Stop Secrets
Before They
Leave Your Process
envtrap is a zero-configuration runtime agent that intercepts, blocks, and flags accidental secret exfiltration across network, DNS, logs, and subprocesses — before a single byte leaves your machine.
Used by engineers at
Engineered for
Process Isolation
Five monitoring channels. One prefix command. Complete runtime visibility into every byte leaving your process.
Real-Time Secret Interception
Hooks Node.js at the ESM/CJS loader level. Every outbound call is scanned against your secret registry in microseconds — before the OS socket is opened.
RAM-Only Certificate Authority
Generates an ephemeral 2048-bit RSA Root CA entirely in memory. The private key never touches disk.
Zero Code Instrumentation
No SDK imports. No code modifications. Prefix your start command and you are protected immediately.
100% Local Execution
All scans happen inside your process. No telemetry, no external API calls, no cloud dependency.
AI-Safe Hashed Reports
Incidents emit non-reversible SHA-256 hashes — safe for Claude Code, Copilot CLI, and CI log aggregators.
Why Existing
Tools Fall Short
Static analysis scanners operate on source code at rest. envtrap monitors your runtime — where leaks actually happen.
Five Runtime
Attack Surfaces
Each channel represents a distinct exfiltration vector. envtrap covers all of them simultaneously.
Deep Runtime Interception
envtrap hooks at the lowest boundary of your runtime — before syscalls, before sockets, before DNS resolvers see a single query.
Works Everywhere
You Deploy
Drop envtrap into any pipeline with a single line change. Read the full docs
name: envtrap Security Audit
on: [push, pull_request]
jobs:
envtrap-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- name: Run tests under envtrap
run: npx envtrap run npm testAI-Safe by Design
Secrets are never logged raw. Non-reversible SHA-256 hashes keep incident logs safe for AI code assistants and copilots.
Machine Readable Reports
Structured JSON incidents include secret type, channel, hash, destination context, and timestamp for automated remediation.
Policy Configuration
Fine-tune behavior per channel — block, warn, or off — and whitelist trusted domains in an envtrap.json at your project root.
Up and Running
in 30 Seconds
Install globally or add as a dev dependency. No configuration required. Full documentation
Configuration is entirely optional. Without envtrap.json, all channels default to block mode.
Technical
FAQ
Deep answers on how envtrap operates at the runtime and network layers.
No measurable latency on hot paths. The ESM/CJS loader hooks execute once at module-load time. The HTTPS proxy operates as an in-memory loopback, adding less than 0.8ms of routing overhead per request — well under typical network round-trip times.
envtrap generates a 2048-bit RSA Root CA entirely in RAM on startup, outputs the public certificate to a temp path, and sets NODE_EXTRA_CA_CERTS. The Node.js runtime trusts the local proxy. The private key is never written to disk and is garbage-collected when the process exits.
No. envtrap overrides the native net, tls, and http modules at the loader level. Any socket opened via net.connect, net.createConnection, or raw Socket instances is routed through the interception layer. Raw TCP egress containing a known secret is destroyed before the first byte is acknowledged.
All Node.js applications on v18.0.0 or later. This includes Express, Fastify, NestJS, Next.js (server-side), Hono, and custom HTTP servers. Both CommonJS require() and modern ECMAScript Module import() graphs are intercepted.
The exfiltration is permitted to proceed but a structured JSON incident record is written to stdout with a non-reversible hash of the secret value, the destination host, the channel (network/dns/subprocess), and a UTC timestamp. No raw secret is ever logged.
Secrets should never
leave your process.
Monitor. Detect. Block — before the network sees them.