A .gitignore that does not exclude .env files is a latent trap: any developer who creates .env.production or .env.local and runs git add . will commit production secrets to version control. CWE-312 (Cleartext Storage of Sensitive Information) and CWE-798 (Hard-coded Credentials) both apply — the git object database stores secrets permanently, surviving git rm. OWASP A02 (Cryptographic Failures) and NIST 800-53 SC-28 require protecting credentials at rest. A public repository with an accidentally committed .env file exposes database passwords, API keys, and signing secrets to the entire internet.
Severity is info because this check is a configuration safeguard — the actual risk materializes only if a `.env` file is subsequently committed, but the missing gitignore entry makes that accident inevitable.
Add comprehensive secret file exclusions to .gitignore:
# .gitignore — secrets section
.env
.env.*
!.env.example
*.pem
*.key
serviceAccount.json
firebase-adminsdk-*.json
If a .env file is already tracked, remove it from git's index without deleting the working copy:
git rm --cached .env
git rm --cached .env.production
# Verify no secret files remain tracked (.env.example is expected to appear; anything else is a finding):
git ls-files | grep -E '\.env|\.key|\.pem'
If secrets appear in git history, rotate them immediately — history cleaning with git filter-repo does not invalidate credentials already harvested by CI or forks.
ID: security-hardening.infra-monitoring.env-in-gitignore
Severity: info
What to look for: Enumerate every secret-containing file pattern (.env, .env.local, .env.production, credentials.json, *.pem, *.key). For each, open .gitignore and check for explicit exclusion of .env, .env.*, .env.local, .env.production, .env.staging and similar secret file patterns. Also check that *.pem, *.key, serviceAccount.json, Firebase credentials, and similar credential files are excluded. Verify that .env.example (with placeholder values only) is tracked.
Pass criteria: .gitignore excludes .env, .env.* (wildcard), and common credential file patterns. A .env.example is present with placeholder values and is tracked by git — 100% of secret file patterns must be in .gitignore. Report: "X secret file patterns found, all Y listed in .gitignore."
Fail criteria: .gitignore does not include .env patterns. Or .env files are tracked by git (check git ls-files .env).
Skip (N/A) when: Never — this check always applies.
Cross-reference: The secrets-not-committed check verifies that no actual secrets exist in the git history.
Detail on fail: ".env not listed in .gitignore — any .env file could be accidentally committed" or ".env.production found in git index — contains production secrets in version control"
Remediation: Update .gitignore and remove tracked secrets:
# .gitignore — secrets
.env
.env.*
!.env.example
*.pem
*.key
serviceAccount.json
firebase-adminsdk-*.json
# Remove accidentally tracked .env files
git rm --cached .env
git rm --cached .env.production
# Check nothing sensitive remains tracked (.env.example is expected to appear)
git ls-files | grep -E '\.env|\.key|\.pem'
If secrets are in git history, rotate them immediately and use git filter-repo to clean history.
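The "What to look for" and pass/fail criteria above, implemented as an offline check. This is an added example, not the checklist's own tooling: evaluate() takes a .gitignore body and a list of tracked paths (both constructed in the test), and run_check() is a thin wrapper that feeds it a real checkout; the required-pattern list is taken from the remediation block.

```python
# Added example, not the checklist's own tooling: offline model of the check.
import fnmatch
import subprocess
from pathlib import Path

# Patterns the remediation block says must appear in .gitignore.
REQUIRED_PATTERNS = [".env", ".env.*", "*.pem", "*.key",
                     "serviceAccount.json", "firebase-adminsdk-*.json"]
ALLOWED_TRACKED = {".env.example"}  # placeholder values only, must be tracked


def parse_gitignore(text):
    """Active exclusion patterns: blanks, comments and '!' negations dropped."""
    rules = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            rules.add(line)
    return rules


def tracked_secrets(tracked_files):
    """Tracked paths whose basename matches a secret pattern (any directory)."""
    hits = []
    for path in tracked_files:
        name = Path(path).name
        if name not in ALLOWED_TRACKED and any(
                fnmatch.fnmatchcase(name, pat) for pat in REQUIRED_PATTERNS):
            hits.append(path)
    return hits


def evaluate(gitignore_text, tracked_files):
    """Return (status, detail); tracked secrets are the real exposure, so first."""
    leaked = tracked_secrets(tracked_files)
    if leaked:
        return "fail", f"{', '.join(leaked)} found in git index"
    rules = parse_gitignore(gitignore_text)
    missing = [p for p in REQUIRED_PATTERNS if p not in rules]
    if missing:
        return "fail", f"{', '.join(missing)} not listed in .gitignore"
    if not any(Path(p).name == ".env.example" for p in tracked_files):
        return "fail", ".env.example with placeholder values is not tracked"
    n = len(REQUIRED_PATTERNS)
    return "pass", f"{n} secret file patterns found, all {n} listed in .gitignore"


def run_check(repo="."):
    """Run evaluate() against a real checkout (needs git on PATH)."""
    ignore = Path(repo, ".gitignore")
    text = ignore.read_text() if ignore.exists() else ""
    files = subprocess.run(["git", "-C", repo, "ls-files"], check=True,
                           capture_output=True, text=True).stdout.splitlines()
    return evaluate(text, files)
```

Note that the check only recognises the exact patterns from the remediation; a broader rule such as `.env*` would also protect the files but is not credited, which matches the "explicit exclusion" wording of the check.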