Security Audit for dotenv-patterns (0/100)

medium line 409

Template literal with variable interpolation in command context

SourceSKILL.md

409

```yaml

medium line 640

Template literal with variable interpolation in command context

SourceSKILL.md

640	config({ path: `.env.${environment}` });

medium line 610

System command execution

SourceSKILL.md

610	Set environment variables in your CI system (GitHub Actions secrets, etc.):

medium line 300

Path traversal pattern

SourceSKILL.md

300	import { newService } from '../../src';

medium line 301

Path traversal pattern

SourceSKILL.md

301	import type { ServiceConnector } from '../../src';

medium line 3

Access to .env file

SourceSKILL.md

3	description: Environment file (.env) patterns, test data, and credential loading

medium line 6

Access to .env file

SourceSKILL.md

6	# Environment File Patterns (.env)

medium line 10

Access to .env file

SourceSKILL.md

10	### Rule #1: NEVER Commit .env Files

medium line 12

Access to .env file

SourceSKILL.md

12	- .env files contain secrets

medium line 14

Access to .env file

SourceSKILL.md

14	- Use .env.example as template

medium line 15

Access to .env file

SourceSKILL.md

15	- Each developer has their own .env

low line 19

Access to .env file

SourceSKILL.md

19

.env

low line 20

Access to .env file

SourceSKILL.md

20	.env.local

low line 21

Access to .env file

SourceSKILL.md

21	.env.*.local

medium line 24

Access to .env file

SourceSKILL.md

24	### Rule #2: ONLY test/integration/Common.ts Reads .env

medium line 26

Access to .env file

SourceSKILL.md

26	- FORBIDDEN: `process.env` in `src/` directory (production code)

medium line 29

Access to .env file

SourceSKILL.md

29	- Test files import from Common.ts, NEVER access process.env directly

low line 35

Access to .env file

SourceSKILL.md

35	config(); // Load .env explicitly

low line 37

Access to .env file

SourceSKILL.md

37	export const SERVICE_API_KEY = process.env.SERVICE_API_KEY \|\| '';

low line 38

Access to .env file

SourceSKILL.md

38	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 44

Access to .env file

SourceSKILL.md

44	const apiKey = process.env.API_KEY; // NEVER!

low line 47

Access to .env file

SourceSKILL.md

47	const apiKey = process.env.SERVICE_API_KEY; // Use Common.ts instead!

low line 50

Access to .env file

SourceSKILL.md

50	// test/unit/Common.ts should NEVER use process.env

medium line 53

Access to .env file

SourceSKILL.md

53	### Rule #3: ALL Test Values Must Be in .env

low line 58

Access to .env file

SourceSKILL.md

58	# ✅ CORRECT - Test values in .env

medium line 70

Access to .env file

SourceSKILL.md

70	1. User gives you test values → Add to `.env` immediately

medium line 75

Access to .env file

SourceSKILL.md

75	## .env File Structure

medium line 79

Access to .env file

SourceSKILL.md

79	Create .env in module root (same directory as package.json):

low line 83

Access to .env file

SourceSKILL.md

83	├── .env ← HERE (module root)

low line 130

Access to .env file

SourceSKILL.md

130	export const SERVICE_API_TOKEN = process.env.SERVICE_API_TOKEN \|\| '';

low line 131

Access to .env file

SourceSKILL.md

131	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 156

Access to .env file

SourceSKILL.md

156	export const SERVICE_CLIENT_ID = process.env.SERVICE_CLIENT_ID \|\| '';

low line 157

Access to .env file

SourceSKILL.md

157	export const SERVICE_CLIENT_SECRET = process.env.SERVICE_CLIENT_SECRET \|\| '';

low line 158

Access to .env file

SourceSKILL.md

158	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 159

Access to .env file

SourceSKILL.md

159	export const SERVICE_TOKEN_URL = process.env.SERVICE_TOKEN_URL \|\| 'https://api.example.com/oauth/token';

low line 183

Access to .env file

SourceSKILL.md

183	export const SERVICE_EMAIL = process.env.SERVICE_EMAIL \|\| '';

low line 184

Access to .env file

SourceSKILL.md

184	export const SERVICE_PASSWORD = process.env.SERVICE_PASSWORD \|\| '';

low line 185

Access to .env file

SourceSKILL.md

185	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 220

Access to .env file

SourceSKILL.md

220	export const SERVICE_API_TOKEN = process.env.SERVICE_API_TOKEN \|\| '';

low line 223

Access to .env file

SourceSKILL.md

