Environment files (.env)
.env files hold environment variables — frequently API keys, database URLs, and tokens. When one sits in a repo, AI coding tools can read it as workspace context.
This week: 71 repos in the scanned fleet exposed this category (182 matches).See Radar #4 →
What it is
An environment file stores configuration as KEY=value pairs. In real projects it usually contains database credentials, third-party API keys, signing secrets, and other values an application needs at runtime.
Why it matters for AI context
AI coding assistants index the files in your workspace to answer questions and generate code. If a real .env is present (not a .env.example placeholder), its secret values can be pulled into prompts, sent to model providers, or echoed back inside completions.
How to keep it out of AI tools
- Keep only a .env.example with placeholder values in version control.
- Add .env and .env.* to .gitignore so real files are never committed.
- Add the same patterns to a dedicated AI ignore file so assistants skip them even when the file exists locally.
- Rotate any secret that may already have been committed to history.
.env
.env.*
!.env.exampleIgnore files that exclude this
FAQ
- Should I commit .env files to git?
- No. Commit a .env.example with placeholder keys instead, and keep real .env files out of version control entirely.
- Does .gitignore stop AI tools from reading .env?
- Not reliably. Some assistants read files on disk regardless of git status, so add .env to a dedicated AI ignore file as well.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.