What this prompt does
This prompt turns Claude Code into a configuration security auditor that reads your repo's actual files instead of guessing. It walks ten explicit checks — .env for plaintext secrets and default passwords, .env.example drift against the real .env, hardcoded values that belong in env vars, Docker and compose hardening, CI/CD secret handling, database connection security, env-specific settings that differ across dev/staging/prod, and API key rotation readiness — then ends by generating a clean, documented .env.example template you can commit.
It works because it is a checklist, not an open question. Each numbered item forces Claude to look for one specific class of problem, so nothing gets skipped when a file is long or noisy. The [framework] variable pins findings to real conventions (Laravel's config/*.php, Rails' credentials.yml.enc, Node's process.env), and the critical/warning/info severity flag makes the output triageable — you fix the critical leaks first and schedule the rest.
The [environment] and [config_count] variables tune scope: you decide which environment's .env is compared, and how many framework-specific best practices Claude must check beyond the universal nine.
When to use it
- Before making a private repo public, or onboarding a contractor who'll get repo access.
- Right after inheriting a legacy codebase where nobody knows what's in `.env` or whether secrets were ever committed.
- When `php artisan` or `npm start` fails on a fresh clone because `.env.example` is missing keys the app actually needs.
- Pre-deploy, to catch a `DB_PASSWORD` or `APP_DEBUG=true` that drifted between staging and prod.
- During a security review when you need a severity-ranked list, not a vague "looks fine."
- When standardizing config across several services and you want one authoritative `.env.example`.
Example output
CRITICAL .env:14 Stripe live key committed (sk_live_…) — rotate now, purge from git history
CRITICAL .env:31 DB_PASSWORD=password (default) — replace before any deploy
WARNING config/services.php:22 Mailgun secret hardcoded; move to MAILGUN_SECRET
WARNING .env.example missing: REDIS_PASSWORD, AWS_BUCKET (present in prod .env)
INFO docker-compose.yml Postgres port 5432 published to host — bind to 127.0.0.1
INFO .env extra var STALE_FLAG not referenced in code — safe to remove
Generated .env.example:
STRIPE_SECRET= # Live/test secret key, never commit the real value
DB_PASSWORD= # Per-environment; use a secrets manager in prod
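As an added example (not part of the prompt page or of Claude Code), here is a small Python auditor that implements a few of the checks above on constructed sample files and prints findings in the same CRITICAL/WARNING/INFO shape; the AWS `AKIA` key shape, the `env('KEY')`/`process.env.KEY` reference patterns and every sample value are assumptions for the demo.

```python
# Added example, not the prompt page's own code; the sample file contents below are constructed.
import re

SEVERITY_RANK = {"CRITICAL": 0, "WARNING": 1, "INFO": 2}
DEFAULT_PASSWORDS = {"", "password", "secret", "changeme", "root", "admin", "123456"}
# Value shapes treated as live credentials: Stripe live keys (sk_live_, as on the page) and
# AWS access key ids (AKIA + 16 chars, assumed shape). Extend this for your own providers.
LIVE_KEY_RE = re.compile(r"^(sk_live_|AKIA[0-9A-Z]{16})")
# Laravel env('KEY') and Node process.env.KEY references, used to spot stale variables.
ENV_REF_RE = re.compile(r"(?:env\(['\"]|process\.env\.)([A-Z][A-Z0-9_]*)")

def parse_env(text):
    """Return {KEY: (value, line_no)} from dotenv text, skipping comments and blank lines."""
    env = {}
    for no, raw in enumerate(text.splitlines(), start=1):
        if not (line := raw.strip()) or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = (value.split(" #")[0].strip().strip("'\""), no)  # drop trailing comment, quotes
    return env

def audit(env_text, example_text, code_text):
    """Run the .env checks and return (severity, message) tuples, most severe first."""
    env, example = parse_env(env_text), parse_env(example_text)
    referenced = set(ENV_REF_RE.findall(code_text))
    findings = []
    for key, (value, no) in env.items():
        if LIVE_KEY_RE.match(value):
            findings.append(("CRITICAL", f".env:{no} {key} looks like a live key; rotate now, purge from git history"))
        elif key.endswith("PASSWORD") and value.lower() in DEFAULT_PASSWORDS:
            findings.append(("CRITICAL", f".env:{no} {key} is empty or a default password; replace before any deploy"))
        if key == "APP_DEBUG" and value.lower() == "true":
            findings.append(("WARNING", f".env:{no} APP_DEBUG=true; must be false outside local dev"))
        if key not in example:
            findings.append(("WARNING", f".env.example missing: {key}"))
        if key not in referenced:
            findings.append(("INFO", f".env:{no} {key} not referenced in code; safe to remove"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])

def generate_example(env_text):
    """Emit a committable .env.example: every key kept, every value blanked."""
    return "\n".join(f"{k}=  # set per environment; never commit the real value" for k in parse_env(env_text))
SAMPLE_ENV = "APP_DEBUG=true\nDB_PASSWORD=password\nSTRIPE_SECRET=sk_live_PLACEHOLDER\nREDIS_PASSWORD=\"r3dis-pass\"\nSTALE_FLAG=1\n"
SAMPLE_EXAMPLE = "APP_DEBUG=\nDB_PASSWORD=\nSTRIPE_SECRET=\nMAIL_HOST=\n"
SAMPLE_CODE = "env('APP_DEBUG'); env('DB_PASSWORD'); process.env.STRIPE_SECRET; env(\"REDIS_PASSWORD\")"

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ENV, SAMPLE_EXAMPLE, SAMPLE_CODE):
        print(f"{severity:8} {message}")
    print("\nGenerated .env.example:\n" + generate_example(SAMPLE_ENV))
```

The `.env.example` drift check is one-directional here (keys in `.env` but absent from the template), which is the fresh-clone failure the page describes; a real pass should also diff the other way and run over git history with the tools named under Pro tips.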
Pro tips
- Set `[environment]` to prod for the highest-stakes pass — that's where `APP_DEBUG=true` and verbose logging do real damage. Re-run for staging separately; merging environments hides drift.
- Claude can't see your git history. Pair this with `git log -p --all -S 'sk_live'` (or gitleaks/trufflehog) — this prompt flags secrets present now, not ones you committed and deleted.
- Push `[config_count]` to 15+ for a thorough Laravel pass so it checks `SESSION_SECURE_COOKIE`, queue connection encryption, and `config:cache` compatibility, not just the obvious keys.
- The generated `.env.example` is a starting template — review every description before committing. Treat it as a draft; never auto-commit a file claiming to document secrets.
- Run it after `php artisan config:clear`; cached config can mask which values are actually env-driven versus hardcoded.