protect-my-env

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

There is no set of practices that can guarantee that software will never have defects or vulnerabilities; even formal methods can fail if the specifications or assumptions are wrong. Nor is there any set of practices that can guarantee that a project will sustain a healthy and well-functioning development community. However, following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different companies. To earn a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR be unmet with justification, and all SUGGESTED criteria must be met OR unmet (we want them considered at least). If you want to enter justification text as a generic comment, instead of being a rationale that the situation is acceptable, start the text block with '//' followed by a space. Feedback is welcome via the GitHub site as issues or pull requests There is also a mailing list for general discussion.

We gladly provide the information in several locales, however, if there is any conflict or inconsistency between the translations, the English version is the authoritative version.
If this is your project, please show your baseline badge status on your project page! The baseline badge status looks like this: Baseline badge level for project 12989 is in_progress Here is how to embed the baseline badge:
You can show your baseline badge status by embedding this in your markdown file:
[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12989/baseline)](https://www.bestpractices.dev/projects/12989)
or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/12989"><img src="https://www.bestpractices.dev/projects/12989/baseline"></a>


These are the Baseline Level 1 criteria. These are criteria version v2026.02.19.

Baseline Series: Baseline Level 1 Baseline Level 2 Baseline Level 3

        

 Basics

  • General

    Note that other projects may use the same name.

    Protect My Env

    <p align="center"> <img src="https://raw.githubusercontent.com/marcuspmd/protect-my-env/master/icon.png" alt="Protect My Env Icon" width="128" /> </p> <p align="center"> <strong>Keep your .env secrets hidden on screen — without compromising your workflow.</strong> </p> <p align="center"> <a href="https://marketplace.visualstudio.com/items?itemName=marcusp.protect-my-env"> <img src="https://img.shields.io/visual-studio-marketplace/v/marcusp.protect-my-env?label=VS%20Code%20Marketplace&color=blue" alt="Marketplace Version" /> </a> <a href="https://marketplace.visualstudio.com/items?itemName=marcusp.protect-my-env"> <img src="https://img.shields.io/visual-studio-marketplace/d/marcusp.protect-my-env?color=green" alt="Downloads" /> </a> <a href="./LICENSE"> <img src="https://img.shields.io/badge/license-MIT-brightgreen" alt="MIT License" /> </a> </p> <p align="center"> <a href="https://github.com/marcuspmd/protect-my-env/actions/workflows/ci.yml"> <img src="https://github.com/marcuspmd/protect-my-env/actions/workflows/ci.yml/badge.svg" alt="CI" /> </a> <a href="https://github.com/marcuspmd/protect-my-env/actions/workflows/codeql.yml"> <img src="https://github.com/marcuspmd/protect-my-env/actions/workflows/codeql.yml/badge.svg" alt="CodeQL" /> </a> <a href="https://scorecard.dev/viewer/?uri=github.com/marcuspmd/protect-my-env"> <img src="https://api.securityscorecards.dev/projects/github.com/marcuspmd/protect-my-env/badge" alt="OpenSSF Scorecard" /> </a> <a href="https://codecov.io/gh/marcuspmd/protect-my-env"> <img src="https://codecov.io/gh/marcuspmd/protect-my-env/graph/badge.svg" alt="Coverage" /> </a> </p>

    Protect My Env Banner

    🔐 Privacy & Security

    Your secrets never leave your machine.

    • Zero data collection — no environment variables, keys, or values are ever recorded, stored, or transmitted anywhere.
    • No remote calls — the extension works entirely offline, with no telemetry, no analytics, and no external servers.
    • Total privacy — everything happens locally inside your VS Code editor.

    ⚠️ Disclaimer: This extension does not protect your .env files from AI agents (such as GitHub Copilot, Cursor, or similar tools) that have direct access to your workspace files. We do not encrypt or obfuscate file contents on disk — the data remains readable by any process with file system access. Protect My Env is designed solely to prevent accidental exposure during screen sharing, recordings, live coding sessions, and pair programming. It is not a security tool for AI context isolation.

    Why Protect My Env?

    Every time you open a .env file in VS Code, your secrets are visible in plain text — in editor tabs, during screen shares, in recordings, and in pair-programming sessions. Protect My Env solves this by rendering secrets as masked characters from the very first frame, with zero workflow disruption.

