This week: 71 repos in the scanned fleet exposed this category (182 matches).See Radar #4 →

What it is

An environment file stores configuration as KEY=value pairs. In real projects it usually contains database credentials, third-party API keys, signing secrets, and other values an application needs at runtime.

Why it matters for AI context

AI coding assistants index the files in your workspace to answer questions and generate code. If a real .env is present (not a .env.example placeholder), its secret values can be pulled into prompts, sent to model providers, or echoed back inside completions.

How to keep it out of AI tools

  1. Keep only a .env.example with placeholder values in version control.
  2. Add .env and .env.* to .gitignore so real files are never committed.
  3. Add the same patterns to a dedicated AI ignore file so assistants skip them even when the file exists locally.
  4. Rotate any secret that may already have been committed to history.
Add to your ignore file
.env
.env.*
!.env.example

Ignore files that exclude this

FAQ

Should I commit .env files to git?
No. Commit a .env.example with placeholder keys instead, and keep real .env files out of version control entirely.
Does .gitignore stop AI tools from reading .env?
Not reliably. Some assistants read files on disk regardless of git status, so add .env to a dedicated AI ignore file as well.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.