Environment Variable Inventory Checker

Check status

Environment label:

Use a label that will make exported audit rows clear to teammates.

Required variables:

Accepts KEY, KEY=, export KEY=value, and commented .env.example lines.

Current inventory:

Paste the environment snapshot you want to compare against the required list.

{{ fileStatus || 'Drop .env, JSON, YAML, or TXT onto the textarea.' }}

Blank required values:

Recommended for deployment checks because an empty string often behaves like a missing variable.

Variable matching:

Keep exact matching unless your source inventory is known to mix cases inconsistently.

Allowed extra prefixes:

Use this for public build-time prefixes such as NEXT_PUBLIC_ or VITE_.

Sensitive name pattern:

Sensitive values stay redacted; this only adjusts risk flags and briefing rows.

Placeholder tokens:

One token per line. The default set catches common example, change-me, and local-only placeholders.

Lowercase names:

Flags naming drift without blocking the missing-variable inventory result.

Fix blockers before deployment

{{ row.check }}: {{ row.evidence }}

Review warnings before sharing this inventory

{{ row.check }}: {{ row.evidence }}

Variable	Status	Value state	Source	Detail	Copy
No required variables parsed Paste required variable names or load the template sample before exporting this audit.
{{ row.key }}	{{ row.status }}	{{ row.valueState }}	{{ row.source }}	{{ row.detail }}

Variable	Required	Value state	Source lines	Flags	Copy
No inventory variables parsed Paste an environment snapshot or load a sample before exporting this inventory.
{{ row.key }}	{{ row.required }}	{{ row.valueState }}	{{ row.sourceLines }}	{{ row.flags }}

Severity	Check	Evidence	Next action	Copy
{{ row.severity }}	{{ row.check }}	{{ row.evidence }}	{{ row.nextAction }}

{{ result.remediationStub }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Configuration drift is often invisible until a service boots with the wrong assumptions. The code may expect DATABASE_URL, the container image may define a default, the deployment manifest may reference a Secret, and a temporary shell may still carry yesterday's value. An environment variable inventory turns that scattered configuration into a reviewable contract: these names are required, this snapshot appears to provide them, and these entries still need correction before the release depends on them.

Environment variables are small name-value pairs supplied by a shell, operating system, container runtime, build system, or orchestrator. They are commonly used for service endpoints, credentials, runtime modes, feature flags, public build settings, and per-deploy hostnames. Their appeal is portability: the same application code can run in development, staging, and production while the surrounding environment changes. The tradeoff is that the environment becomes a moving target unless teams keep a clear list of expected names and compare it with the source being deployed.

A useful inventory review separates name coverage from value correctness. A required name can be present but blank, repeated, filled with placeholder text, or populated by a reference to another system. Those states are different. Missing and blank entries usually block a deployment, placeholders suggest copied template text, references need follow-up in the secret or config store, and duplicates need runtime-specific precedence checks.

Environment inventory concepts
Concept	Typical Example	Review Risk
Required name	`APP_ENV` appears in a release checklist or template.	The application may fail or choose a default when the name is missing.
Observed inventory	A pasted `.env` file, shell export, JSON object, or YAML manifest.	The snapshot may not match the environment actually used at startup.
Blank value	`REDIS_URL=` exists with no value after the equals sign.	Presence checks pass, but many applications treat the empty string like missing configuration.
Placeholder	`SENTRY_DSN=changeme` or `API_KEY=<SECRET>`.	Template text can survive into a release even though the variable is technically set.
Reference	A Kubernetes-style entry points at a ConfigMap or Secret.	The variable is wired, but the referenced key and value still need verification.
Duplicate definition	The same name appears twice in one file or after multiple files are merged.	Different loaders and operators may disagree about which value wins.

Environment inventory review flow from required names and observed text to redacted findings — A review stays easier to trust when expected names, observed text, parser rules, and redacted findings remain separate.

Inventories are most valuable before risky changes: a database migration, a new container image, a secret rotation, a disaster-recovery exercise, or a move from one deployment system to another. These are the moments when a name can be renamed in one place, left blank in another, or overridden by a higher-precedence source. The review does not replace a live smoke test, but it gives the team a compact map of configuration work that should happen before the smoke test becomes the first warning.