    Features

    Feature Description
    🔒 Secure Editor .env files open masked by default — no plaintext flash
    👁️ Per-key Reveal Reveal or hide individual values with a single click via CodeLens
    🌐 Reveal All / Hide All Toolbar buttons to toggle all values at once
    🔍 Search & Sort Filter by key or comment; sort by key column without touching file order
    🎭 Two Masking Modes all masks every key; pattern masks only keys matching glob patterns
    💬 Comment Protection Optionally mask full-line and inline comments too
    ✏️ Inline Editing Edit values directly in the secure view
    📝 Open as Text Fall back to the standard VS Code editor any time

    Preview

    Protect My Env in action

    Installation

    From the Marketplace

    1. Open VS Code.
    2. Press Ctrl+Shift+X (or Cmd+Shift+X on macOS) to open the Extensions panel.
    3. Search for Protect My Env.
    4. Click Install.

    From VSIX (manual)

    npm install -g @vscode/vsce
vsce package

    Then in VS Code: Extensions → ··· → Install from VSIX… and select the generated .vsix file.

    Quick Start

    1. Open any .env, .env.local, .env.production, or similar file.
    2. The file opens automatically in Secure .env Mode — values are masked from the first render.
    3. Use the CodeLens actions above each key:
      • Reveal KEY — temporarily show the value
      • Hide KEY — mask it again
    4. Use the toolbar buttons to control all values at once:
      • Reveal All Values (👁)
      • Hide All Values (👁‍🗨)

    Secure .env Mode

    The custom editor opens .env files in a table view where secrets are masked before any rendering occurs — eliminating the "decoration flash" you get with text-editor overlays.

    • Search filters keys and comments in real time.
    • Click the Key column header to sort the view without altering the file.
    • Full-line comments appear as comment rows; inline comments show in a separate column.
    • Row action icons let you reveal, edit, add, or delete values (hover for tooltips).
    • Click Open as text at any time to switch to the regular VS Code editor.

    Configuration

    Add any of the following to your settings.json:

    {
  "protectMyEnv.obfuscationMode": "all",
  "protectMyEnv.patterns": [
    "*_SECRET",
    "*_KEY",
    "*_PASSWORD",
    "*_TOKEN",
    "PASSWORD",
    "SECRET",
    "TOKEN",
    "KEY"
  ],
  "protectMyEnv.rules": [],
  "protectMyEnv.maskCharacter": "",
  "protectMyEnv.maskLength": 8,
  "protectMyEnv.protectComments": false
}

    Setting Reference

    Setting Type Default Description
    obfuscationMode string "all" "all" masks every key; "pattern" masks only keys matching patterns
    patterns string[] see above Glob patterns applied in pattern mode (case-insensitive)
    rules string[] [] Exact key names that are always masked regardless of mode
    maskCharacter string "•" Character used to render masked values
    maskLength number 8 Fixed mask length; set to 0 to match the original value length
    protectComments boolean false When true, masks full-line and inline comments

    Development

    Prerequisites

    • Node.js ≥ 18
    • VS Code ≥ 1.75

    Setup

    git clone https://github.com/marcuspmd/protect-my-env.git
cd protect-my-env
npm install
npm run compile

    Press F5 to launch the Extension Development Host.

    Testing

    npm test                  # Run all unit tests
npm run test:watch        # Watch mode
npm run test:coverage     # With coverage report

    Contributing

    Contributions are welcome! Please read CONTRIBUTING.md before opening a pull request.

    License

    MIT © Marcus Paulo M Dias

    Publishing

    npm run vscode:prepublish

    Scripts

    • npm run compile
    • npm run esbuild-base
    • npm run esbuild
    • npm run watch
    • npm run vscode:prepublish
    • npm test
    • npm run test:watch
    • npm run test:coverage
    Please use SPDX license expression format; examples include "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "GPL-2.0+", "LGPL-3.0+", "MIT", and "(BSD-2-Clause OR Ruby)". Do not include single quotes or double quotes.
    If there is more than one language, list them as comma-separated values (spaces optional) and sort them from most to least used. If there is a long list, please list at least the first three most common ones. If there is no language (e.g., this is a documentation-only or test-only project), use the single character "-". Please use a conventional capitalization for each language, e.g., "JavaScript".
    The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. It is used in a number of systems and databases when reporting vulnerabilities.

 Controls 0/24

  • Controls


    Unknown required information, not enough for a badge.

