📦 Config Drift Scanner
v1.0.0: Detect configuration drift across environments (dev, staging, production). Compare config files, environment variables, feature flags, and secrets across dep...
Config Drift Scanner
Find configuration differences across your environments before they cause incidents. Compare config files, environment variables, feature flags, database settings, and runtime parameters between dev/staging/production — catching the "works on my machine" problems that slip past code review.
Use when: "compare configs between environments", "find config drift", "why does staging work but prod doesn't", "audit environment parity", "check env vars across deployments", or after an incident caused by config mismatch.
Commands
- scan — Detect Drift Across Environments
Step 1: Find Config References in Code
```bash
# Find environment variable references in code.
# ripgrep skips binary files by default; dependency directories are excluded explicitly.
rg "process\.env\.|os\.environ|os\.getenv|ENV\[|System\.getenv" \
  -g '!node_modules' -g '!vendor' --stats 2>&1 | tail -5
```
Step 2: Extract Config from Each Environment
For Kubernetes:
```bash
# ConfigMaps: flatten every ConfigMap in each namespace to "name.key=value" lines
for env in dev staging prod; do
  kubectl get configmaps -n "$env" -o json | python3 -c "
import json, sys
cms = json.load(sys.stdin)['items']
for cm in cms:
    name = cm['metadata']['name']
    for k, v in cm.get('data', {}).items():
        print(f'{name}.{k}={v}')
" > "/tmp/config-$env.txt"
done
```
For .env files:
```bash
# Compare .env files across environments (comments and blank lines dropped, keys sorted)
for f in .env.development .env.staging .env.production; do
  if [[ -f "$f" ]]; then
    echo "=== $f ==="
    grep -v '^#' "$f" | grep -v '^$' | sort
  fi
done
```
For Terraform:
```bash
# Compare tfvars across environments
for f in terraform/environments/*/terraform.tfvars; do
  echo "=== $f ==="
  cat "$f"
done
```
Step 3: Diff and Classify
Compare each key across environments and classify differences:
🔴 Dangerous Drift (same key, unexpected difference):
- Database connection strings pointing to the wrong environment
- API keys that should be environment-specific but are shared
- Feature flags enabled in prod but disabled in staging (testing gap)
- Timeout values that differ without a documented reason
- Memory/CPU limits that are lower in prod than in staging
🟡 Expected Drift (different by design):
- Database URLs (each env has its own DB)
- API endpoints (staging.api.com vs api.com)
- Log levels (debug in dev, info in prod)
- Replica counts (1 in dev, 3 in prod)
🟢 Missing in Environment (potential problem):
- Env var exists in prod but not staging → can't test that code path
- Config key exists in staging but not prod → forgot to add it on deploy
Step 4: Generate Report
```markdown
# Configuration Drift Report

Environments Compared: dev ↔ staging ↔ production

## 🔴 Dangerous Drift (3 found)
- DATABASE_POOL_SIZE: dev=5, staging=10, prod=5
- FEATURE_NEW_CHECKOUT: dev=true, staging=true, prod=false
- REDIS_TIMEOUT_MS: dev=5000, staging=500, prod=5000

## 🟡 Expected Drift (8 found)
- DATABASE_URL: different per environment ✅
- LOG_LEVEL: debug/info/warn ✅
- API_BASE_URL: per-environment ✅

## 🟢 Missing Variables (2 found)
- SENTRY_DSN: exists in prod, missing in staging → errors not tracked in staging
- RATE_LIMIT_RPS: exists in prod (100), missing in dev/staging → no rate limit testing

## Recommendations
- Add SENTRY_DSN to staging for error visibility
- Fix DATABASE_POOL_SIZE in prod (should be ≥ staging value)
- Document why FEATURE_NEW_CHECKOUT differs between staging and prod
```
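Steps 3 and 4 as one script, added here as a worked example (it is not the skill's own code): it reads the `KEY=value` dumps the extraction step writes, diffs every key across environments, sorts each difference into dangerous / expected / missing, and renders the Markdown report. The `EXPECTED_DIFFERENT` allowlist, the `staging`/`prod` names used for the "prod lower than staging" check, and the sample dumps are assumptions; the samples are constructed to reproduce the figures in the report above.

```python
# Added example (not the skill's own code): Steps 3 and 4 as one script.
# Reads KEY=value dumps (one per environment, as written to /tmp/config-<env>.txt),
# diffs every key across environments, classifies the result and renders the
# Markdown report. Sample dumps below are constructed for this example.

# Assumption: keys that are expected to differ per environment by design.
EXPECTED_DIFFERENT = {"DATABASE_URL", "LOG_LEVEL", "API_BASE_URL"}

# Constructed sample dumps in the KEY=value format the extraction step produces.
SAMPLE_DUMPS = {
    "dev": """DATABASE_URL=postgres://db-dev/app
LOG_LEVEL=debug
API_BASE_URL=https://dev.api.example
DATABASE_POOL_SIZE=5
FEATURE_NEW_CHECKOUT=true
REDIS_TIMEOUT_MS=5000""",
    "staging": """DATABASE_URL=postgres://db-staging/app
LOG_LEVEL=info
API_BASE_URL=https://staging.api.example
DATABASE_POOL_SIZE=10
FEATURE_NEW_CHECKOUT=true
REDIS_TIMEOUT_MS=500""",
    "prod": """# comment lines are ignored by the parser
DATABASE_URL=postgres://db-prod/app
LOG_LEVEL=warn
API_BASE_URL=https://api.example
DATABASE_POOL_SIZE=5
FEATURE_NEW_CHECKOUT=false
REDIS_TIMEOUT_MS=5000
SENTRY_DSN=https://sentry.example/42
RATE_LIMIT_RPS=100""",
}


def parse_dump(text):
    """Parse KEY=value lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            cfg[key.strip()] = value.strip()
    return cfg


def _num(value):
    """Return the value as a float, or None when it is not numeric."""
    try:
        return float(value)
    except ValueError:
        return None


def classify(envs, staging="staging", prod="prod"):
    """envs: {env: {key: value}}. Returns findings per category, keys sorted.
    dangerous: (key, {env: value}, reason); expected: (key, {env: value});
    missing: (key, [envs that have it], [envs that lack it])."""
    found = {"dangerous": [], "expected": [], "missing": []}
    for key in sorted(set().union(*envs.values())):
        present = {env: cfg[key] for env, cfg in envs.items() if key in cfg}
        if len(present) < len(envs):
            absent = [env for env in envs if env not in present]
            found["missing"].append((key, list(present), absent))
        elif len(set(present.values())) == 1:
            continue  # identical everywhere: no drift
        elif key in EXPECTED_DIFFERENT:
            found["expected"].append((key, present))
        else:
            reason = "unexpected difference"
            # Limits/pools that are lower in prod than staging are called out explicitly.
            s, p = _num(present.get(staging, "")), _num(present.get(prod, ""))
            if s is not None and p is not None and p < s:
                reason = f"{prod} value is lower than {staging}"
            found["dangerous"].append((key, present, reason))
    return found


def render(found, env_order):
    """Render the findings as the Markdown report produced in Step 4."""
    out = ["# Configuration Drift Report", "",
           "Environments Compared: " + " <-> ".join(env_order), ""]
    out.append(f"## 🔴 Dangerous Drift ({len(found['dangerous'])} found)")
    for key, vals, reason in found["dangerous"]:
        values = ", ".join(f"{e}={vals[e]}" for e in env_order)
        out.append(f"- {key}: {values} ({reason})")
    out.append(f"## 🟡 Expected Drift ({len(found['expected'])} found)")
    for key, vals in found["expected"]:
        out.append(f"- {key}: " + "/".join(vals[e] for e in env_order) + " ✅")
    out.append(f"## 🟢 Missing Variables ({len(found['missing'])} found)")
    for key, has, lacks in found["missing"]:
        out.append(f"- {key}: exists in {', '.join(has)}, missing in {', '.join(lacks)}")
    return "\n".join(out)


if __name__ == "__main__":
    envs = {name: parse_dump(text) for name, text in SAMPLE_DUMPS.items()}
    print(render(classify(envs), list(envs)))
```

The allowlist is the policy knob: a key that differs and is not on it is reported as dangerous by default, so a new config key that starts to drift is surfaced rather than silently accepted. Real dumps are read with `parse_dump(open(path).read())` in place of the constructed strings.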
- watch — Continuous Drift Monitoring
Set up a CI check that runs on every config change:
```yaml
# GitHub Actions
name: Config Drift Check
on:
  push:
    paths:
      - '**/.env*'
      - '**/config.*'
      - '**/values.yaml'
      - '**/*.tfvars'
jobs:
  drift:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for drift
        run: |
          # Compare all env files and flag dangerous differences
          diff <(grep -v '^#' .env.staging | sort) <(grep -v '^#' .env.production | sort) || true
```
- template — Generate Config Parity Checklist
For a new environment setup, generate a checklist of all config keys that need to be set, with:
- Required vs optional
- Expected value ranges
- Whether the value should differ from or match other environments
- Where to get the value (secrets manager, team lead, auto-generated)
- secrets-check — Verify Secret Rotation
Cross-reference config with secrets management:
- Which secrets are hardcoded vs pulled from vault/secrets manager?
- When were secrets last rotated?
- Are any secrets shared across environments (bad practice)?
A
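The three secrets-check questions as a worked example, added here and not part of the skill's own code: given the per-environment `{KEY: value}` dicts the scan step extracts, it decides for each secret-looking key whether the value is hardcoded or a reference into a secrets manager, flags hardcoded values that are shared across environments, and lists secrets past their rotation deadline. The key-name pattern, the reference prefixes, the sample configs and the rotation dates are assumptions constructed for the example; values are reported only as SHA-256 fingerprints so the output never echoes a credential.

```python
# Added example (not the skill's own code) for the secrets-check command.
# Input: the per-environment {KEY: value} dicts the scan step extracts.
# Output: per secret key, which envs hardcode it, which reference a secrets
# manager, which envs share one hardcoded value, plus keys overdue for rotation.
# Key pattern, reference prefixes, sample data and dates are assumptions.
import hashlib
import re
from datetime import date

# Keys whose values are treated as secrets (assumed naming convention).
SECRET_KEY = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD)$", re.IGNORECASE)
# Value prefixes that mean "resolved from a secrets manager at runtime", not a literal.
REFERENCE_PREFIXES = ("vault:", "arn:aws:secretsmanager:", "${")

# Constructed sample configs; the sk_live value shared by staging and prod is deliberate.
SAMPLE_ENVS = {
    "dev": {"STRIPE_API_KEY": "sk_test_dev0001",
            "DB_PASSWORD": "vault:kv/dev/db#password", "LOG_LEVEL": "debug"},
    "staging": {"STRIPE_API_KEY": "sk_live_shared9",
                "DB_PASSWORD": "vault:kv/staging/db#password", "LOG_LEVEL": "info"},
    "prod": {"STRIPE_API_KEY": "sk_live_shared9",
             "DB_PASSWORD": "hunter2", "LOG_LEVEL": "warn"},
}
# Constructed rotation metadata (where this comes from is an assumption).
SAMPLE_ROTATED_AT = {"STRIPE_API_KEY": date(2024, 1, 10),
                     "DB_PASSWORD": date(2024, 11, 2)}
SAMPLE_TODAY = date(2024, 12, 1)


def fingerprint(value):
    """Short SHA-256 prefix: enough to show two values are equal, never the value itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def is_reference(value):
    """True when the value points at a secrets manager instead of being a literal."""
    return value.startswith(REFERENCE_PREFIXES)


def audit_secrets(envs):
    """Per secret key: envs that hardcode it, envs that reference it, and
    {fingerprint: [envs]} for hardcoded values shared by more than one env."""
    findings = {}
    secret_keys = {k for cfg in envs.values() for k in cfg if SECRET_KEY.search(k)}
    for key in sorted(secret_keys):
        hardcoded, referenced, by_fingerprint = [], [], {}
        for env, cfg in envs.items():
            if key not in cfg:
                continue
            if is_reference(cfg[key]):
                referenced.append(env)
            else:
                hardcoded.append(env)
                by_fingerprint.setdefault(fingerprint(cfg[key]), []).append(env)
        shared = {fp: e for fp, e in by_fingerprint.items() if len(e) > 1}
        findings[key] = {"hardcoded": hardcoded, "referenced": referenced,
                         "shared": shared}
    return findings


def stale_secrets(rotated_at, max_age_days, today):
    """Keys whose last rotation is older than max_age_days as of `today`."""
    return sorted(k for k, d in rotated_at.items() if (today - d).days > max_age_days)


if __name__ == "__main__":
    for key, f in audit_secrets(SAMPLE_ENVS).items():
        print(f"{key}: hardcoded in {f['hardcoded'] or '-'}, "
              f"referenced in {f['referenced'] or '-'}")
        for fp, shared_envs in f["shared"].items():
            print(f"  hardcoded value {fp} shared across {shared_envs}")
    print("overdue for rotation:", stale_secrets(SAMPLE_ROTATED_AT, 90, SAMPLE_TODAY))
```

Grouping by fingerprint rather than by raw value keeps the report safe to paste into a ticket: two environments that share a credential show the same twelve hex characters, and nothing else about the secret leaves the script.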