We can't read your secrets. By design.

Your environment variables contain API keys, database credentials, and payment secrets. We designed SlickEnv so even we cannot read them.

Encryption is the foundation, not a feature

Every variable is encrypted with AES-256-GCM before it leaves your machine. The server stores ciphertext. Keys are derived client-side. This is not marketing language. It means a database breach exposes nothing useful.

What we protect

  • Encryption at rest. All stored variables are encrypted with AES-256-GCM. Encryption keys are managed per-project and never stored alongside encrypted data.
  • Encryption in transit. Every API call uses TLS 1.3. No data leaves your machine unencrypted.
  • No plaintext storage. Secrets are never written to disk, logs, or caches in plaintext. Not on our servers, and not by the CLI.
  • CLI output masking. Variables marked as sensitive are automatically masked in all CLI output. You will never accidentally leak a secret in a terminal screenshot.
  • Authentication. OAuth 2.0 via GitHub or Google. Credentials are stored in your system keychain, not in a config file.
  • Access control. Per-project, per-environment role-based access. You control who can read, write, or admin each environment.
  • Audit trail. Every push, pull, share, and rollback is logged with a timestamp and user identity.

Secret Scanner

SlickEnv ships a 53-pattern secret detection engine that scans files, git history, MCP config files, and AI-generated code. It detects AWS access keys, Stripe secret keys, GitHub tokens, OpenAI keys, Anthropic keys, JWT tokens, database connection strings, PEM private keys, and over 40 more patterns.

Every scan produces a security score from 0–100. Findings are categorised by severity: critical, high, medium, and info. The --ci flag exits with code 1 on critical or high findings, making it easy to block deployments in CI pipelines.

$ slickenv scan --files --git --mcp

  ✗ STRIPE_SECRET_KEY   stripe_live_key  (critical)  .env:3
  ✗ AWS_SECRET_KEY      found in 3 commits            git history

  Score: 41/100  —  2 critical, 0 high
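
The following is an added example, not SlickEnv's own code: a minimal pattern-based scanner showing how matching, severity, masked reporting, and the --ci exit code described above fit together. The rule names, regexes (publicly documented token shapes), severity assignments, and sample values are assumptions made for illustration.

```python
import re

# Illustrative rules only: publicly documented token shapes, not SlickEnv's
# own 53 patterns. Severity assignments are assumptions for this example.
RULES = [
    ("aws_access_key_id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_live_key", "critical", re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b")),
    ("github_pat", "high", re.compile(r"\bghp_[0-9A-Za-z]{36}\b")),
    ("pem_private_key", "critical", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("jwt", "medium", re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}")),
]
BLOCKING = {"critical", "high"}


def mask(value, keep=4):
    """Show only a short prefix so the report itself never leaks the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path, text):
    """Return one finding per match: rule, severity, location, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append({"rule": rule, "severity": severity,
                                 "where": f"{path}:{lineno}",
                                 "masked": mask(m.group(0))})
    return findings


def ci_exit_code(findings):
    """Mirror the --ci behaviour described above: 1 on critical or high."""
    return 1 if any(f["severity"] in BLOCKING for f in findings) else 0


# Constructed sample input; the values are built from filler, not real keys.
SAMPLE_ENV = "\n".join([
    "APP_NAME=demo",
    "STRIPE_SECRET_KEY=" + "sk_live_" + "0" * 24,
    "AWS_ACCESS_KEY_ID=" + "AKIA" + "EXAMPLE0" * 2,
    "SESSION=" + ".".join(["eyJ" + "a" * 10, "b" * 12, "c" * 12]),
])

if __name__ == "__main__":
    results = scan_text(".env", SAMPLE_ENV)
    for f in results:
        print(f"{f['rule']:<18} {f['severity']:<9} {f['where']:<8} {f['masked']}")
    raise SystemExit(ci_exit_code(results))
```

The medium-severity JWT finding is reported but does not fail the run on its own; only critical and high findings set the exit code.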

Git History Protection

Deleting a file from git doesn't delete it from history. A secret committed and immediately removed is still present in every clone of your repository. SlickEnv's git protection layer addresses this in three steps:

  • Scan. slickenv git scan searches every commit across all branches for all 53 patterns.
  • Clean. slickenv git clean guides you through BFG Repo-Cleaner to permanently rewrite history.
  • Block. slickenv git protect installs a pre-commit hook that prevents secrets from ever entering git history again.

AI Tool Protection

Modern AI coding assistants — Cursor, Claude Code, GitHub Copilot, Windsurf, Continue.dev — index your project files to provide context-aware suggestions. By default, this includes your .env file and any file containing credentials. slickenv ai protect generates four ignore files in one command:

  • .cursorignore — Cursor
  • .claudeignore — Claude Code
  • .copilotignore — GitHub Copilot
  • .aiexclude — Windsurf, Continue.dev, and others

For maximum protection, the slickenv:// reference system lets you use placeholder references in your code and config files instead of real values. slickenv run resolves them at runtime — the real values exist only in the child process memory and are never written to disk or logged.

What we don't do

  • We do not read, analyse, or process your environment variables.
  • We do not sell, share, or monetise your data in any way.
  • We do not store your authentication credentials on our servers.
  • We do not log the contents of your .env files. We only log metadata like variable count and version number.
  • We do not require broad permissions. The CLI only accesses the files and directories you explicitly initialise.

Responsible disclosure

If you discover a security vulnerability in SlickEnv, please report it responsibly. We take all reports seriously and will respond within 48 hours.

Email: hello@slickspender.com

Please include a detailed description of the vulnerability, steps to reproduce, and any relevant logs or screenshots. We will acknowledge receipt within 48 hours, provide an initial assessment within 5 business days, and keep you informed of our progress toward a fix.

Read the full technical breakdown.