Conflict Resolved: Add .env file to suspicious files list #266 #269 Merged #277

@zfLQ2qx2

Description

@tomoyamachi What is the justification for this change? All of my Next.js developers are saying that the usage of .env is a very common practice and they are annoyed that dockle is flagging this.

Is this another issue like the x509 public keys where we really need to be doing some sort of inspection rather than just flagging the existence of a file?

Or maybe I could also challenge you: why are you flagging just .env and not .env.*, which are also very common in Next.js environments?

.env.local – Loaded in all environments except when process.env.NODE_ENV is "test".
.env.development – Loaded only in development mode.
.env.production – Loaded only in production mode.
.env.test – Loaded only in test mode.

I think the only real valid test would be to look into the env files and look for common secret patterns.
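As an added example (not dockle's code and not posted in the thread), a content check along the lines the comment proposes: it applies to .env and the .env.* variants listed above and reports an entry only when its value looks like a real secret. The key-name list, the placeholder patterns, the entropy threshold and the sample file are all assumptions to tune per project.

```python
import math
import re

ENV_FILENAME = re.compile(r"^\.env(\.[A-Za-z0-9_-]+)*$")  # .env, .env.local, .env.production, ...
SECRET_KEY_HINT = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|API_?KEY|PRIVATE_KEY", re.I)  # credential-ish key names
PLACEHOLDER = re.compile(r"^(|changeme|x{3,}|<[^>]*>|\$\{?[A-Z_][A-Z0-9_]*\}?|your[-_].*)$", re.I)  # not a real secret
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")  # long and free of URL/path punctuation
URL_CREDENTIAL = re.compile(r"://[^/:@\s]+:[^@\s]+@")  # user:password@ inside a connection URL
ENTROPY_THRESHOLD = 3.5  # bits per character; random hex/base64 sits above it, prose mostly below

def shannon_entropy(value):
    # Bits per character: 0.0 for one repeated character, log2(len) when all characters differ.
    return -sum(c / len(value) * math.log2(c / len(value)) for c in (value.count(ch) for ch in set(value)))

def parse_dotenv(text):
    # Minimal dotenv parser: skips comments and blank lines, drops an `export ` prefix.
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        env[re.sub(r"^export\s+", "", key)] = value
    return env

def find_secrets(path, text):
    # (key, reason) pairs for entries that look like real secrets; [] for non-dotenv filenames.
    if not ENV_FILENAME.match(path.rsplit("/", 1)[-1]):
        return []
    findings = []
    for key, value in parse_dotenv(text).items():
        if PLACEHOLDER.match(value):
            continue  # empty, placeholder or ${VAR} reference: nothing to leak
        if URL_CREDENTIAL.search(value):
            findings.append((key, "credentials embedded in URL"))
        elif SECRET_KEY_HINT.search(key) and len(value) >= 8:
            findings.append((key, "credential-like key with a value set"))
        elif TOKEN_SHAPE.match(value) and shannon_entropy(value) > ENTROPY_THRESHOLD:
            findings.append((key, "high-entropy token-shaped value"))
    return findings

# Constructed sample .env.production; every value is made up for this example.
SAMPLE = """\
NEXT_PUBLIC_API_URL=https://api.example.com
SMTP_PASSWORD=changeme
SESSION_SECRET=${SESSION_SECRET}
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
PAYMENTS_SECRET_KEY=pk_EXAMPLEabcdef0123456789
export AUTH_SEED=q7Rz2vXk9LmP4sTw8bNc1Yd6Fh3Gj5Ke
"""
```

Run against the sample, the public URL, the placeholder and the `${VAR}` reference pass quietly while the three entries that actually carry a credential are reported.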
