Skip to main content

envshed diff

Compare secrets between two environments in the same project. Output is color-coded: added keys in green, removed keys in red, and changed keys in yellow. Secret values are masked by default — use --show-values only in trusted terminals.

Usage

envshed diff <env1> <env2> [options]

Arguments

ArgumentDescription
<env1>First environment slug (the "from" side)
<env2>Second environment slug (the "to" side)

Options

FlagDescription
-o, --org <slug>Organization slug (overrides config)
-p, --project <slug>Project slug (overrides config)
--show-valuesShow actual secret values (use only in trusted terminals)

Example

Compare staging and production environments (values masked):

envshed diff staging production
staging  →  production

+ NEW_FEATURE_FLAG  ***
- DEPRECATED_KEY  ***
~ DATABASE_URL  *** (changed)

1 added, 1 removed, 1 changed

Show actual values (only in trusted terminals):

envshed diff staging production --show-values
Warning: secret values are visible in this output. Do not share or log this output.

staging  →  production

+ NEW_FEATURE_FLAG  true
- DEPRECATED_KEY  old-value
~ DATABASE_URL  postgres://staging-host/db → postgres://prod-host/db

1 added, 1 removed, 1 changed

When environments are identical:

envshed diff staging production
staging  →  production

No differences found.

Behavior

  • Both environments are fetched in parallel. If either fetch fails (e.g., 403 Forbidden), the diff aborts with a clear error — no partial output is rendered.
  • Values are always masked as *** by default. This prevents accidental leakage in logs, CI output, or terminal recordings.
  • When --show-values is passed, a warning is printed to stderr before the diff output, and actual values are shown.
  • The summary line at the bottom counts only keys that differ (added + removed + changed). Unchanged keys are not shown.

Security Note

The --show-values flag is intended for local debugging only. Never use it in CI/CD pipelines, shared terminals, or any environment where output may be logged or observed by others.