Values also need care even when they are not displayed. Variable names can reveal architecture, and raw pasted text may contain credentials. A good inventory habit is to redact or summarize values in shared evidence, keep raw snapshots private, and verify references in the system that owns the actual secret or configuration key.

How to Use This Tool:

Start with one required-variable list and one environment snapshot. The result is meant to support a release review, so keep the label and pasted source narrow enough that teammates know exactly which service and environment were checked.

Enter an Environment label such as worker-api production, billing staging, or a deployment ticket reference. The label appears in generated audit evidence and the remediation stub.
Paste the expected names into Required variables. Plain names, KEY= rows, KEY: value rows, export KEY=value, and declare -x KEY=value are accepted for requirement parsing.
Paste the observed snapshot into Current inventory, choose a supported text, JSON, YAML, or environment file with Browse file, or drop a file onto the textarea.
Selected files must be under 1 MiB. The file contents are loaded into the textarea before analysis, so remove secrets from the raw source before sharing your screen or browser history.
Leave Blank required values set to Block blanks for deployment checks. Switch to Allow blanks only when the application deliberately treats an empty string as a valid value.
Open Advanced when the inventory came from mixed documentation, includes intentional public prefixes, or needs stricter placeholder and sensitive-name rules. Use exact matching for real runtime checks unless you have a specific reason to compare names case-insensitively.
Use Load template, Passing sample, and Review sample to inspect the accepted shapes. Use Normalize after parsing looks correct if you want a sorted KEY=value snapshot from the last parsed value for each name.
If a Requirement syntax or Inventory syntax warning appears, fix the named line before trusting the coverage percentage.
Read the summary and blocker alert first. Then check Requirement Audit for each required name, Variable Inventory for extras and flags, Risk Briefing for next actions, and Coverage Breakdown for the set/reference/placeholder/empty/missing count.

Interpreting Results:

The primary status reports blockers when required names are missing or blank under the current blank-value setting. When no blocker exists, the status reports coverage for required names that are either set or populated by a reference. Placeholder, empty, and missing required names do not count as ready coverage.

Missing means no parsed current entry matched the required name.
Empty means the name exists but the final parsed value is an empty string.
Placeholder means the value matches built-in or configured placeholder patterns such as changeme, todo, example, ${TOKEN}, or <SECRET>.
Reference means the inventory points to another config or secret source. It counts as coverage, but the referenced value still needs its own check.
Extra means the name is outside the required list and does not begin with an allowed extra prefix.
Secret-like means the variable name contains a configured sensitive token such as SECRET, TOKEN, KEY, PASSWORD, PRIVATE, DSN, DATABASE_URL, or REDIS_URL.

A 100% coverage result is not proof that the live service is safe. It only means every required name in the pasted requirement list is either set or referenced in the observed snapshot. Confirm that the snapshot came from the target environment, that referenced Secrets or ConfigMaps contain the intended keys, and that duplicates resolve the same way in the actual runtime.

Use the Risk Briefing as the fix list. Blockers should be fixed before deployment, warnings should be reviewed before evidence is shared, and review items should be either removed, allowed, or documented. The JSON view is useful only after the visible tables match the source you meant to audit.

Technical Details:

Environment variable names in shell-oriented workflows usually use letters, digits, and underscores, with a letter or underscore as the first character. That conservative pattern keeps names portable across common command-line and deployment tooling, but it is stricter than every possible platform-specific key format. A name that falls outside that pattern is treated as malformed for this review rather than silently becoming part of the required set.

The comparison has three separate jobs: parse names from the required list, parse current entries from the observed inventory, and classify each required name by the last parsed current value under the selected matching mode. Exact matching is the default because environment names are normally case-sensitive. Case-insensitive review is available for messy documentation or hand-written lists, but it should not be used to excuse casing drift in an actual runtime source.

Transformation Core

The input transformation is intentionally small enough to audit. It recognizes common environment-file, shell, JSON, YAML, and Kubernetes-style shapes, then reduces them to variable names, source-line evidence, value states, and review flags.