    When a user attempts to read or modify a sensitive resource in the project's authoritative repository, the system MUST require the user to complete a multi-factor authentication process. [OSPS-AC-01.01]
    Enforce multi-factor authentication for the project's version control system, requiring collaborators to provide a second form of authentication when accessing sensitive data or modifying repository settings. Passkeys are acceptable for this control.

    Unknown required information, not enough for a badge.

    When a new collaborator is added, the version control system MUST require manual permission assignment, or restrict the collaborator permissions to the lowest available privileges by default. [OSPS-AC-02.01]
    Most public version control systems are configured in this manner. Ensure the project's version control system always assigns the lowest available permissions to collaborators by default when added, granting additional permissions only when necessary.

    Unknown required information, not enough for a badge.

    When a direct commit is attempted on the project's primary branch, an enforcement mechanism MUST prevent the change from being applied. [OSPS-AC-03.01]
    If the VCS is centralized, set branch protection on the primary branch in the project's VCS. Alternatively, use a decentralized approach, like the Linux kernel's, where changes are first proposed in another repository, and merging changes into the primary repository requires a specific separate act.

    Unknown required information, not enough for a badge.

    When an attempt is made to delete the project's primary branch, the version control system MUST treat this as a sensitive activity and require explicit confirmation of intent. [OSPS-AC-03.02]
    Set branch protection on the primary branch in the project's version control system to prevent deletion.

    Unknown required information, not enough for a badge.

    When a CI/CD pipeline operates on untrusted metadata, those parameters MUST be sanitized and validated prior to use in the pipeline. [OSPS-BR-01.01]
    CI/CD pipelines should sanitize (quote, escape or exit on expected values) all metadata inputs which correspond to untrusted sources. This includes data such as branch names, commit messages, tags, pull request titles, and author information.

    Unknown required information, not enough for a badge.

    When a CI/CD pipeline operates on untrusted code snapshots, it MUST prevent access to privileged CI/CD credentials and assets. [OSPS-BR-01.03]
    CI/CD pipelines should isolate untrusted code snapshots from privileged credentials and assets. In particular, projects should be careful to ensure that workflows which build or execute code prior to review by a collaborator do not have access to CI/CD credentials.

    Unknown required information, not enough for a badge.

    When the project lists a URI as an official project channel, that URI MUST be exclusively delivered using encrypted channels. [OSPS-BR-03.01]
    Configure the project's websites and version control systems to use encrypted channels such as SSH or HTTPS for data transmission. Ensure all tools and domains referenced in project documentation can only be accessed via encrypted channels.

    Unknown required information, not enough for a badge.

    When the project lists a URI as an official distribution channel, that channel MUST be protected from adversary-in-the-middle attacks using cryptographically authenticated channels. [OSPS-BR-03.02]
    Artifacts distributed by the project should be distributed through channels which ensure integrity and authenticity. Use of HTTPS for downloads, signed releases, or distribution through trusted package managers are all acceptable methods to protect against adversary-in-the-middle attacks.

    Unknown required information, not enough for a badge.

    The project MUST prevent the unintentional storage of unencrypted sensitive data, such as secrets and credentials, in the version control system. [OSPS-BR-07.01]
    Configure .gitignore or equivalent to exclude files that may contain sensitive information. Use pre-commit hooks and automated scanning tools to detect and prevent the inclusion of sensitive data in commits.

    Unknown required information, not enough for a badge.

    When the project has made a release, the project documentation MUST include user guides for all basic functionality. [OSPS-DO-01.01]
    Create user guides or documentation for all basic functionality of the project, explaining how to install, configure, and use the project's features. If there are any known dangerous or destructive actions available, include highly-visible warnings.

    Unknown required information, not enough for a badge.

    When the project has made a release, the project documentation MUST include a guide for reporting defects. [OSPS-DO-02.01]
    It is recommended that projects use their VCS default issue tracker. If an external source is used, ensure that the project documentation and contributing guide clearly and visibly explain how to use the reporting system. It is recommended that project documentation also sets expectations for how defects will be triaged and resolved.

    Unknown required information, not enough for a badge.

    While active, the project MUST have one or more mechanisms for public discussions about proposed changes and usage obstacles. [OSPS-GV-02.01]
    Establish one or more mechanisms for public discussions within the project, such as mailing lists, instant messaging, or issue trackers, to facilitate open communication and feedback.

    Unknown required information, not enough for a badge.

    While active, the project documentation MUST include an explanation of the contribution process. [OSPS-GV-03.01]
    Create a CONTRIBUTING.md or CONTRIBUTING/ directory to outline the contribution process including the steps for submitting changes, and engaging with the project maintainers.

