

jcadima/vaultcheck
==================

CLI tool to audit secrets and environment variable hygiene across a project

- Version: v1.1.4 (released 2d ago)
- License: MIT
- Requires: PHP ^8.2
- Since Apr 6, pushed today

[Source](https://github.com/jcadima/vaultcheck) · [Packagist](https://packagist.org/packages/jcadima/vaultcheck) · [Docs](https://github.com/jcadima/vaultcheck)

![A PHP CLI tool that audits environment variable and secrets hygiene across your project](https://camo.githubusercontent.com/d1d6db5d031acabd0e599a27eb5423cbfe2addc1e032ba5a8ace807d225588e6/68747470733a2f2f6a636164696d612e6465762f696d616765732f7661756c74636865636b5f62672e706e67)

VaultCheck
==========


A PHP CLI tool that audits environment variable and secrets hygiene across your project. Think of it as a spell-checker for your `.env` files: it catches security problems before they become incidents.

```
  CRITICAL  [E008]  APP_DEBUG=true in a production environment exposes stack traces.
  CRITICAL  [G008]  STRIPE_KEY: current value was found in git history, never rotated.
  HIGH      [E007]  APP_KEY is empty. Laravel cannot encrypt sessions without it.
  MEDIUM    [E011]  Duplicate key 'DB_PASSWORD' on line 14 (first seen on line 8).
  LOW       [C001]  Environment variable 'LEGACY_KEY' is defined but never referenced.

  5 finding(s): 2 CRITICAL, 1 HIGH, 1 MEDIUM, 1 LOW

```

---

Requirements
------------


- PHP 8.2+
- `git` binary (for G001–G008 git history checks)

---

Installation
------------


**Via Composer (recommended):**

```
composer global require jcadima/vaultcheck
```

After install, make sure Composer's global `bin/` directory is in your `$PATH`. The directory differs between Composer v1 and v2, so let Composer resolve it for you:

```
# Works for both Composer v1 and v2 — detects the correct bin dir automatically
echo "export PATH=\"\$PATH:$(composer global config bin-dir 2>/dev/null)\"" >> ~/.bashrc
source ~/.bashrc
```

If you use **zsh**, replace `~/.bashrc` with `~/.zshrc`.

**VPS / server alternative — symlink to `/usr/local/bin` (no shell profile changes needed):**

```
sudo ln -sf "$(composer global config bin-dir)/vaultcheck" /usr/local/bin/vaultcheck
```

This makes `vaultcheck` available to all users and works in cron jobs, scripts, and CI pipelines without any PATH configuration.

Verify the install:

```
vaultcheck --version
vaultcheck audit /path/to/your/project
```

**Via Docker Compose (local build):**

```
git clone https://github.com/jcadima/vaultcheck.git
cd vaultcheck

# Build and start the container
docker compose -f docker-compose-local.yml up -d --build

# Install dependencies (once)
docker compose -f docker-compose-local.yml exec vaultcheck composer install

# Run the audit against a target project
docker compose -f docker-compose-local.yml exec vaultcheck php bin/vaultcheck audit /path/to/project

# Stop when done
docker compose -f docker-compose-local.yml down
```

**From source:**

```
git clone https://github.com/jcadima/vaultcheck.git
cd vaultcheck && composer install
php bin/vaultcheck audit /path/to/your/project
```

---

Usage
-----


### `vaultcheck audit`: Run a full security audit

```
# Scan current directory
vaultcheck audit

# Scan a specific path
vaultcheck audit /path/to/project

# Output as JSON (useful for CI pipelines and dashboards)
vaultcheck audit --output=json

# Output as Markdown (useful for reports and documentation)
vaultcheck audit --output=markdown

# Exit with code 1 if any MEDIUM or higher finding exists (for CI/CD gates)
vaultcheck audit --strict

# Skip git history scanning (faster for local dev)
vaultcheck audit --skip-history

# Scan entire git history instead of just the last 500 commits
vaultcheck audit --full-history

# Reveal MEDIUM findings too (e.g. missing keys in .env.example, short secrets)
vaultcheck audit --min-severity=MEDIUM

# Show everything including LOW-priority items
vaultcheck audit --min-severity=LOW
```

By default, only `CRITICAL` and `HIGH` findings are shown — these are the genuine red flags that need immediate attention. Lower-severity findings are still detected and a count is displayed at the bottom with instructions to reveal them.

Valid values for `--min-severity`: `CRITICAL`, `HIGH` *(default)*, `MEDIUM`, `LOW`, `INFO`.

### `vaultcheck keys`: List all environment variables and their status

```
vaultcheck keys /path/to/project
```

```
Key              Status           Value (masked)   References
APP_KEY          MISSING_DEFAULT  ba**********h=   0 ref(s)
DB_PASSWORD      UNUSED           ch**me           3 ref(s)
UNDEFINED_KEY    EMPTY            (empty)          —

```

| Status | Meaning |
|---|---|
| `DEFINED` | Has a value and is referenced in code |
| `EMPTY` | In `.env` but has no value |
| `EXAMPLE_ONLY` | Only in `.env.example`, not in `.env` |
| `UNUSED` | In `.env` but never called in PHP code |
| `MISSING_DEFAULT` | Called via `env('KEY')` without a fallback |

### `vaultcheck snapshot`: Save a baseline

```
# Save current state (key hashes + findings)
vaultcheck snapshot /path/to/project

# Include git history checks in the snapshot
vaultcheck snapshot --include-history /path/to/project
```

Saves to `.vaultcheck/snapshot.json`. Secret values are **never stored** — only SHA-256 hashes.

### `vaultcheck drift`: Detect what changed since the snapshot

```
vaultcheck drift /path/to/project
```

```
Key Changes:
  [+] NEW     STRIPE_KEY  (added)
  [=] same    APP_KEY
  [~] CHANGED DB_PASSWORD (value changed)

Finding Changes:
  [+] NEW     [CRITICAL] G002  Stripe key found in history
  [-] RESOLVED [HIGH]    E015  .env.bak backup file found

```
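The snapshot and drift commands above work on SHA-256 digests of the values rather than the values themselves. As an added example (not VaultCheck's own code), the following stand-alone PHP script shows the same hash-only approach end to end: parse a `.env`, persist only digests, then classify each key as NEW, REMOVED, CHANGED or same. The function names, the temp-file path, the snapshot file layout and the sample values are this example's own assumptions, not the project's format.

```php
<?php
// Added example, not VaultCheck's own code: hash-only snapshot and drift
// detection for a .env file. It follows the README's rule that secret values
// are never stored, only SHA-256 digests. Function names, the temp-file path,
// the JSON layout and the sample values are this example's own assumptions.
declare(strict_types=1);

/** Parse KEY=VALUE lines of a .env string into key => value (last definition wins). */
function parseEnv(string $contents): array
{
    $vars = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || str_starts_with($line, '#') || !str_contains($line, '=')) {
            continue; // blank, comment or malformed line
        }
        [$key, $value] = explode('=', $line, 2);
        $vars[trim($key)] = trim($value, " \t\"'");
    }
    return $vars;
}

/** Build a snapshot: key => sha256(value). Raw values never leave this function. */
function snapshot(array $vars): array
{
    $snap = [];
    foreach ($vars as $key => $value) {
        $snap[$key] = hash('sha256', $value);
    }
    ksort($snap);
    return $snap;
}

/** Compare a saved snapshot with the current one: NEW, REMOVED, CHANGED or same per key. */
function drift(array $saved, array $current): array
{
    $result = [];
    foreach (array_unique(array_merge(array_keys($saved), array_keys($current))) as $key) {
        if (!isset($saved[$key])) {
            $result[$key] = 'NEW';
        } elseif (!isset($current[$key])) {
            $result[$key] = 'REMOVED';
        } elseif (!hash_equals($saved[$key], $current[$key])) {
            $result[$key] = 'CHANGED';
        } else {
            $result[$key] = 'same';
        }
    }
    ksort($result);
    return $result;
}

// Constructed sample input: the .env at snapshot time and the .env now.
$atSnapshot = "APP_KEY=base64:constructed-example\nDB_PASSWORD=old-secret\nMAIL_PASSWORD=mail-secret\n";
$now        = "APP_KEY=base64:constructed-example\nDB_PASSWORD=new-secret\nSTRIPE_KEY=placeholder-value\n";

// Persist only the digests, in the spirit of .vaultcheck/snapshot.json (layout assumed).
$snapshotFile = sys_get_temp_dir() . '/vaultcheck-example-snapshot.json';
file_put_contents($snapshotFile, json_encode(snapshot(parseEnv($atSnapshot)), JSON_PRETTY_PRINT));

$saved   = json_decode(file_get_contents($snapshotFile), true);
$current = snapshot(parseEnv($now));

$marks = ['NEW' => '+', 'REMOVED' => '-', 'CHANGED' => '~', 'same' => '='];
foreach (drift($saved, $current) as $key => $status) {
    printf("  [%s] %-8s %s\n", $marks[$status], $status, $key);
}
```

One caveat a practitioner should keep in mind: an unsalted SHA-256 of a short or guessable value can still be brute-forced offline, so a snapshot file that holds digests of secrets should itself be kept out of version control and treated as sensitive, even though it never contains the plaintext.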

### `vaultcheck fix`: Auto-fix safe issues

```
# Preview what would be fixed (no changes applied)
vaultcheck fix --safe --dry-run /path/to/project

# Apply all safe fixes with confirmation prompt
vaultcheck fix --safe /path/to/project

# Apply without confirmation
vaultcheck fix --safe --yes /path/to/project
```

| Issue fixed | Action |
|---|---|
| P001 — world-readable `.env` | `chmod 600 .env` |
| P002 — world-writable `.env` | `chmod 600 .env` |
| P003 — group-writable `.env` | `chmod 640 .env` |
| E010 — Windows CRLF line endings | Convert `\r\n` → `\n` |
| E011 — duplicate keys | Remove duplicates, keep first |

---

CI/CD Integration
-----------------


Add VaultCheck to your pipeline to block deployments if secrets hygiene regresses:

```
# GitHub Actions example
- name: Audit secrets hygiene
  run: |
    composer global require jcadima/vaultcheck
    vaultcheck audit --strict --skip-history
```

The `--strict` flag causes the process to exit with code `1` if any `MEDIUM` or higher finding exists, failing the pipeline step.

---

Check Reference
---------------


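The tables in this section list every check by ID. To make the file-level checks concrete, here is an added example (not VaultCheck's own code): a small stand-alone PHP linter that reproduces the logic behind E006, E008, E010, E011, S001, S002 and S006 on a constructed `.env`. The IDs and severities follow the tables; the placeholder list, the "secret-like key" suffix pattern, the function names and the sample input are this example's own assumptions.

```php
<?php
// Added example, not VaultCheck's own code: a minimal .env linter that
// reproduces the logic behind a few of the checks in the reference
// (E006, E008, E010, E011, S001, S002, S006). Check IDs and severities
// follow the tables; the heuristics, names and sample input are assumptions.
declare(strict_types=1);

// Assumed placeholder list; VaultCheck's real list is not documented here.
const PLACEHOLDERS = ['changeme', 'your-key-here', 'secret', 'password', 'todo'];
// Assumed: keys with these suffixes are treated as secrets for strength checks.
const SECRET_KEY_PATTERN = '/(KEY|SECRET|PASSWORD|TOKEN)$/';

/**
 * Lint the raw contents of a .env file.
 * Returns a list of ['id', 'severity', 'message'] findings.
 */
function lintEnv(string $contents): array
{
    $findings = [];
    $emit = function (string $id, string $severity, string $message) use (&$findings): void {
        $findings[] = ['id' => $id, 'severity' => $severity, 'message' => $message];
    };

    // E010: Windows CRLF line endings.
    if (str_contains($contents, "\r\n")) {
        $emit('E010', 'LOW', 'Windows CRLF line endings');
    }

    $vars = [];      // key => value; first definition wins (the `fix` command keeps the first)
    $firstLine = []; // key => line number where it was first defined
    foreach (preg_split('/\R/', $contents) as $i => $line) {
        $lineNo = $i + 1;
        $line = trim($line);
        if ($line === '' || str_starts_with($line, '#') || !str_contains($line, '=')) {
            continue; // blank, comment or malformed line
        }
        [$key, $value] = explode('=', $line, 2);
        $key = trim($key);
        $value = trim($value, " \t\"'");

        // E011: duplicate key.
        if (isset($firstLine[$key])) {
            $emit('E011', 'MEDIUM', "Duplicate key '$key' on line $lineNo (first seen on line {$firstLine[$key]})");
            continue;
        }
        $firstLine[$key] = $lineNo;
        $vars[$key] = $value;
    }

    $production = ($vars['APP_ENV'] ?? '') === 'production';

    // E008: debug mode enabled in production.
    if ($production && ($vars['APP_DEBUG'] ?? '') === 'true') {
        $emit('E008', 'CRITICAL', 'APP_DEBUG=true in a production environment exposes stack traces.');
    }

    foreach ($vars as $key => $value) {
        // E006: placeholder value.
        if (in_array(strtolower($value), PLACEHOLDERS, true)) {
            $emit('E006', 'MEDIUM', "$key has a placeholder value");
        }
        if ($value === '' || !preg_match(SECRET_KEY_PATTERN, $key)) {
            continue; // strength checks only apply to non-empty secret-like keys
        }
        // S001: short secret.
        if (strlen($value) < 16) {
            $emit('S001', 'MEDIUM', "$key is shorter than 16 characters");
        }
        // S002: every letter in the secret is lowercase (low entropy).
        if (ctype_lower(preg_replace('/[^A-Za-z]/', '', $value))) {
            $emit('S002', 'LOW', "$key is all lowercase");
        }
    }

    // S006: database password identical to the username.
    if (isset($vars['DB_PASSWORD'], $vars['DB_USERNAME']) && $vars['DB_PASSWORD'] === $vars['DB_USERNAME']) {
        $emit('S006', 'HIGH', 'DB_PASSWORD is the same as DB_USERNAME');
    }

    return $findings;
}

// Constructed sample .env, deliberately unhygienic so every check above fires.
$sample = "APP_ENV=production\r\nAPP_DEBUG=true\r\nDB_USERNAME=forge\r\n"
        . "DB_PASSWORD=forge\r\nAPI_KEY=changeme\r\nDB_PASSWORD=other\r\n";

foreach (lintEnv($sample) as $f) {
    printf("  %-8s  [%s]  %s\n", $f['severity'], $f['id'], $f['message']);
}
```

Two design points carry over to any real linter of this kind: duplicate detection keeps the first definition (matching what `vaultcheck fix` does for E011), and strength checks are applied only to keys that look like secrets, so a short value such as `APP_ENV=production` is not flagged as a weak credential.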
### Environment (E001–E015)


| ID | Severity | What it catches |
|---|---|---|
| E001 | HIGH | `.env` file is missing |
| E002 | MEDIUM | `.env.example` is missing |
| E003 | MEDIUM | Key in `.env` but missing from `.env.example` |
| E004 | LOW | Key in `.env.example` but absent from `.env` |
| E005 | HIGH | Empty value in production |
| E006 | MEDIUM | Placeholder value (`changeme`, `your-key-here`, etc.) |
| E007 | HIGH | `APP_KEY` missing, empty, or malformed |
| E008 | CRITICAL | `APP_DEBUG=true` in production |
| E009 | HIGH | `DB_HOST` set to `localhost` in production |
| E010 | LOW | Windows CRLF line endings |
| E011 | MEDIUM | Duplicate key in `.env` |
| E012 | HIGH | Real-looking secret value in `.env.example` |
| E013 | LOW | No log level configured |
| E014 | MEDIUM | Development driver (`file`, `sync`, `array`) in production |
| E015 | HIGH | Backup `.env` file found (`.env.bak`, `.env.old`, etc.) |

### Codebase (C001–C005)

| ID | Severity | What it catches |
|---|---|---|
| C001 | LOW | Env var defined in `.env` but never referenced in code |
| C002 | HIGH / MEDIUM / LOW | Code calls `env('KEY')` for a key not defined in `.env`. Severity depends on call origin: **HIGH** when application code (e.g. `app/`) has no fallback default; **MEDIUM** when application code has a fallback default; **LOW** when only `config/` files reference it (optional framework integrations). |
| C003 | MEDIUM | `env('KEY')` called without a fallback default in application code. Calls originating only from `config/` files are suppressed — Laravel framework configs intentionally omit defaults for optional integrations. |
| C004 | MEDIUM | `env()` called outside a `config/` file (breaks `config:cache`) |
| C005 | LOW | Casing mismatch between `.env` key and `env()` call |

### Permissions (P001–P004)

| ID | Severity | What it catches |
|---|---|---|
| P001 | CRITICAL | `.env` is world-readable |
| P002 | CRITICAL | `.env` is world-writable |
| P003 | MEDIUM | `.env` is group-writable |
| P004 | CRITICAL | `.env` inside `public/`, `web/`, or other web-accessible directory |

### Consistency (X001–X005)

| ID | Severity | What it catches |
|---|---|---|
| X001 | HIGH | `DB_PASSWORD` identical across environment files |
| X002 | CRITICAL | `APP_KEY` shared between environments |
| X003 | HIGH | Sensitive key has the same value in production and non-production |
| X004 | MEDIUM | `APP_ENV` value doesn't match what the filename implies |
| X005 | LOW | Key in `.env.staging` / `.env.testing` not in `.env.example` |

### Strength (S001–S006)

| ID | Severity | What it catches |
|---|---|---|
| S001 | MEDIUM | Secret shorter than 16 characters |
| S002 | LOW | Secret is all lowercase (low entropy) |
| S003 | HIGH | Secret matches a known-weak password |
| S004 | MEDIUM | `APP_KEY` set but missing the `base64:` prefix |
| S005 | HIGH | `JWT_SECRET` shorter than 32 characters |
| S006 | HIGH | `DB_PASSWORD` is the same as `DB_USERNAME` |

### Git History (G001–G008)

| ID | Severity | What it catches |
|---|---|---|
| G001 | CRITICAL | `.env` was ever committed to git history |
| G002 | CRITICAL | Known service credential (Stripe, AWS, GitHub, etc.) found in a commit |
| G003 | HIGH | High-entropy token found in a commit (likely secret, unknown format) |
| G004 | HIGH | `.env.bak` or `.env.backup` was ever committed |
| G005 | HIGH | Hard-coded credential found in `config/` directory history |
| G006 | CRITICAL | `.env` not listed in `.gitignore` |
| G007 | HIGH | `.env` committed before `.gitignore` was set up |
| G008 | CRITICAL | Current `.env` value found in git history — leaked and not rotated |

License
-------

MIT


Maintainer: [jcadima](https://github.com/jcadima)

Tags: cli, security, env, audit, secrets

Tests: PHPUnit


PHPackages © 2026
