
envscan for Kubernetes

A Pod whose code reads process.env.DATABASE_URL crashes at runtime if that variable isn't in your ConfigMap or Secret, not at build time and not at deploy time. envscan finds every process.env reference in your source and flags the ones missing from .env.example, before kubectl apply.

$ envscan scan .
Found 11 environment variables:
  DATABASE_URL     type: url     src/db.ts:12
  PORT             type: number  src/server.ts:5
  JWT_SECRET       type: secret  src/auth.ts:8
  REDIS_URL        type: url     src/cache.ts:3
  K8S_NAMESPACE    type: string  src/metrics.ts:21
  NODE_ENV         type: string  src/config.ts:2
  SMTP_HOST        type: string  src/mailer.ts:15
  SMTP_PORT        type: number  src/mailer.ts:16
  SENTRY_DSN       type: url     src/errors.ts:4
  API_RATE_LIMIT   type: number  src/middleware.ts:9
  LOG_LEVEL        type: string  src/logger.ts:7

Missing from .env.example: JWT_SECRET, REDIS_URL, SENTRY_DSN (3/11 undocumented)
Exit code: 1

Why Kubernetes deployments break on missing env vars

In Kubernetes, env vars come from multiple places: env: blocks in pod specs, envFrom: configMapRef, envFrom: secretRef, and values injected by the cluster itself. Nothing keeps these sources in sync with the variables your Node.js code reads from process.env.

When a required var is missing from a ConfigMap or Secret, the Pod starts, hits the missing var at runtime, and crashes — CrashLoopBackOff. The error is often a null reference or "Cannot read properties of undefined", not "missing env var".

The fix is preventing the mismatch: your code, your ConfigMap, and your .env.example should list the same vars. envscan scans source to build the authoritative list.

Add envscan scan . --fail-on-undocumented to your CI pipeline and fail fast before any image is built.

What envscan finds

Source file scanning

Parses every .js and .ts file for process.env.VAR_NAME references. Infers type from naming conventions: _PORT → number, _SECRET / _KEY / _TOKEN → secret (redacted in .env.example), _URL → url, everything else → string.

.env.example generation

Generates a documented .env.example with a comment for each var showing which file and line uses it. Secret vars are redacted (JWT_SECRET=***). Run it once to create the file, then in CI to verify new vars are documented.

CI exit code

Returns exit code 1 when undocumented vars are found. Wire into your Dockerfile build or CI pipeline — if a developer adds process.env.NEW_SECRET without updating .env.example, the build fails with a clear diff.
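
The scan-and-compare check described in this section, sketched as an added example; it is not envscan's source code. The function names, sample files and ConfigMap key list are constructed for illustration, matching a bare PORT as a number is an assumption, and the check that secret-typed names do not appear among ConfigMap keys goes one step beyond what the page describes.

```javascript
const ENV_REF = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([A-Za-z_]\w*)['"]\s*\])/g;

// Collect the first reference to each variable: name -> "file:line".
function findEnvRefs(files) {
  const refs = new Map();
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((text, i) => {
      for (const m of text.matchAll(ENV_REF)) {
        const name = m[1] || m[2];
        if (!refs.has(name)) refs.set(name, `${path}:${i + 1}`);
      }
    });
  }
  return refs;
}

// Type rules from the page; also matching a bare PORT/URL/... is an assumption.
function inferType(name) {
  if (/(^|_)PORT$/.test(name)) return 'number';
  if (/(^|_)(SECRET|KEY|TOKEN)$/.test(name)) return 'secret';
  if (/(^|_)URL$/.test(name)) return 'url';
  return 'string';
}

// Keys declared in a dotenv-style file; comment lines never match.
function parseEnvKeys(text) {
  const re = /^\s*(?:export\s+)?([A-Za-z_]\w*)\s*=/gm;
  return new Set([...text.matchAll(re)].map((m) => m[1]));
}

function audit(files, envExample, configMapKeys) {
  const refs = findEnvRefs(files);
  const documented = parseEnvKeys(envExample);
  const names = [...refs.keys()].sort();
  return {
    undocumented: names.filter((n) => !documented.has(n)),
    // Secret-typed names belong in a Secret, not in a ConfigMap.
    secretInConfigMap: names.filter((n) => inferType(n) === 'secret' && configMapKeys.includes(n)),
  };
}

// Constructed sample inputs (not from a real repository).
const sampleFiles = {
  'src/db.ts': 'const url = process.env.DATABASE_URL;\n',
  'src/auth.ts': "// auth\nconst key = process.env['JWT_SECRET'];\nconst port = process.env.PORT || 3000;\n",
};
const sampleEnvExample = '# documented vars\nDATABASE_URL=\nPORT=3000\n';
console.log(audit(sampleFiles, sampleEnvExample, ['PORT', 'JWT_SECRET']));
```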

Add it to your deployment pipeline

# .github/workflows/deploy.yml
name: Deploy
on: [push]
jobs:
  env-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Check env var documentation
        run: npx envscan scan . --fail-on-undocumented
      - name: Build and push image
        if: success()
        run: |
          docker build -t myapp:${{ github.sha }} .
          docker push myapp:${{ github.sha }}
      - name: Deploy to Kubernetes
        if: success()
        run: kubectl set image deployment/myapp myapp=myapp:${{ github.sha }}

envscan runs before the Docker build. If any process.env reference is missing from .env.example, the pipeline stops before the image is built and before the kubectl deploy step runs.

Join the waitlist

envscan is in development. Join the waitlist and we'll email you when it's ready. Free tier planned: scan unlimited repos, GitHub Actions CI check, ConfigMap diff output.