    Unknown required information, not enough for a badge.

    While active, the license for the source code MUST meet the OSI Open Source Definition or the FSF Free Software Definition. [OSPS-LE-02.01]
    Add a LICENSE file to the project's repo with a license that is an approved license by the Open Source Initiative (OSI), or a free license as approved by the Free Software Foundation (FSF). Examples of such licenses include the MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, Lesser GNU General Public License (LGPL), and the GNU General Public License (GPL). Releasing to the public domain meets this control if there are no other encumbrances such as patents.

    Unknown required information, not enough for a badge.

    While active, the license for the released software assets MUST meet the OSI Open Source Definition or the FSF Free Software Definition. [OSPS-LE-02.02]
    If a different license is included with released software assets, ensure it is an approved license by the Open Source Initiative (OSI), or a free license as approved by the Free Software Foundation (FSF). Examples of such licenses include the MIT, BSD 2-clause, BSD 3-clause revised, Apache 2.0, Lesser GNU General Public License (LGPL), and the GNU General Public License (GPL). Note that the license for the released software assets may be different than the source code.

    Unknown required information, not enough for a badge.

    While active, the license for the source code MUST be maintained in the corresponding repository's LICENSE file, COPYING file, or LICENSE/ directory. [OSPS-LE-03.01]
    Include the project's source code license in the project's LICENSE file, COPYING file, or LICENSE/ directory to provide visibility and clarity on the licensing terms. The filename MAY have an extension. If the project has multiple repositories, ensure that each repository includes the license file.

    Unknown required information, not enough for a badge.

    While active, the license for the released software assets MUST be included in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets. [OSPS-LE-03.02]
    Include the project's released software assets license in the released source code, or in a LICENSE file, COPYING file, or LICENSE/ directory alongside the corresponding release assets to provide visibility and clarity on the licensing terms. The filename MAY have an extension. If the project has multiple repositories, ensure that each repository includes the license file.

    Unknown required information, not enough for a badge.

    While active, the project's source code repository MUST be publicly readable at a static URL. [OSPS-QA-01.01]
    Use a common VCS such as GitHub, GitLab, or Bitbucket. Ensure the repository is publicly readable. Avoid duplication or mirroring of repositories unless highly visible documentation clarifies the primary source. Avoid frequent changes to the repository that would impact the repository URL. Ensure the repository is public.

    Unknown required information, not enough for a badge.

    The version control system MUST contain a publicly readable record of all changes made, who made the changes, and when the changes were made. [OSPS-QA-01.02]
    Use a common VCS such as GitHub, GitLab, or Bitbucket to maintain a publicly readable commit history. Avoid squashing or rewriting commits in a way that would obscure the author of any commits.

    Unknown required information, not enough for a badge.

    When the package management system supports it, the source code repository MUST contain a dependency list that accounts for the direct language dependencies. [OSPS-QA-02.01]
    This may take the form of a package manager or language dependency file that enumerates all direct dependencies such as package.json, Gemfile, or go.mod.

    Unknown required information, not enough for a badge.

    Projects with multiple repositories MUST document a list of codebases that are part of the project. [OSPS-QA-04.01]
    Document any additional subproject code repositories produced by the project and compiled into a release. This documentation should include the status and intent of the respective codebase.

    Unknown required information, not enough for a badge.

    While active, the version control system MUST NOT contain generated executable artifacts. [OSPS-QA-05.01]
    Remove generated executable artifacts in the project's version control system. It is recommended that any scenario where a generated executable artifact appears critical to a process such as testing, it should be instead be generated at build time or stored separately and fetched during a specific well-documented pipeline step.

    Unknown required information, not enough for a badge.

    While active, the version control system MUST NOT contain unreviewable binary artifacts. [OSPS-QA-05.02]
    Do not add any unreviewable binary artifacts to the project's version control system. This includes executable application binaries, library files, and similar artifacts. It does not include assets such as graphical images, sound or music files, and similar content typically stored in a binary format.

    Unknown required information, not enough for a badge.

    While active, the project documentation MUST contain security contacts. [OSPS-VM-02.01]
    Create a security.md (or similarly-named) file that contains security contacts for the project.


This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Marcus Paulo M Dias and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Marcus Paulo M Dias.
Entry created on 2026-05-26 15:32:19 UTC, last updated on 2026-05-26 15:33:32 UTC.