This week: 5 repos in the scanned fleet exposed this category (8 matches).See Radar #4 →

What it is

Terraform variable files set input values for infrastructure code. Teams frequently put real secrets (database passwords, API tokens, cloud keys) into .tfvars for convenience.

Why it matters for AI context

An AI assistant indexing the repo can read secret values from .tfvars and surface them in context. State files (.tfstate) carry the same risk and should be excluded too.

How to keep it out of AI tools

  1. Pass secrets via environment variables (TF_VAR_*) or a secrets backend instead of files.
  2. Add *.tfvars and *.tfstate to .gitignore.
  3. Add the same patterns to your AI ignore file.
  4. Commit only example tfvars with placeholder values.
Add to your ignore file
*.tfvars
!example.tfvars
*.tfstate
*.tfstate.*

Ignore files that exclude this

FAQ

Do I also need to ignore Terraform state?
Yes. .tfstate often contains secret values in plain text and should be kept out of both git and AI context.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.