EnvVar Shamer: Because Your API Key Deserves Public Humiliation
EnvVar Shamer detects secrets in your staged files and responds with public humiliation instead of silent rejection. Because sometimes, the only way to learn is through shame and mockery from your peers.
The Problem: Your Codebase Is Leakier Than a Sieve
Let's be honest—environment variables are the digital equivalent of that junk drawer in your kitchen. You throw everything in there: API keys, database passwords, third-party tokens, that one weird credential from a service you signed up for in 2018 and promptly forgot about. And just like that junk drawer, occasionally something important falls out and embarrasses you in front of company.
The traditional approach to this problem involves pre-commit hooks that silently reject your commit. It's like having a polite butler whisper, "Pardon me, sir, but you appear to have left your production database credentials in this file." Nice, but forgettable. You'll just bypass it with --no-verify and tell yourself you'll clean it up later (you won't).
What we need isn't more polite suggestions—we need public shaming. The kind of social pressure that makes you triple-check your code before hitting enter. The kind that makes your teammates mock you mercilessly in Slack. The kind that plays a sad trombone sound when you try to commit your AWS credentials for the third time this week.
The Solution: Public Humiliation as a Service
I built EnvVar Shamer because sometimes the stick works better than the carrot. Instead of quietly preventing you from making mistakes, it makes those mistakes so embarrassing that you'll never make them again.
Here's how it works: when you try to commit code, EnvVar Shamer scans your staged files for patterns that look like secrets—API keys (those lovely 32-character hexadecimal strings), passwords, tokens, and other digital valuables you really shouldn't be sharing with the world. If it finds something suspicious, it doesn't just stop you. Oh no. That would be too easy.
Instead, it generates alternative commit messages that range from mildly embarrassing to career-limiting. It can optionally post mock security breach notifications to your team's chat. It can even play shame sound effects. The goal isn't to be mean—it's to create the kind of memorable learning experience that actually changes behavior.
How to Use It (Prepare for Humiliation)
Installation is straightforward, much like setting up your own public stocks in the town square:
# Clone the repository
$ git clone https://github.com/BoopyCode/env-var-shamer-1768169873
# Install dependencies
$ npm install
# Set up the git hook
$ ./setup-hook.sh
Once installed, try committing something you shouldn't:
$ git add config.js # Contains: API_KEY="sk_live_1234567890abcdef"
$ git commit -m "Update config"
Instead of your boring commit message, you might get:
🚨 SECURITY BREACH ATTEMPT 🚨
User: you@company.com
Attempted to commit: Stripe live secret key
Suggested commit message: "Giving away company money for free"
Commit blocked. Your shame has been logged.
Check out the full source code on GitHub to see how the detection logic works. Here's a snippet from the main detection module:
// From detector.js - the heart of the shame
// Human-readable labels, one per pattern below (same index order)
const SECRET_TYPES = [
  'Generic API key',
  'Stripe live secret key',
  'AWS access key',
  'GitHub token',
  'Plaintext password'
];
const SECRET_PATTERNS = [
  /[A-Za-z0-9]{32}/,                    // Generic API keys
  /sk_live_[A-Za-z0-9]{24}/,            // Stripe live keys
  /AKIA[0-9A-Z]{16}/,                   // AWS access keys
  /[A-Za-z0-9\-_]{40}/,                 // GitHub tokens
  /password\s*[:=]\s*['"][^'"]+['"]/i   // Plaintext passwords
];
// Returns the label of every pattern that matches somewhere in `content`
function detectSecrets(content) {
  const violations = [];
  SECRET_PATTERNS.forEach((pattern, index) => {
    if (pattern.test(content)) {
      violations.push(SECRET_TYPES[index]);
    }
  });
  return violations;
}
module.exports = { detectSecrets, SECRET_PATTERNS, SECRET_TYPES };
Key Features (Your Shame Checklist)
- Detects common secret patterns: API keys, passwords, tokens, and other digital valuables in staged files. It's like a bloodhound for your security mistakes.
- Generates humiliating alternative commit messages: Instead of "Fixed bug," you get "Committed company bankruptcy to version control."
- Optionally posts mock 'security breach' notifications: Configure it to announce your failures in Slack, Teams, or whatever chat app your team uses to judge you.
- Can be configured to play shame sound effects: The sad trombone, the Price Is Right losing horn, or a custom audio file of your choice.
- Customizable shame levels: From "gentle reminder" to "career-ending public spectacle."
- Team leaderboard: Optional feature to track who's most likely to get the company hacked (great for sprint retrospectives!).
Conclusion: Embrace the Shame
EnvVar Shamer isn't just another pre-commit hook—it's a behavioral modification tool disguised as a developer utility. By making security failures socially costly, it creates the kind of institutional memory that actually prevents breaches. Plus, it's way more fun than reading another boring security policy document.
The truth is, we all make mistakes. The difference between junior and senior developers isn't that seniors don't make errors—it's that seniors have been publicly shamed enough times to develop good habits. EnvVar Shamer just accelerates that process.
So go ahead—try it out. Install it on your team's repositories. Configure it to post to your team channel. Set the shame sound to something truly embarrassing. Your future self (and your company's security team) will thank you.
Remember: it's not public humiliation if it prevents a data breach. It's just... aggressive mentoring.