Environment Variable Provider
The Environment Variable provider reads secrets directly from process environment variables. This is a read-only provider designed for CI/CD compatibility and containerized environments.
Configuration
Section titled “Configuration”The env provider accepts no configuration options:
# All these are equivalent$ secretspec check --provider env$ secretspec check --provider env:$ secretspec check --provider env://Secret References
Section titled “Secret References”By default each secret reads the environment variable named after it. A secret’s
ref field reads a different
variable, which is useful when your infrastructure already exposes a value under
another name: item is the variable name, case-sensitive and preserved verbatim
(field is not supported). Like the rest of this provider, references are
read-only.
[profiles.default]DATABASE_URL = { description = "DB", ref = { item = "POSTGRES_CONNECTION_STRING" }, providers = ["env"] }When to Use
Section titled “When to Use”- Running in CI/CD pipelines where secrets are injected as environment variables
- Testing with temporary environment variables
- Working with containerized applications that use environment variables
Example
Section titled “Example”# Set environment variablesexport DATABASE_URL="postgresql://localhost/mydb"export API_KEY="sk-1234567890"
# Check secrets are available$ secretspec check --provider env✓ All required secrets are configured
# Run with environment variables$ secretspec run --provider env -- npm startCI/CD Integration
Section titled “CI/CD Integration”# GitHub Actions- name: Run with secrets env: DATABASE_URL: ${{ secrets.DATABASE_URL }} API_KEY: ${{ secrets.API_KEY }} run: | secretspec run --provider env -- npm run deploy