# SlickEnv

> The Security Layer for Environment Variables

SlickEnv is a CLI-first secret lifecycle security tool — scan → protect → sync → audit. It combines encrypted env sync with a full secret security suite: scanner, git history cleanup, AI firewall, drift monitor, and env linter.

## Key Features

- **Secret Scanner**: 53-pattern engine detects AWS, Stripe, GitHub, OpenAI, Anthropic, JWT, DB URLs, and 45+ more patterns across files, git history, MCP configs, and AI-generated code.
- **Git History Protection**: Audit entire commit history for leaked secrets, guided BFG Repo-Cleaner cleanup, and pre-commit hook to block future leaks.
- **AI Safety Layer**: Auto-generates .cursorignore, .claudeignore, .copilotignore, .aiexclude. slickenv:// reference system means AI tools never see real values.
- **End-to-end encryption**: AES-256-GCM client-side encryption. The server never sees plaintext values.
- **Version control**: Every push creates an immutable version. Roll back, diff, or pull any version.
- **Audit Log & Drift Monitor**: Full audit trail for every push, pull, share, and rollback. Environment drift detection across staging/production.
- **Env Linter**: 11 rules run silently on every push and pull. Catches lowercase keys, duplicates, unquoted spaces, missing examples.
- **Encrypted Share Links**: AES-256-GCM per-link key, one-time self-destruct, expiry, read limit, password protection.
- **Team sync**: Share environments across your team with role-based access (admin, member, viewer).
- **CLI-first**: Install with `npm i -g slickenv`, authenticate with `slickenv login`, and manage everything from the terminal.

## CLI Commands

### Core Sync

- `slickenv init` - Initialise a project (with smart source-code scan + security wizard)
- `slickenv login` - Authenticate via browser OAuth; opens dashboard in browser on success
- `slickenv push` - Push local .env to remote (encrypted, linted)
- `slickenv pull` - Pull remote .env to local (decrypted, linted)
- `slickenv status` - Compare local vs remote and show sync state
- `slickenv versions` - List version history
- `slickenv diff` - Compare two versions
- `slickenv rollback` - Roll back to a previous version
- `slickenv export` - Generate .env.example
- `slickenv share` - Create shareable view or encrypted one-time link (--link --expires --reads --password)
- `slickenv run` - Resolve slickenv:// references at runtime (values in memory only)

### Secret Scanner

- `slickenv scan` - Scan for leaked secrets (--files --git --mcp --ai-generated --ci --fix --severity). Silently stores results to the dashboard when the user is authenticated.

### Git Protection

- `slickenv git scan` - Search entire commit history for secrets
- `slickenv git audit` - Visual timeline of secret-containing commits
- `slickenv git clean` - Guided BFG Repo-Cleaner wrapper
- `slickenv git protect` - Install pre-commit hook

### AI Safety

- `slickenv ai protect` - Generate AI tool ignore files (.cursorignore, .claudeignore, .copilotignore, .aiexclude)
- `slickenv ai status` - Show AI tool protection status

### Team Management

- `slickenv members list` - List project members
- `slickenv members invite` - Invite a team member
- `slickenv members remove` - Remove a team member

## Security Features

- **53-Pattern Scanner** — Detects AWS keys, Stripe secrets, GitHub tokens, OpenAI keys, Anthropic keys, JWT tokens, database URLs, private keys, and 45+ more
- **Git History Scanner** — Finds secrets committed months ago that .gitignore never caught
- **AI Firewall** — .aiignore generation for Cursor, Claude Code, GitHub Copilot, Windsurf, Continue.dev
- **Pre-Commit Hook** — Blocks secrets at the commit level before they leave the machine
- **Per-Link Encryption** — Each share link has its own AES-256-GCM key

## Dashboard

The web dashboard at /dashboard provides:

- **Projects overview** with security snapshot and stats cards
- **Onboarding checklist** for new users — guides through install, first push, git audit, and AI protection
- **Project detail** with environments, team members, security overview panels, and sub-views: Git History, AI Monitor, Drift, Audit Log
- **Project Settings** — rename, update description, archive, or permanently delete a project
- **Share Links tracker** (/dashboard/share-links) — lists all encrypted share links with access status (Pending / Accessed / Used / Expired), read counts, and last access timestamps
- **Dark/light mode toggle** — in the sidebar footer and mobile top bar; keyboard shortcut D also works
- **Security Snapshot** — cross-project view of critical findings, stale secrets, scan counts, and audit activity

## Upcoming Features

- Native VS Code extension for inline secret warnings
- GitHub Action for automated secret scanning on PRs
- Slack and Teams notifications for stale or over-shared secrets
- SAML SSO and on-premise deployment for enterprise teams

