.env and secrets files listed in .gitignore
Why it matters
A .gitignore that does not exclude .env files is a latent trap: any developer who creates .env.production or .env.local and runs git add . will commit production secrets to version control. CWE-312 (Cleartext Storage of Sensitive Information) and CWE-798 (Hard-coded Credentials) both apply — the git object database stores secrets permanently, surviving git rm. OWASP A02 (Cryptographic Failures) and NIST 800-53 SC-28 require protecting credentials at rest. A public repository with an accidentally committed .env file exposes database passwords, API keys, and signing secrets to the entire internet.
Severity rationale
Info because this check is a configuration safeguard — the actual risk materializes only if a `.env` file is subsequently committed, but the missing gitignore makes that accident inevitable.
Remediation
Add comprehensive secret file exclusions to .gitignore:
# .gitignore — secrets section
.env
.env.*
!.env.example
*.pem
*.key
serviceAccount.json
firebase-adminsdk-*.json
If a .env file is already tracked, remove it from git's index without deleting it:
git rm --cached .env
git rm --cached .env.production
# Verify no secret files remain tracked:
git ls-files | grep -E '\.env|\.key|\.pem'
If secrets appear in git history, rotate them immediately — history cleaning with git filter-repo does not invalidate credentials already harvested by CI or forks.
Detection
- ID: env-in-gitignore
- Severity: info
- What to look for: Enumerate every secret-containing file pattern (`.env`, `.env.local`, `.env.production`, `credentials.json`, `*.pem`, `*.key`). For each, open `.gitignore` and check for explicit exclusion of `.env`, `.env.*`, `.env.local`, `.env.production`, `.env.staging` and similar secret file patterns. Also check that `*.pem`, `*.key`, `serviceAccount.json`, Firebase credentials, and similar credential files are excluded. Verify that `.env.example` (with placeholder values only) is tracked.
- Pass criteria: `.gitignore` excludes `.env`, `.env.*` (wildcard), and common credential file patterns. A `.env.example` is present with placeholder values and is tracked by git — 100% of secret file patterns must be in `.gitignore`. Report: "X secret file patterns found, all Y listed in .gitignore."
- Fail criteria: `.gitignore` does not include `.env` patterns, or `.env` files are tracked by git (check `git ls-files .env`).
- Skip (N/A) when: Never — this check always applies.
- Cross-reference: The `secrets-not-committed` check verifies that no actual secrets exist in the git history.
- Detail on fail: ".env not listed in .gitignore — any .env file could be accidentally committed" or ".env.production found in git index — contains production secrets in version control"
- Remediation: Update `.gitignore` and remove tracked secrets:
  # .gitignore — secrets
  .env
  .env.*
  !.env.example
  *.pem
  *.key
  serviceAccount.json
  firebase-adminsdk-*.json
  # Remove accidentally tracked .env files
  git rm --cached .env
  git rm --cached .env.production
  # Check nothing sensitive remains tracked
  git ls-files | grep -E '\.env|\.key|\.pem'
  If secrets are in git history, rotate them immediately and use `git filter-repo` to clean history.
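The detection logic above, as an added Python example (not part of the original check's tooling): it reads the active patterns out of a `.gitignore`, flags tracked paths from `git ls-files` output that match the secret-file globs, confirms `.env.example` is tracked, and applies the pass/fail criteria. The function names, the `check_repo` helper and the sample `.gitignore` and file list are assumptions constructed here.

```python
import fnmatch
import subprocess
from pathlib import Path

# Patterns the pass criteria require to be present in .gitignore.
REQUIRED_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "serviceAccount.json"]
# Globs that identify a secret file if it shows up in `git ls-files`.
SECRET_GLOBS = REQUIRED_PATTERNS + ["firebase-adminsdk-*.json", "credentials.json"]
PLACEHOLDER = ".env.example"  # must be tracked; holds placeholder values only

def parse_gitignore(text):
    """Active .gitignore patterns: comment lines and blank lines dropped."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def missing_patterns(gitignore_text):
    """Required secret patterns that .gitignore does not list."""
    present = parse_gitignore(gitignore_text)
    return [p for p in REQUIRED_PATTERNS if p not in present]

def tracked_secrets(tracked_files):
    """Tracked paths whose file name matches a secret glob (placeholder excluded)."""
    return [p for p in tracked_files
            if Path(p).name != PLACEHOLDER
            and any(fnmatch.fnmatchcase(Path(p).name, g) for g in SECRET_GLOBS)]

def evaluate(gitignore_text, tracked_files):
    """Apply the pass/fail criteria; returns (status, list of detail strings)."""
    details = [f"{p} not listed in .gitignore" for p in missing_patterns(gitignore_text)]
    details += [f"{p} found in git index" for p in tracked_secrets(tracked_files)]
    if not any(Path(p).name == PLACEHOLDER for p in tracked_files):
        details.append(f"{PLACEHOLDER} is not tracked")
    return ("fail" if details else "pass"), details

def check_repo(repo="."):
    """Run the check against a real working copy, asking git for the tracked files."""
    gitignore = Path(repo, ".gitignore")
    text = gitignore.read_text() if gitignore.exists() else ""
    out = subprocess.run(["git", "-C", repo, "ls-files"], capture_output=True,
                         text=True, check=True).stdout
    return evaluate(text, out.splitlines())

# Constructed sample: .gitignore lacks the .env.* wildcard and two secret files are tracked.
SAMPLE_GITIGNORE = "# build output\nnode_modules/\n.env\n*.pem\n*.key\nserviceAccount.json\n"
SAMPLE_TRACKED = ["README.md", ".env.example", "config/.env.production", "server.key"]

if __name__ == "__main__":
    print(evaluate(SAMPLE_GITIGNORE, SAMPLE_TRACKED))
```

`check_repo(path)` runs the same evaluation against a real checkout; the sample constants exercise the fail path offline.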
External references
- cwe · CWE-312 — Cleartext Storage of Sensitive Information
- cwe · CWE-798 — Use of Hard-coded Credentials
- owasp:2021 · A02 — Cryptographic Failures
- nist:rev5 · SC-28 — Protection of Information at Rest
History
- 2026-04-18·v1.0.0·Initial import from security-hardening·automated