Pre-commit secret detection that catches leaked credentials before they hit git. 76 patterns. 100% local. Zero telemetry.
Secrets leak every day through accidental commits. By the time you notice, attackers have already used them. EnvGuard stops the leak at the source.
One command sets up EnvGuard and hooks into your git workflow via Lefthook.
```
brew install lefthook && envguard hooks install
```
Write code normally. EnvGuard silently watches your staged files every time you commit. Zero friction.
If a secret is detected, the commit is blocked instantly with clear remediation steps. No secrets reach git.
Detects AWS, Stripe, GitHub, Slack, Google, Firebase, database URIs, private keys, and dozens more out of the box.
Blocks secrets before they ever reach git. Integrates with Lefthook for zero-config hook management across your team.
Suppress false positives with file-level and pattern-level allowlists. Stays out of your way on known-safe patterns.
Find secrets already buried in your repo history. Scan every commit to identify credentials that were committed in the past.
Generate compliance-ready SARIF output for integration with GitHub Code Scanning, Azure DevOps, and audit workflows.
Define your own secret formats with regex. Catch internal tokens, proprietary API keys, and organization-specific credentials.
| Feature | EnvGuard | GitGuardian | Gitleaks | TruffleHog |
|---|---|---|---|---|
| Price | Free / $19 / $39 | $50/dev/mo | Free (OSS) | Free (OSS) |
| Runs Locally | ✓ | ✗ (SaaS) | ✓ | ✓ |
| Pre-commit Hook | ✓ | ✓ | ✓ | ✗ |
| Zero Telemetry | ✓ | ✗ | ✓ | ✓ |
| Git History Scan | ✓ | ✓ | ✓ | ✓ |
| SARIF Reports | ✓ | ✓ | ✓ | ✗ |
| Custom Patterns | ✓ | ✓ | ✓ | ✓ |
| License Compliance | ✓ (via DepGuard) | ✗ | ✗ | ✗ |
| Built-in Patterns | 76+ | 350+ | ~150 | ~700 |
Start scanning for free. Upgrade for pre-commit protection.
Install EnvGuard in 30 seconds. Free, local, and silent until it matters.