## Pages

- Website: https://env.slickspender.com
- Features: https://env.slickspender.com/features
- How It Works: https://env.slickspender.com/how-it-works
- Security: https://env.slickspender.com/security
- Pricing: https://env.slickspender.com/pricing
- About: https://env.slickspender.com/about
- Changelog: https://env.slickspender.com/changelog
- Compare: https://env.slickspender.com/compare
- vs GitHub: https://env.slickspender.com/compare/github-secret-scanning
- vs Doppler: https://env.slickspender.com/compare/doppler
- vs Infisical: https://env.slickspender.com/compare/infisical
- vs dotenv-vault: https://env.slickspender.com/compare/dotenv-vault
- vs 1Password Secrets: https://env.slickspender.com/compare/1password-secrets
- vs HashiCorp Vault: https://env.slickspender.com/compare/hashicorp-vault
- Contact Us: https://env.slickspender.com/contact-us
- Badge: https://env.slickspender.com/badge/embed

## Documentation

- Docs Home: https://env.slickspender.com/docs
- Getting Started: https://env.slickspender.com/docs/getting-started
- CLI Reference: https://env.slickspender.com/docs/cli-reference
- Sync & Collaboration: https://env.slickspender.com/docs/sync
- Security: https://env.slickspender.com/docs/security
- Metadata Annotations: https://env.slickspender.com/docs/metadata
- Secret Scanner: https://env.slickspender.com/docs/scanner
- Git History Protection: https://env.slickspender.com/docs/git-protection
- AI Safety: https://env.slickspender.com/docs/ai-safety

## Blog

- Blog Home: https://env.slickspender.com/blog
- Why We Built SlickEnv: https://env.slickspender.com/blog/why-we-built-slickenv
- Stop Sharing Secrets on Slack: https://env.slickspender.com/blog/stop-sharing-secrets-on-slack
- Vibe Coding, AI Agents, and the .env Files Nobody Checks: https://env.slickspender.com/blog/vibe-coding-env-security
- Your Code is Versioned. Your Secrets Aren't.: https://env.slickspender.com/blog/versioned-environment-variables
- Everyone's a Developer Now. Nobody's Managing the Secrets.: https://env.slickspender.com/blog/non-developers-env-crisis
- The Practical Guide to Environment Variable Management for Teams: https://env.slickspender.com/blog/env-management-guide-for-teams
- You Gave Your AI Agent Full Access. Did You Think About Your .env?: https://env.slickspender.com/blog/ai-coding-agents-env-risks
- Securing Your .env in the Age of Autonomous Code Agents: https://env.slickspender.com/blog/securing-env-files-in-agentic-era
- SlickEnv vs Doppler vs dotenv-vault: https://env.slickspender.com/blog/slickenv-vs-doppler-dotenv-vault
- 12 Million .env Files Were Exposed: https://env.slickspender.com/blog/12-million-exposed-env-files
- We Found Stripe Keys in Our Git History: https://env.slickspender.com/blog/we-found-stripe-keys-in-git-history
- Your AI Coding Tool Can Read Your .env File: https://env.slickspender.com/blog/ai-tools-can-read-your-env-file
- One Commit From 8 Months Ago Still Has Your Production Key: https://env.slickspender.com/blog/secrets-committed-to-git
- Why Your .env File Needs a Linter: https://env.slickspender.com/blog/env-linter-why-it-matters
- MCP Config Files Are the New .env: https://env.slickspender.com/blog/mcp-config-security
- The One Git Hook Every Developer Should Install: https://env.slickspender.com/blog/pre-commit-hooks-for-secrets
- How to Rotate Production Secrets Without Downtime: https://env.slickspender.com/blog/zero-downtime-secret-rotation
- How CI/CD Pipelines Leak Secrets: https://env.slickspender.com/blog/github-actions-secrets-leak

## External Links

- GitHub: https://github.com/SlickSpender/slickenv
- npm: https://www.npmjs.com/package/slickenv
- RSS Feed: https://env.slickspender.com/feed.xml

## Legal

- Terms of Service: https://env.slickspender.com/legal/terms
- Privacy Policy: https://env.slickspender.com/legal/privacy

## Security Model

- Client-side AES-256-GCM encryption — server stores only ciphertext
- Keys derived per-user per-project using PBKDF2
- Auth via Clerk OAuth with JWT tokens
- TLS in transit, encrypted at rest
- Private variables are never exposed in plaintext outside the CLI
- Pre-commit hook blocks secrets before they enter git history
- AI ignore files prevent AI tools from reading .env and secret files