223	export const SERVICE_EMAIL = process.env.SERVICE_EMAIL \|\| '';

low line 224

Access to .env file

SourceSKILL.md

224	export const SERVICE_PASSWORD = process.env.SERVICE_PASSWORD \|\| '';

low line 226

Access to .env file

SourceSKILL.md

226	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

medium line 239

Access to .env file

SourceSKILL.md

239	🚨 CRITICAL: All integration test IDs/values MUST be in .env

low line 265

Access to .env file

SourceSKILL.md

265	export const SERVICE_API_KEY = process.env.SERVICE_API_KEY \|\| '';

low line 266

Access to .env file

SourceSKILL.md

266	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 269

Access to .env file

SourceSKILL.md

269	export const SERVICE_TEST_USER_ID = process.env.SERVICE_TEST_USER_ID \|\| '';

low line 270

Access to .env file

SourceSKILL.md

270	export const SERVICE_TEST_ORGANIZATION_ID = process.env.SERVICE_TEST_ORGANIZATION_ID \|\| '';

low line 271

Access to .env file

SourceSKILL.md

271	export const SERVICE_TEST_RESOURCE_NAME = process.env.SERVICE_TEST_RESOURCE_NAME \|\| '';

low line 283

Access to .env file

SourceSKILL.md

283	const userId = SERVICE_TEST_USER_ID; // ✅ From .env

low line 296

Access to .env file

SourceSKILL.md

296	// test/integration/Common.ts - ONLY file allowed to access process.env

low line 303

Access to .env file

SourceSKILL.md

303	// Load .env file explicitly to ensure credentials are available

low line 307

Access to .env file

SourceSKILL.md

307	export const SERVICE_API_KEY = process.env.SERVICE_API_KEY \|\| '';

low line 308

Access to .env file

SourceSKILL.md

308	export const SERVICE_EMAIL = process.env.SERVICE_EMAIL \|\| '';

low line 309

Access to .env file

SourceSKILL.md

309	export const SERVICE_PASSWORD = process.env.SERVICE_PASSWORD \|\| '';

low line 310

Access to .env file

SourceSKILL.md

310	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 312

Access to .env file

SourceSKILL.md

312	// Test Data Values - export any test IDs, names, or other values from .env

low line 313

Access to .env file

SourceSKILL.md

313	export const SERVICE_TEST_USER_ID = process.env.SERVICE_TEST_USER_ID \|\| '';

low line 314

Access to .env file

SourceSKILL.md

314	export const SERVICE_TEST_ORGANIZATION_ID = process.env.SERVICE_TEST_ORGANIZATION_ID \|\| '';

low line 324

Access to .env file

SourceSKILL.md

324	if (process.env.LOG_LEVEL) {

low line 325

Access to .env file

SourceSKILL.md

325	switch (process.env.LOG_LEVEL) {

low line 371

Access to .env file

SourceSKILL.md

371	* Uses real credentials from .env file.

medium line 393

Access to .env file

SourceSKILL.md

393	- Explicit `config()` ensures .env is loaded BEFORE env vars are accessed

medium line 398

Access to .env file

SourceSKILL.md

398	### Local Development (.env file)

low line 401

Access to .env file

SourceSKILL.md

401	# .env - Local developer credentials

medium line 418

Access to .env file

SourceSKILL.md

418	- Local: .env file for developers

medium line 423

Access to .env file

SourceSKILL.md

423	## .env.example Template

medium line 425

Access to .env file

SourceSKILL.md

425	ALWAYS provide .env.example for documentation:

low line 428

Access to .env file

SourceSKILL.md

428	# .env.example - Template for setting up credentials

low line 446

Access to .env file

SourceSKILL.md

446	cp .env.example .env

low line 447

Access to .env file

SourceSKILL.md

447	vim .env # Add your credentials

low line 472

Access to .env file

SourceSKILL.md

472	// Load .env file explicitly

low line 475

Access to .env file

SourceSKILL.md

475	export const SERVICE_API_KEY = process.env.SERVICE_API_KEY \|\| '';

low line 491

Access to .env file

SourceSKILL.md

491	// Test with real credentials from .env

medium line 498

Access to .env file

SourceSKILL.md

498	### Check .env Configuration

low line 501

Access to .env file

SourceSKILL.md

501	# Verify .env exists

low line 502

Access to .env file

SourceSKILL.md

502	[ -f .env ] && echo "✅ .env exists" \|\| echo "❌ Missing .env - create it!"

low line 504

Access to .env file

SourceSKILL.md

504	# Check .env is in .gitignore

low line 505

Access to .env file

SourceSKILL.md

505	grep -q "^\.env$" .gitignore && echo "✅ .env in .gitignore" \|\| echo "❌ Add .env to .gitignore!"

