Severity: low
CWE-1059

No .env.example File

Without a .env.example file, new contributors don't know what environment variables are required, leading to insecure workarounds like hardcoding values.

How It Works

When a developer clones your repo and can't find which env vars are needed, they either spend time reading the code to figure it out or hardcode values to make it work quickly. A .env.example that lists every required key (with placeholder values, never real ones) solves the documentation problem and reduces the temptation to hardcode.

Vulnerable Code

# BAD: no .env.example, so a developer has to guess what's needed
# .gitignore
.env
# No .env.example file is committed. A developer clones the repo, nothing
# works, and they hardcode DATABASE_URL in application code to get it running.
Secure Code

# GOOD: .env.example documents every required variable
# .env.example (committed to git, placeholder values only, never real secrets)
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
# NEXT_PUBLIC_ variables are embedded in the browser bundle by Next.js,
# so only non-secret values belong under that prefix
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
STRIPE_SECRET_KEY=sk_test_your_key_here
ANTHROPIC_API_KEY=sk-ant-your_key_here

Real-World Example

Studies of open-source repositories show that missing configuration documentation is one of the top reasons developers accidentally commit real secrets: they can't find a .env.example, so they paste real values directly into code.

How to Prevent It

  • Create a .env.example with every required key and a placeholder value describing what goes there
  • Keep .env.example updated whenever you add a new environment variable
  • Add a setup step to your README that tells developers to copy .env.example to .env and fill in the values
  • Consider using a tool like dotenv-safe that validates at startup that every key in .env.example is present in the environment
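The last two items can be enforced in code. The following is an added example, not code from the original page or from dotenv-safe: it parses .env.example to learn which keys the app needs, then reports keys that are missing from the environment or that still hold the placeholder copied from .env.example. The sample file contents and environment are constructed; at real startup you would pass fs.readFileSync('.env.example', 'utf8') and process.env.

```javascript
// Added example (not from the original page), in the spirit of dotenv-safe:
// report .env.example keys that are missing from the environment or unfilled.

// Parse dotenv-style text into { KEY: value }: skips blank lines and '#'
// comments, accepts an optional "export " prefix and single/double-quoted values.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue; // not KEY=value; dotenv parsers ignore such lines too
    let value = m[2].trim();
    const q = value[0];
    if ((q === '"' || q === "'") && value.length > 1 && value.endsWith(q)) {
      value = value.slice(1, -1);           // quoted: keep contents verbatim
    } else {
      value = value.replace(/\s+#.*$/, ''); // unquoted: drop a trailing comment
    }
    vars[m[1]] = value;
  }
  return vars;
}

// Compare the documented keys with the real environment. An empty value counts
// as missing; a value identical to the .env.example sample is an unfilled copy.
function checkEnv(exampleText, env) {
  const missing = [];
  const placeholder = [];
  for (const [key, sample] of Object.entries(parseDotenv(exampleText))) {
    const actual = env[key];
    if (actual === undefined || actual === '') missing.push(key);
    else if (sample !== '' && actual === sample) placeholder.push(key);
  }
  return { missing: missing.sort(), placeholder: placeholder.sort() };
}

// Constructed sample: this page's .env.example, and an environment that copied
// it but filled in only DATABASE_URL (STRIPE_SECRET_KEY was left empty).
const SAMPLE_EXAMPLE = `# .env.example (committed to git, no real values)
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
STRIPE_SECRET_KEY=sk_test_your_key_here   # use a test-mode key locally
export ANTHROPIC_API_KEY="sk-ant-your_key_here"`;
const SAMPLE_ENV = { // constructed; values are not real credentials
  DATABASE_URL: 'postgresql://app:example-pass@db.internal:5432/app',
  NEXT_PUBLIC_SUPABASE_URL: 'https://your-project.supabase.co', // unchanged
  STRIPE_SECRET_KEY: '' };
console.log(checkEnv(SAMPLE_EXAMPLE, SAMPLE_ENV));
```

Wire checkEnv into the app's entry point and refuse to start when either list is non-empty; the placeholder check catches the common case of a developer copying .env.example to .env and forgetting to fill it in.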

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
