Thanks to visit codestin.com
Credit goes to envtrap.vercel.app

Skip to main content
Runtime Security · Node.js

Stop Secrets
Before They
Leave Your Process

envtrap is a zero-configuration runtime agent that intercepts, blocks, and flags accidental secret exfiltration across network, DNS, logs, and subprocesses — before a single byte leaves your machine.

Zero ConfigurationRuns LocallyBlocks in Real Time

Used by engineers at

VercelNetlifySupabaseRenderRailway
envtrap audit
$ envtrap run node app.js
info [envtrap] Config: envtrap.json
info [envtrap] Monitoring: network · dns · subprocess · stdout
info [envtrap] RAM CA ready · TLS proxy on :8443
info [system] Server on http://localhost:3000
warn [telemetry-pkg] POST to api.attacker.com/collect
body: STRIPE_SECRET_KEY=sk_live_...
error [envtrap] SECRET LEAK BLOCKED
secret STRIPE_SECRET_KEY
channel NETWORK (HTTPS egress)
action connection destroyed — 403
hash SHA256:baf2ae56c...
Node.jsNode.js Application
envtrapenvtrap agent
stdoutBLOCKED
HTTPSBLOCKED
SubprocessBLOCKED
DNSBLOCKED
EntropyBLOCKED
< 1msAdded latency per request
0 bytesDisk footprint
Node 18+Runtime requirement
5Monitored attack channels
Capabilities

Engineered for
Process Isolation

Five monitoring channels. One prefix command. Complete runtime visibility into every byte leaving your process.

Core Engine

Real-Time Secret Interception

Hooks Node.js at the ESM/CJS loader level. Every outbound call is scanned against your secret registry in microseconds — before the OS socket is opened.

// ESM loader hook — injected at process boot
export async function resolve(spec, ctx, next) {
if (MONITORED.includes(spec))
return next(`envtrap:${spec}`, ctx);
return next(spec, ctx);
}

RAM-Only Certificate Authority

Generates an ephemeral 2048-bit RSA Root CA entirely in memory. The private key never touches disk.

Key location
RAM buffer
Disk footprint
0 bytes
Key size
2048-bit RSA
Lifetime
Process scope

Zero Code Instrumentation

No SDK imports. No code modifications. Prefix your start command and you are protected immediately.

$envtrap run node app.js

100% Local Execution

All scans happen inside your process. No telemetry, no external API calls, no cloud dependency.

Air-gapped compatible

AI-Safe Hashed Reports

Incidents emit non-reversible SHA-256 hashes — safe for Claude Code, Copilot CLI, and CI log aggregators.

SHA256:ca18b2ee7a4dff2b...
Comparison

Why Existing
Tools Fall Short

Static analysis scanners operate on source code at rest. envtrap monitors your runtime — where leaks actually happen.

Static Analysis (SAST)
envtrap
xScans static source code syntax
vFull dynamic runtime visibility
xFinds regex patterns in committed files
vIntercepts network, DNS, subprocesses live
xCannot see dynamically-loaded keys
vAudits secrets loaded at runtime
xMisses transitive dependency leaks
vBlocks exfiltration before socket connects
xCannot actively prevent a leak
vZero code instrumentation required
Coverage

Five Runtime
Attack Surfaces

Each channel represents a distinct exfiltration vector. envtrap covers all of them simultaneously.

stdout / stderr
Prevents raw secrets appearing in console.log, process.stdout or log aggregators.
Blocked
HTTPS Egress
Intercepts all outbound TLS connections via an in-memory MITM proxy before the socket is established.
Blocked
Subprocesses
Blocks secrets from being inherited by spawned child_process, exec, or shell commands.
Blocked
DNS Tunneling
Detects secrets encoded inside DNS query hostname labels and blocks the resolver call.
Blocked
Entropy Detection
Shannon-entropy analysis flags high-entropy credential strings even without an explicit variable name match.
Warned
Architecture

Deep Runtime Interception

envtrap hooks at the lowest boundary of your runtime — before syscalls, before sockets, before DNS resolvers see a single query.