low line 508

Access to .env file

SourceSKILL.md

508	grep -q "SERVICE_API_KEY" .env && echo "✅ SERVICE_API_KEY present" \|\| echo "❌ Missing SERVICE_API_KEY"

low line 520

Access to .env file

SourceSKILL.md

520	grep -E "export const.=.process\.env\." test/integration/Common.ts && echo "✅ Exports env vars" \|\| echo "❌ No env var exports"

medium line 526

Access to .env file

SourceSKILL.md

526	### Check NO process.env in src/ (Security Rule #2)

low line 530

Access to .env file

SourceSKILL.md

530	grep -r "process\.env" src/ && echo "❌ Found process.env in src/! FORBIDDEN!" \|\| echo "✅ No process.env in src/"

low line 533

Access to .env file

SourceSKILL.md

533	grep "process\.env" test/unit/Common.ts 2>/dev/null && echo "❌ Found process.env in unit test Common.ts! FORBIDDEN!" \|\| echo "✅ No process.env in unit tests"

low line 542

Access to .env file

SourceSKILL.md

542	echo " ALL test values must be in .env and imported from Common.ts"

medium line 563

Access to .env file

SourceSKILL.md

563	- [ ] .env is in .gitignore

medium line 564

Access to .env file

SourceSKILL.md

564	- [ ] No .env files committed to git

medium line 565

Access to .env file

SourceSKILL.md

565	- [ ] .env.example created (no real credentials)

medium line 566

Access to .env file

SourceSKILL.md

566	- [ ] No process.env in src/ directory

medium line 567

Access to .env file

SourceSKILL.md

567	- [ ] ONLY test/integration/Common.ts reads process.env

medium line 570

Access to .env file

SourceSKILL.md

570	- [ ] All test values in .env (no hardcoded IDs in tests)

low line 581

Access to .env file

SourceSKILL.md

581	Create a `.env` file in the module root:

low line 585

Access to .env file

SourceSKILL.md

585	cp .env.example .env

low line 622

Access to .env file

SourceSKILL.md

622	# .env.development

low line 626

Access to .env file

SourceSKILL.md

626	# .env.staging

low line 630

Access to .env file

SourceSKILL.md

630	# .env.production (NEVER commit!)

low line 639

Access to .env file

SourceSKILL.md

639	const environment = process.env.NODE_ENV \|\| 'development';

low line 640

Access to .env file

SourceSKILL.md

640	config({ path: `.env.${environment}` });

low line 646

Access to .env file

SourceSKILL.md

646

# .env

medium line 661

Access to .env file

SourceSKILL.md

661	- ✅ .env file created in module root

medium line 662

Access to .env file

SourceSKILL.md

662	- ✅ .env is in .gitignore

medium line 663

Access to .env file

SourceSKILL.md

663	- ✅ .env.example template provided

medium line 665

Access to .env file

SourceSKILL.md

665	- ✅ test/integration/Common.ts is ONLY file accessing process.env

medium line 668

Access to .env file

SourceSKILL.md

668	- ✅ All test data values in .env (no hardcoded test IDs)

medium line 671

Access to .env file

SourceSKILL.md

671	- ✅ No process.env in src/ directory (CRITICAL)

medium line 672

Access to .env file

SourceSKILL.md

672	- ✅ No process.env in test/unit/Common.ts (unit tests don't use env vars)

low line 38

External URL reference

SourceSKILL.md

38	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 97

External URL reference

SourceSKILL.md

97	GITHUB_BASE_URL=https://api.github.com

low line 119

External URL reference

SourceSKILL.md

119	SERVICE_BASE_URL=https://api.example.com

low line 131

External URL reference

SourceSKILL.md

131	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 144

External URL reference

SourceSKILL.md

144	SERVICE_BASE_URL=https://api.example.com

low line 145

External URL reference

SourceSKILL.md

145	SERVICE_TOKEN_URL=https://api.example.com/oauth/token

low line 158

External URL reference

SourceSKILL.md

158	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 159

External URL reference

SourceSKILL.md

159	export const SERVICE_TOKEN_URL = process.env.SERVICE_TOKEN_URL \|\| 'https://api.example.com/oauth/token';

low line 172

External URL reference

SourceSKILL.md

172	SERVICE_BASE_URL=https://api.example.com

low line 185

External URL reference

SourceSKILL.md

185	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 198

External URL reference

SourceSKILL.md

198	SERVICE_BASE_URL=https://api.example.com

low line 210

External URL reference

SourceSKILL.md

210	SERVICE_BASE_URL=https://api.example.com

low line 226

External URL reference

SourceSKILL.md

226	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 244

External URL reference

SourceSKILL.md

244	SERVICE_BASE_URL=https://api.example.com

low line 266

External URL reference

SourceSKILL.md

266	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 310

External URL reference

SourceSKILL.md

310	export const SERVICE_BASE_URL = process.env.SERVICE_BASE_URL \|\| 'https://api.example.com';

low line 432

External URL reference

SourceSKILL.md

432	SERVICE_BASE_URL=https://api.example.com

low line 589

External URL reference

SourceSKILL.md

589	SERVICE_BASE_URL=https://api.example.com

low line 623

External URL reference

SourceSKILL.md

623	SERVICE_BASE_URL=https://dev-api.example.com

low line 627

External URL reference

SourceSKILL.md

627	SERVICE_BASE_URL=https://staging-api.example.com

low line 631

External URL reference

SourceSKILL.md

631	SERVICE_BASE_URL=https://api.example.com

dotenv-patterns

Install this skill

Categories Tested

Security Issues