Environment inventory transformation rules
Stage	Accepted Shape	Audit Effect
Required parse	`KEY`, `KEY=`, `KEY: value`, `export KEY=value`, `declare -x KEY=value`, and list rows beginning with a valid name.	Creates one required row per valid name and warns about malformed or duplicate requirement lines.
Inventory parse	`KEY=value`, shell export rows, simple YAML key-value rows, JSON objects or arrays, and Kubernetes-style `name` with `value` or `valueFrom`.	Builds the current inventory with source lines, source kind, duplicate counts, and redacted value states.
Comment and quote handling	Inline comments beginning with `#` after whitespace are stripped unless they are inside quotes; simple quoted values are unwrapped.	Prevents common `.env` comments from being mistaken for value text.
Duplicate handling	Multiple current entries with the same matched name are grouped, and the last parsed value supplies the value state.	Requirement rows and inventory rows keep duplicate warnings because another loader may choose or show a different effective value.
Reference detection	JSON or YAML entries with `valueFrom` are marked as references.	References count as required-name coverage while still requiring a separate Secret or ConfigMap check.

Rule Core

Severity depends on what the value state implies for a deployment review. The same parsed row can also carry flags for duplicates, lowercase names, extra variables, allowed extra prefixes, or secret-like names.

Environment variable inventory signals and outcomes
Signal	Trigger	Resulting Action
Missing required variable	No current entry matches a required name.	Blocker finding and remediation-stub line.
Blank required value	The final parsed current value is empty.	Blocker when blanks are blocked; review finding when blanks are intentionally allowed.
Placeholder value	The value matches configured tokens or built-in placeholder shapes such as `change-me`, `replace_me`, `null`, `undefined`, `example.com`, `${NAME}`, or `<NAME>`.	Warning finding and remediation-stub line.
Set value	The value is non-empty and not placeholder-like.	Counts as ready coverage; the value is summarized as a redacted character count.
Reference	The current inventory uses `valueFrom` instead of an inline value.	Counts as ready coverage, with follow-up outside the pasted text.
Extra variable	A parsed current name is not required and does not start with an allowed extra prefix.	Review finding for cleanup or ownership confirmation.
Secret-like name	The name includes a configured sensitive token and the value is set.	Review finding to verify approved secret handling without printing the value.
Lowercase name	The parsed name contains lowercase characters while lowercase warnings are enabled.	Warning finding for naming drift unless that lowercase name is intentional.

Formula Core

Coverage measures required-name readiness only. It ignores extra variables, sensitive-name review items, syntax warnings, chart rows, and export availability.

Coverage = \frac{set required names + referenced required names}{total required names} \times 100 %

If six required names are listed, four are set, one is a reference, and one is missing, coverage is (4 + 1) / 6 x 100, or 83.3% before the summary rounds it for display. The missing name still appears as a blocker even if every extra or secret-like review item has already been addressed.

The remediation stub is built from missing, empty, and placeholder required names, sorted alphabetically. It is a starter edit list for the next configuration change. It does not know the correct values, and it does not include duplicate, extra, lowercase, or secret-like review items unless those names are also missing, blank, or placeholder-like required variables.

Advanced Tips:

Keep Variable matching on exact names for runtime evidence. Use case-insensitive review only to reconcile rough documentation before fixing the casing in the real source.
Add allowed extra prefixes for intentional client-visible build variables such as NEXT_PUBLIC_ and VITE_, but avoid using broad prefixes that hide unrelated deployment drift.
Tune Placeholder tokens for local conventions such as local-only or ask-devops when those values should never pass a release review.
Use the Sensitive name pattern to flag names that imply credentials in your environment. It flags names only; it does not inspect or reveal the secret value.
Run Normalize after syntax warnings are fixed. The normalized text uses the last parsed value per name, so it should not be treated as proof of runtime precedence.

Limitations and Privacy Notes:

The review runs against the pasted or loaded text in the browser. It does not query a running process, inspect a cluster, fetch a Secret, read a ConfigMap, or confirm which source the application reads during startup.

Set values are redacted in result rows and generated evidence, but the original textarea still contains the raw text you supplied.
Environment labels, variable names, source lines, and reference names can reveal architecture even when values are hidden.
Do not share raw snapshots, normalized inventory text, page addresses, screenshots, or exported evidence without checking whether names and labels are sensitive.
Secret and ConfigMap references require a separate check in the target environment before they can be treated as release-ready.