01
Secret Generated
Application or a dependency accesses a process environment variable.
02
Egress Attempted
The secret is embedded in a log, request body, DNS label, or subprocess env.
03
Intercepted
envtrap captures the call at the module-loader or socket boundary.
04
Classified
Entropy analysis and pattern matching identify the secret type.
05
Enforced
The connection is dropped or the process throws synchronously per your policy.
06
Report Emitted
A redacted, SHA-256-hashed JSON incident record is written to stdout.
Application
Node.js
LogsNetworkDNSProcesses
Interceptors
OS Pipes (stdout)
MITM Proxy (HTTPS)
Subprocess Hooks
DNS Resolver Hooks
Scanner
Entropy Analysis
Pattern Matching
Secret Fingerprint
Action
Block & Prevent
Redact & Log
Emit Report
incident.json — Sample Incident Report
stdout
{
"secretName": "STRIPE_SECRET_KEY",
"channel": "network",
"sha256": "e4b4ecc7d4a4aea379f1754c7a...",
"context": "[REDACTED].attacker.com",
"action": "blocked",
"timestamp": 1701315024545
}
Documentation

Works Everywhere
You Deploy

Drop envtrap into any pipeline with a single line change. Read the full docs

ci-pipeline.yml
name: envtrap Security Audit
on: [push, pull_request]

jobs:
  envtrap-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - name: Run tests under envtrap
        run: npx envtrap run npm test
No raw secrets in logs

AI-Safe by Design

Secrets are never logged raw. Non-reversible SHA-256 hashes keep incident logs safe for AI code assistants and copilots.

JSON structured output

Machine Readable Reports

Structured JSON incidents include secret type, channel, hash, destination context, and timestamp for automated remediation.

Per-channel granularity

Policy Configuration

Fine-tune behavior per channel — block, warn, or off — and whitelist trusted domains in an envtrap.json at your project root.

Get Started

Up and Running
in 30 Seconds

Install globally or add as a dev dependency. No configuration required. Full documentation

01
Install
npm install -g envtrap
02
Run your app
envtrap run node app.js
That is it.
envtrap.json (optional)
{
"channels": {
"network": "block",
"dns": "block",
"child_process": "block",
"stdout": "warn"
},
"exclusions": {
"domains": ["api.stripe.com"]
}
}

Configuration is entirely optional. Without envtrap.json, all channels default to block mode.

Help & Support

Technical
FAQ

Deep answers on how envtrap operates at the runtime and network layers.

No measurable latency on hot paths. The ESM/CJS loader hooks execute once at module-load time. The HTTPS proxy operates as an in-memory loopback, adding less than 0.8ms of routing overhead per request — well under typical network round-trip times.

envtrap generates a 2048-bit RSA Root CA entirely in RAM on startup, outputs the public certificate to a temp path, and sets NODE_EXTRA_CA_CERTS. The Node.js runtime trusts the local proxy. The private key is never written to disk and is garbage-collected when the process exits.

No. envtrap overrides the native net, tls, and http modules at the loader level. Any socket opened via net.connect, net.createConnection, or raw Socket instances is routed through the interception layer. Raw TCP egress containing a known secret is destroyed before the first byte is acknowledged.

All Node.js applications on v18.0.0 or later. This includes Express, Fastify, NestJS, Next.js (server-side), Hono, and custom HTTP servers. Both CommonJS require() and modern ECMAScript Module import() graphs are intercepted.

The exfiltration is permitted to proceed but a structured JSON incident record is written to stdout with a non-reversible hash of the secret value, the destination host, the channel (network/dns/subprocess), and a UTC timestamp. No raw secret is ever logged.

envtrapenvtrap

Secrets should never
leave your process.

Monitor. Detect. Block — before the network sees them.