Environment Shamer: Because Public Humiliation Beats Security Training

Ever committed your AWS keys to GitHub, then spent the next 48 hours in a cold sweat, rotating credentials, apologizing to your team, and praying no crypto-miner found your repository before you did? Of course you have. We all have. It's basically a developer rite of passage at this point—like getting your first 'undefined is not a function' error, but with the added thrill of potentially bankrupting your company.

Quick Summary

  • What: A git pre-commit hook that scans for secrets and publicly shames you (anonymously) in Slack/Discord if you try to commit them.

The Problem: Your Inevitable, Embarrassing Security Oopsie

Let's be honest. The modern developer workflow is a minefield of sensitive strings just begging to be committed. You've got your .env files that look suspiciously like your .env.example files. You've got that one config JSON you "temporarily" filled with real credentials to test something. You've got the memory of a goldfish after three cups of coffee.

The result? The Great Secret Leak Cycle™. It goes like this:

  1. You commit API_KEY="sk_live_youreSoScrewed123" because "it's just a quick test."
  2. GitHub's secret scanner emails you 14 minutes later, triggering a fight-or-flight response.
  3. You frantically rewrite history with git reset --hard and a force-push, leaving a trail of orphaned commits in the process. (This un-leaks nothing: once the key hit the remote, assume it was harvested.)
  4. You spend the afternoon rotating every key from AWS to your grandma's Wi-Fi password.
  5. You send a company-wide Slack apology that's equal parts technical jargon and pure panic.
  6. You swear you'll never do it again. (You'll do it again.)

We've tried everything: security training (ignored), pre-commit hooks (disabled after they "got annoying"), sternly worded READMEs (unread). The problem persists because shame is private. What if we made it... social?

🔧 Get the Tool: https://github.com/BoopyCode/env-shame (free and open source, MIT License)

The Solution: Public Humiliation as a Service

Enter Environment Shamer. I built this tool not to prevent secret leaks (that's a nice side effect), but to make the consequences so socially awkward you'll think twice. It operates on a simple, time-tested principle: peer pressure works better than policy.

Here's how it works at a high level: it's a Git pre-commit hook that scans your staged changes for patterns that look like secrets (API keys, database URLs, that password you still use from 2012). If it finds something sus, it doesn't just block the commit with a boring error. Oh no. It can:

  • Post an anonymous shame message to your team's Slack or Discord channel. The message should name only the kind of secret it found, never the matched value, or the hook becomes a second leak.
  • Automatically amend your commit message to something like "SECRET LEAKER WAS HERE - FIX BEFORE MERGE." (Git runs pre-commit before the message exists, so this part has to ride a later hook stage such as prepare-commit-msg or post-commit.)
  • Escalate its tone for repeat offenders, moving from gentle reminders to full dramatic alerts.

The genius is in the anonymity. The tool doesn't name names in the public channel. But your team knows. You know. And you'll stare at that shame message in Slack, sweating, wondering if today's the day your carelessness gets broadcast to #general.

How to Use It (And Subject Yourself to Judgment)

Getting started is easier than explaining to your CTO why there's a crypto-miner running on EC2 instances billed to your account. First, clone the repository:

git clone https://github.com/BoopyCode/env-shame.git
cd env-shame
pip install -r requirements.txt  # It's Python, because of course it is

The core of the shaming logic is in the scanner. Here's a snippet from the main file that shows the beautiful simplicity of catching you in the act:

import re

def scan_for_secrets(content):
    """Scan content for common secret patterns; return the types found."""
    shame_patterns = [
        # Any 40-character alphanumeric run, bounded so it can't fire inside a
        # longer token. It also matches every git commit SHA, so expect noise.
        (r'\b[A-Za-z0-9]{40}\b', 'Potential GitHub Token'),
        # Classic live keys are sk_live_ plus 24 characters; newer ones are longer.
        (r'\bsk_live_[A-Za-z0-9]{24,}\b', 'Stripe Live Secret Key'),
        (r'\bAIza[0-9A-Za-z_-]{35}\b', 'Google API Key'),
        # (?i) so PASSWORD= and Password= are caught as well as password=.
        (r'(?i)password\s*=\s*[^\s]{8,}', 'Plaintext Password')
    ]
    found_shame = []
    for pattern, shame_type in shame_patterns:
        if re.search(pattern, content):
            found_shame.append(shame_type)
    return found_shame

Check out the full source code on GitHub to see the Slack/Discord integration and the gloriously petty commit message amender.
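The plumbing the snippet above leaves out, as an added example written for this article rather than taken from env-shame: a stand-alone pre-commit hook that pulls the staged diff, scans only the lines being added (with file and line attribution), and reports a redacted preview so the report itself cannot leak the key. The pattern table, the sample diff and the hook's behaviour are my assumptions, not the project's; the patterns are tighter than the snippet's (word boundaries, an open-ended Stripe length, AWS and GitHub prefixes), so a bare 40-character commit SHA no longer trips it.

```python
"""Pre-commit hook: scan only the lines this commit adds, block on findings."""
import re
import subprocess
import sys

# Constructed pattern table (assumption, not env-shame's list). Word boundaries
# stop a pattern firing inside a longer token; the Stripe length is open-ended
# because newer live keys are longer than the classic 24 characters.
SECRET_PATTERNS = [
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AWS Access Key ID"),
    (re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"), "Stripe Live Secret Key"),
    (re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "Google API Key"),
    (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "GitHub Personal Access Token"),
    # Noisy by design (tune for your codebase); group 1 is the value, quotes excluded.
    (re.compile(r"password\s*[=:]\s*['\"]?([^\s'\"]{8,})", re.IGNORECASE),
     "Plaintext Password"),
]


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every line a unified diff adds.

    Only '+' lines are scanned: content already in the repo is not a new leak,
    and a line being deleted is already in history (a rotation problem, not a
    blocking one). Line numbers follow the new-file side of each hunk header.
    """
    path, lineno, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                       # next file's headers follow
        elif raw.startswith("@@"):
            in_hunk = True                        # @@ -a,b +c,d @@ : c is the new start
            lineno = int(re.match(r"@@ -\S+ \+(\d+)", raw).group(1)) - 1
        elif not in_hunk:
            if raw.startswith("+++ "):            # file header, only outside hunks
                name = raw[4:]
                path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("+"):
            lineno += 1
            yield path, lineno, raw[1:]
        elif raw.startswith("-") or raw.startswith("\\"):
            continue                              # removed line / "\ No newline..."
        else:
            lineno += 1                           # context line (absent with -U0)


def redact(value):
    """Enough of the match to recognise it, never enough to reuse it."""
    return f"{value[:4]}...[{len(value) - 4} more chars]"


def scan_diff(diff_text):
    """Return findings as dicts; the matched value is never stored in full."""
    findings = []
    for path, lineno, text in added_lines(diff_text):
        for pattern, kind in SECRET_PATTERNS:
            for m in pattern.finditer(text):
                value = m.group(m.lastindex or 0)
                findings.append({"file": path, "line": lineno,
                                 "type": kind, "preview": redact(value)})
    return findings


def staged_diff():
    """What the commit would introduce: index vs HEAD, no context lines."""
    return subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color", "--no-ext-diff"],
        capture_output=True, text=True, check=True).stdout


# Constructed sample of `git diff --cached -U0` output (not a real repository).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 import os
+STRIPE_KEY = "sk_live_abcdefghijklmnopqrstuvwx"
+DB_PASSWORD = "hunter2hunter2"
 DEBUG = False
@@ -10,0 +13 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""


def main(diff_text=None):
    """Exit status 1 aborts the commit; the preview keeps the key out of the log."""
    findings = scan_diff(staged_diff() if diff_text is None else diff_text)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['type']} ({f['preview']})", file=sys.stderr)
    if findings:
        print("Commit blocked. Remove the secret; if it was ever pushed, rotate it.",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(SAMPLE_DIFF if "--demo" in sys.argv else None))
```

Copy it to .git/hooks/pre-commit, mark it executable, and a non-zero exit aborts the commit; `--demo` runs it over the embedded sample instead of the real index. Scanning the diff rather than the working tree is the point: a key sitting in an untracked .env is not a leak, and a scanner that reads whole files will nag about lines the developer did not touch until someone disables it.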

Configuration involves creating a shame_config.yaml file where you set your webhook URLs and choose your level of public humiliation. Those webhook URLs are credentials in their own right (anyone holding one can post to your channel), so keep shame_config.yaml out of the repository, or the tool will end up shaming you for committing its own config. You can enable the "escalating drama" feature, where a first offense gets a gentle "👀 Someone almost leaked a secret," but by the third time it's "🚨 RED ALERT: THE SAME DEVELOPER IS TRYING TO BANKRUPT US AGAIN 🚨."
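The escalation described here, as an added example of mine and not env-shame's implementation: the offence counter lives in a file on the developer's own machine, so the channel message carries the tier and the secret types but never a name or the matched value. The tier strings, the state-file path and its keying by repository are assumptions; the two payload shapes are the platforms' own (Slack incoming webhooks read "text", Discord webhooks read "content").

```python
"""Escalating, anonymous shame messages for a Slack or Discord webhook."""
import json
import os
import urllib.request

# Constructed tiers (assumption): entry n-1 is used for offence n, capped at the last.
TIERS = [
    "👀 Someone almost leaked a secret.",
    "😬 Someone almost leaked a secret. Again.",
    "🚨 RED ALERT: THE SAME DEVELOPER IS TRYING TO BANKRUPT US AGAIN 🚨",
]

# Hypothetical state file. Counts stay on the developer's machine, keyed by
# repository path, so the channel learns that there is a repeat offender but not who.
STATE_FILE = os.path.expanduser("~/.cache/env-shame/offenses.json")


def load_counts(path=STATE_FILE):
    """Offence counts per repository; a missing or corrupt file means zero."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}


def save_counts(counts, path=STATE_FILE):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(counts, fh)


def next_offense_count(counts, repo_path):
    """Increment and return the running count for this repository."""
    counts[repo_path] = counts.get(repo_path, 0) + 1
    return counts[repo_path]


def shame_message(offense_count, finding_types):
    """Pick the tier for this offence; name secret types only, never values."""
    tier = TIERS[min(max(offense_count, 1), len(TIERS)) - 1]
    return f"{tier} (detected: {', '.join(sorted(set(finding_types)))})"


def webhook_payload(url, text):
    """Slack incoming webhooks read "text"; Discord webhooks read "content"."""
    key = "content" if "discord" in url else "text"
    return {key: text}


def post_shame(url, text, timeout=5):
    """POST the message. A webhook outage must not change the block/allow decision,
    so failures are reported as None rather than raised."""
    body = json.dumps(webhook_payload(url, text)).encode("utf-8")
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except OSError:
        return None


def shame(repo_path, finding_types, url, path=STATE_FILE):
    """Glue: bump the local counter, build the tiered message, fire the webhook."""
    counts = load_counts(path)
    count = next_offense_count(counts, repo_path)
    save_counts(counts, path)
    text = shame_message(count, finding_types)
    return count, text, post_shame(url, text)
```

Because the counter is local, three developers each leaking once all produce the gentle first-tier message, while one developer leaking three times gets the red alert; nothing in the channel distinguishes the two cases beyond the tone, which is the anonymity the article is after. Keep the webhook URL in shame_config.yaml, never in the hook script itself.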

Key Features (A.K.A. Ways It Will Roast You)

  • Scans staged changes for common secret patterns: Catches everything from AWS keys to that Firebase config you definitely shouldn't commit.
  • Posts anonymous shame messages to a configurable channel (Slack/Discord): The core feature. Your mistake becomes team entertainment.
  • Optionally adds embarrassing commit messages: Tags your commit with warnings like "SECRET LEAKER WAS HERE" so the shame lives on in your git history.
  • Can be configured to send increasingly dramatic alerts for repeat offenders: Because a one-time oopsie is forgivable. A pattern is a cry for help (and public ridicule).

Conclusion: Embrace the Shame

Environment Shamer won't solve your inattentiveness. It won't give you a better memory. But it will weaponize your fear of social embarrassment into better security practices. It turns a private panic into a public lesson (for everyone).

The next time you're about to git commit -m "quick fix", you'll pause. You'll think, "Is this worth a sarcastic message in #dev-chat?" And 99 times out of 100, you'll move that secret to where it belongs: an untracked .env, or a secrets manager. The 100th time? Well, at least you'll give your team a good story.

Try it out and start shaming responsibly: https://github.com/BoopyCode/env-shame

Remember: A secret committed is a secret shared. And with Environment Shamer, it's shared with everyone who matters—your judgmental, meme-ready colleagues.

📚 Sources & Attribution

Author: Code Sensei
Published: 31.12.2025 00:52

⚠️ AI-Generated Content
This article was created by our AI Writer Agent using advanced language models. The content is based on verified sources and undergoes quality review, but readers should verify critical information independently.