Worked Examples:

These examples use the checker behavior that matters most in release reviews: missing names, placeholder values, references, and parser warnings.

Production review sample

The built-in review sample expects APP_ENV, DATABASE_URL, REDIS_URL, SENTRY_DSN, FEATURE_PAYMENTS, and PUBLIC_APP_ORIGIN. The current inventory leaves REDIS_URL blank, keeps SENTRY_DSN=changeme, repeats FEATURE_PAYMENTS, includes EXTRA_DEBUG, and has lowercase_name. With blank values blocked, the summary reports blockers, Requirement Audit shows the missing and empty required rows, and Risk Briefing separates blocker, warning, and review actions.

Referenced database URL

A Kubernetes-style entry with - name: DATABASE_URL followed by valueFrom: is classified as Reference. That required name counts toward coverage because the manifest wires the variable, but the follow-up is not inside the inventory text. Check the referenced Secret or ConfigMap key in the target namespace and confirm that the deployment account can read it.

Blank value allowed for a feature flag

If an application deliberately treats an empty FEATURE_PAYMENTS value as valid, switch Blank required values to Allow blanks before judging the review. The blank row changes from blocker to review severity, but Requirement Audit still reports Empty and the coverage formula still excludes it from set-or-reference readiness.

Malformed requirement line

A required-list row such as 1BAD_NAME=value does not start with a valid environment variable name, so it becomes a Requirement syntax warning instead of a required variable. The required-count badge will be lower than the checklist expects. Rewrite the row with a valid name, rerun the review, and confirm the required count before sharing the result.

FAQ:

Which inventory formats can I paste?

You can paste plain KEY=value rows, shell export or declare -x output, simple YAML key-value rows, JSON objects or arrays, and Kubernetes-style environment entries with name, value, or valueFrom.

Are actual values shown in the audit tables?

Set values are reported as redacted character counts. Empty, missing, placeholder, reference, duplicate, and syntax states are shown because those states are needed for the review. The source textarea still contains the raw text you supplied.

Why did coverage drop after I allowed blank values?

Allowing blanks changes the severity of blank required values from blocker to review, but coverage still counts only set and referenced required names. Empty values remain empty even when they are acceptable for one application.

Should I use case-insensitive matching?

Use it for messy checklists or documentation drafts, not for final runtime evidence. Exact matching better reflects shell-oriented environment behavior and helps catch names that differ only by case.

Why is my public frontend variable marked extra?

A current variable outside the required list is extra unless it starts with an allowed extra prefix. Add intentional prefixes such as NEXT_PUBLIC_ or VITE_ when those variables belong in the inventory but are not part of the required server checklist.

Does a reference prove the secret value is correct?

No. A reference means the inventory points to another config or secret source. Check the referenced key and value in the target environment before treating the release as ready.

Why was a line ignored or marked as a syntax warning?

The parser expects a valid variable name and a recognizable assignment, JSON, YAML, or Kubernetes-style shape. Remove decorative text, fix malformed names, or rewrite the row as KEY=value before relying on the summary.

Glossary:

Required name: A variable name that the application, release checklist, or template expects to exist.
Observed inventory: The pasted or loaded environment snapshot being compared with the required names.
Value state: The redacted classification of a parsed value, such as set, empty, placeholder, missing, or reference.
Placeholder: A value that looks like example text, change-me text, or a token marker rather than a deployment-specific value.
Reference: An entry showing that the variable is populated from another config or secret source.
Allowed extra prefix: A configured prefix that marks non-required variables as intentional extras.
Secret-like name: A variable name whose tokens suggest credentials, keys, tokens, database URLs, DSNs, or other sensitive configuration.
Remediation stub: A starter environment list for required names that were missing, blank, or placeholder-like.

References:

III. Config, The Twelve-Factor App, last updated 2017.
Environment variables in Compose, Docker Docs.
Environment variables precedence in Docker Compose, Docker Docs.
Define Environment Variables for a Container, Kubernetes Documentation.
Secrets Management Cheat Sheet, OWASP Cheat Sheet Series.
How to set environment variables in Linux command line, simplified.guide.
How to use an env file with Docker Compose, simplified.guide.