | Supported |
|---|---|
| 1.x.x | ✅ |
Do not report security vulnerabilities through GitHub Issues.
If you discover a security vulnerability in dotenv-scan:
- Email: Open a GitHub Security Advisory (preferred) at github.com/dotenv-scan/dotenv-scan/security/advisories/new
- Include:
  - Type of vulnerability
  - File paths of affected code
  - Steps to reproduce
  - Potential impact
- Response time: You will receive a response within 48 hours.
- Disclosure: We follow responsible disclosure — fixes are shipped before any public disclosure.
dotenv-scan is a local-only CLI tool with these security properties:
- No network access — dotenv-scan never makes HTTP requests or phone-home calls
- No secret exfiltration — the tool reads `.env` files but only outputs variable names, never values
- No arbitrary code execution — pure regex-based scanning, no `eval` or `Function` constructors
- File system read-only — `scan` and `check` only read files; `generate` writes only to `.env.example`
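The following is an added illustration of the properties listed above, not dotenv-scan's own source: a name-only `.env` reader that enforces the 1MB size cap with a bounded per-line regex and renders a `.env.example` body with values stripped. The names `MAX_FILE_BYTES`, `ENV_LINE`, `scanEnvText` and `renderExample`, and the sample input, are constructed for this example.

```javascript
// Illustrative example (not dotenv-scan's code): read-only scanning that
// surfaces variable names only, never values, and refuses oversized input.
const MAX_FILE_BYTES = 1024 * 1024; // assumed 1MB limit, as described above

// Bounded pattern: anchored, no nested quantifiers, so it runs in linear time
// per line and cannot be driven into catastrophic backtracking.
const ENV_LINE = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/;

// Return the variable names declared in `text`, discarding values entirely.
// Returns null when the input exceeds the size cap (caller treats as skipped).
function scanEnvText(text) {
  if (Buffer.byteLength(text, "utf8") > MAX_FILE_BYTES) return null;
  const names = new Set();
  for (const line of text.split(/\r?\n/)) {
    if (line.trim().startsWith("#")) continue; // comment line
    const m = ENV_LINE.exec(line);
    if (m) names.add(m[1]); // only the name is retained
  }
  return [...names];
}

// Render a .env.example body: names only, every value left empty.
function renderExample(names) {
  return names.map((n) => `${n}=`).join("\n") + "\n";
}

// Constructed sample .env content for demonstration.
const SAMPLE_ENV = [
  "# database settings",
  "DB_HOST=localhost",
  "DB_PASSWORD='s3cr3t'",
  "export API_KEY=abc123",
  "  # indented comment",
  "NOT A VAR",
].join("\n");

const found = scanEnvText(SAMPLE_ENV);
console.log(found); // prints [ 'DB_HOST', 'DB_PASSWORD', 'API_KEY' ]
process.stdout.write(renderExample(found));
```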
| Consideration | Status | Details |
|---|---|---|
| .env values in output | ✅ Safe | Only variable names are reported, never values |
| Path traversal via --dir | ✅ Safe | path.resolve() normalizes paths; fast-glob handles pattern safety |
| Regex DoS via malicious source files | ✅ Mitigated | File size limit of 1MB enforced; regex patterns are bounded |
| Supply chain | ✅ Monitored | Dependencies are minimal (3 runtime deps: chalk, commander, fast-glob) |