Why doesn't .gitignore protect my secrets from AI agents?

.gitignore only tells git not to track files. It does not change file permissions or prevent other programs from reading them. AI agents with file system access can read any file the user has permission to read, regardless of .gitignore.

Should I store secrets inside my project at all?

Preferably not. Use a secret manager like Vault, AWS Secrets Manager, or Doppler. If you must store secrets locally, put them outside the project directory and use environment variables to pass them to the application. Guard can enforce a boundary around the project root.

high severityCurated advisory

Gitignore bypass via agent file reads

AI agents can read files that are gitignored — secrets, private keys, and internal configs — because gitignore only prevents git tracking, not file system access. These files often contain the most sensitive data in a repository.

Protect my harness Protect a team

Affected surfaces.gitignoreprivate keyssecrets directoriesagent file-read tools

The attack

What happens

Gitignore prevents files from being tracked by git, but it does not prevent an AI agent from reading them. Agents can read .gitignored files like .env, private keys, and service account credentials because they have file system access.

Step by step

How the attack unfolds

1Agent is asked to explore or understand the project structure.

2Agent reads .gitignore to understand which files are excluded.

3Agent reads the gitignored files directly — .env, .pem, .p12, service-account.json — because gitignore does not block file reads.

4Sensitive file contents enter the context window and may be sent to the model API.

Example

What it looks like in practice

Scenario

A developer asks Cursor to "look at the project structure and understand how the app works." Cursor reads .gitignore to see what's excluded, then reads .env.production to understand the production configuration. The .env.production file contains the production database URL and Stripe secret key — data that enters the context window and is sent to the model API.

Detection

How Guard catches this

Guard cross-references file reads against .gitignore patterns and flags reads of gitignored files.

Guard blocks reads of known secret file patterns: .env, .pem, .p12, .key, id_rsa, service-account.json.

Guard alerts when an agent reads files in directories like .ssh/, .aws/, .gnupg/.

Mitigation

How to stop it

Recommended action

Use Guard to block reads of gitignored files that contain secrets. Maintain an explicit denylist of sensitive file patterns in addition to .gitignore.

Guard configuration

Enable "Gitignore-aware file protection" to flag reads of gitignored files.

Enable "Secret file denylist" to block reads of .env, .pem, .p12, .key, id_rsa, and service-account.json.

Enable "Sensitive directory protection" to block reads of .ssh/, .aws/, .gnupg/.

FAQ

Common questions

Related advisories

More threats to know about

critical

Environment file exfiltration via webhook

AI agents can be tricked into reading .env files and sending their contents to external endpoints through tool calls, webhook integrations, or HTTP requests that appear legitimate.

Read advisory

medium

Context window scraping via long file reads

AI agents that read large files can leak proprietary code, internal documentation, and customer data into their context window — which may then be sent to external LLM APIs or logged in cloud telemetry.

Read advisory

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this attack and others like it.

Install HOL Guard See team plans