CLI Commands | varlock
Varlock provides a command-line interface for managing environment variables and secrets. This reference documents all available CLI commands.
See installation for instructions on how to install Varlock.
Running commands in JS projects
If you have installed varlock as a package.json dependency, rather than a standalone binary, the best way to invoke the CLI is via your package manager:
Also note that within package.json scripts, you can use it directly:
{
"scripts": {
"start": "varlock run -- node app.js"
}
}
package.json configuration
You can configure varlock’s default behavior by adding a varlock key to your package.json:
{
"varlock": {
"loadPath": "./envs/"
}
}
| Option | Description |
|---|---|
loadPath | Path to a directory or specific .env file to use as the default entry point. Defaults to the current working directory if not set. Use a directory path (with trailing /) to automatically load all relevant files (.env.schema, .env, .env.local, etc.); a file path only loads that file and its explicit imports. Can be overridden by the --path CLI flag. Varlock looks for this config in the package.json in the current working directory only. |
Commands reference
Starts an interactive onboarding process to help you get started. Will help create your .env.schema and install varlock as a dependency if necessary.
Loads and validates environment variables according to your .env files, and prints the results. Default prints a nicely formatted, colorized summary of the results, but can also print out machine-readable formats.
Useful for debugging locally, and in CI to print out a summary of env vars.
Options:
--format: Format of output [pretty|json|env|shell]--show-all: Shows all items, not just failing ones, when validation is failing--env: Set the default environment flag (e.g.,--env production), only useful if not using@currentEnvin.env.schema--path/-p: Path to a specific.envfile or directory to use as the entry point (overridesvarlock.loadPathinpackage.json)
Examples:
# Load and validate environment variables
varlock load
# Load and validate for a specific environment (when not using @currentEnv in .env.schema)
varlock load --env production
# Output validation results in JSON format
varlock load --format json
# Output as shell export statements (useful for direnv / eval)
eval "$(varlock load --format shell)"
# When validation is failing, will show all items, rather than just failing ones
varlock load --show-all
# Load from a specific .env file
varlock load --path .env.prod
# Load from a specific directory
varlock load --path ./config/
Executes a command in a child process, injecting your resolved and validated environment variables from your .env files. This is useful when a code-level integration is not possible.
Options:
--no-redact-stdout: Disable stdout/stderr redaction to preserve TTY detection for interactive tools--path/-p: Path to a specific.envfile or directory to use as the entry point
Examples:
varlock run -- node app.js # Run a Node.js application
varlock run -- python script.py # Run a Python script
# Use a specific .env file as entry point
varlock run --path .env.prod -- node app.js
# Use a specific directory as entry point
varlock run --path ./config/ -- node app.js
Resolves and prints the value of a single environment variable to stdout. Only the requested item and its transitive dependencies are resolved, making this faster than loading the full graph.
This is useful within larger shell commands where you need to embed a single resolved env var value.
varlock printenv <VAR_NAME> [options]
Options:
--path/-p: Path to a specific.envfile or directory to use as the entry point
Examples:
# Print the resolved value of MY_VAR
varlock printenv MY_VAR
# Use a specific .env file as entry point
varlock printenv --path .env.prod MY_VAR
# Embed in a shell command using subshell expansion
sh -c 'some-tool --token $(varlock printenv MY_TOKEN)'
Scans your project files for sensitive config values that should not appear in plaintext. Loads your varlock config, resolves all @sensitive values, then checks files for any occurrences of those values.
This is especially useful as a pre-commit git hook to prevent accidentally committing secrets into version control.
Options:
--staged: Only scan staged git files--include-ignored: Include git-ignored files in the scan (by default, gitignored files are skipped)--install-hook: Set upvarlock scanas a git pre-commit hook--path/-p: Path to a specific.envfile or directory to use as the schema entry point
Examples:
# Scan all non-gitignored files in the current directory
varlock scan
# Only scan staged git files
varlock scan --staged
# Scan all files, including gitignored ones
varlock scan --include-ignored
# Use a specific .env file as the schema entry point
varlock scan --path .env.prod
# Set up as a git pre-commit hook
varlock scan --install-hook
Generates type files according to @generateTypes and your config schema. Uses only non-environment-specific schema info, so output is deterministic regardless of which environment is active.
This command is particularly useful when you have set auto=false on the @generateTypes decorator to disable automatic type generation during varlock load or varlock run.
varlock typegen [options]
Options:
--path/-p: Path to a specific.envfile or directory to use as the entry point
Examples:
# Generate types using the default schema
varlock typegen
# Generate types from a specific .env file
varlock typegen --path .env.prod
varlock telemetry
Opts in/out of anonymous usage analytics. This command creates/updates a configuration file at $XDG_CONFIG_HOME/varlock/config.json (defaults to ~/.config/varlock/config.json) saving your preference.
varlock telemetry disable
varlock telemetry enable
Displays general help information, alias for varlock --help
For help about specific commands, use:
varlock subcommand --help