How to Gitignore Sensitive Files
Prevent accidental commits of secrets
TL;DR
Add .env*, credential files, and config files with secrets to your .gitignore. Use !.env.example to keep your template. If files are already tracked, run git rm --cached filename to untrack them. Always verify with git status before committing.
Essential .gitignore for Secrets
Copy this security-focused .gitignore section to every project:
# ========================================
# SECRETS - Never commit these
# ========================================
# Environment files
.env
.env.local
.env.development.local
.env.test.local
.env.production.local
.env.production
.env.staging
# Keep the example file
!.env.example
!.env.template
# Private keys
*.pem
*.key
*.p12
*.pfx
id_rsa
id_ed25519
# Credentials
credentials.json
service-account*.json
*-credentials.json
secrets.json
config.secrets.*
# Cloud provider configs with secrets
.aws/credentials
.gcloud/
.azure/
# IDE with possible secrets
.idea/
.vscode/settings.json
# Local database files
*.sqlite
*.sqlite3
*.db
# Log files (might contain secrets)
*.log
logs/
Step-by-Step Setup
Create or update .gitignore
Open (or create) .gitignore in your project root and add the patterns above.
Check if secrets are already tracked
Run this command to see if any sensitive files are being tracked:
# Check for tracked .env files
git ls-files | grep -E "^\.env"
# Check for tracked files whose name contains a common secret marker or key extension
git ls-files | grep -iE "(credential|secret|\.(pem|key|p12|pfx)$|key\.json$)"
Untrack already committed files
If sensitive files are tracked, remove them from git (but keep local copies):
# Remove specific file from tracking
git rm --cached .env.local
# Remove all .env files from tracking (the shell glob also matches .env.example;
# run `git add .env.example` afterwards if you want to keep the template tracked)
git rm --cached .env* 2>/dev/null || true
# Remove a directory
git rm --cached -r secrets/
The --cached flag removes the file from the index, so git stops tracking it, but leaves your working copy on disk.
Commit the .gitignore update
git add .gitignore
git commit -m "Update .gitignore to exclude sensitive files"
Verify files are ignored
# Check git status - .env files should not appear
git status
# Test if a file would be ignored
git check-ignore -v .env.local
# Output: .gitignore:3:.env.local .env.local
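The five steps above, run end to end in a throwaway repository. This is an added example, not part of the original guide: it first reproduces the mistake (a .env.local already committed next to the template), then applies the fix and checks each outcome. The secret value, the file names and the repository itself are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: runs the five setup steps inside
# a throwaway repository so the untrack-and-verify flow can be checked end to end.
# The secret value, file names and the repository itself are all constructed here.

# Reproduce the mistake (a secret already committed), then apply the fix.
# Meant to run in a subshell inside the given directory; exit status 0 means
# every verification passed, otherwise the reason is printed on stderr.
fix_tracked_secrets_in() {
  cd "$1" || return 1
  git init -q
  # Local identity so the commits work on a machine with no global git config.
  git config user.email "demo@example.invalid"
  git config user.name "gitignore demo"

  # Step 0 (the mistake): a real secret file committed next to the template.
  printf 'API_KEY=constructed-not-a-real-key\n' > .env.local
  printf 'API_KEY=your-key-here\n' > .env.example
  printf 'console.log("app")\n' > app.js
  git add . && git commit -q -m "Initial commit (accidentally includes .env.local)"

  # Step 1: ignore every .env* file but keep the committed template.
  printf '.env*\n!.env.example\n*.pem\n' > .gitignore

  # Step 2: find sensitive files that are already tracked (the template is allowed).
  tracked=$(git ls-files | grep -E '^\.env' | grep -vxF '.env.example' || true)
  if [ "$tracked" != ".env.local" ]; then
    echo "expected .env.local to be tracked, got: '$tracked'" >&2; return 1
  fi

  # Step 3: untrack them but keep the working-tree copies (--cached).
  git rm -q --cached $tracked

  # Step 4: commit the .gitignore change together with the removal.
  git add .gitignore
  git commit -q -m "Update .gitignore to exclude sensitive files"

  # Step 5: verify. Ignored now, no longer tracked, still on disk, template kept.
  git check-ignore -q .env.local || { echo ".env.local is not ignored" >&2; return 1; }
  if git check-ignore -q .env.example; then
    echo ".env.example is wrongly ignored" >&2; return 1
  fi
  if git ls-files | grep -qxF '.env.local'; then
    echo ".env.local is still tracked" >&2; return 1
  fi
  git ls-files | grep -qxF '.env.example' || { echo "template is no longer tracked" >&2; return 1; }
  [ -f .env.local ] || { echo "local copy of .env.local was deleted" >&2; return 1; }
}

# Provision a temporary repo, run the procedure in it, clean up, print "ok" or "FAIL".
demo_untrack_secrets() {
  repo=$(mktemp -d)
  if ( fix_tracked_secrets_in "$repo" ); then
    result=ok
  else
    result=FAIL
  fi
  rm -rf "$repo"
  echo "$result"
  [ "$result" = ok ]
}

demo_untrack_secrets
```

One detail worth knowing when you adapt this: git check-ignore says nothing about files that are still tracked, because exclude rules do not apply to them. That is why step 2 uses git ls-files to find the problem rather than check-ignore, and why the verification only makes sense after the git rm --cached in step 3 (git check-ignore --no-index judges by the patterns alone if you need that earlier).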
Already pushed secrets?
If you've already pushed secrets to a remote repository, adding them to .gitignore won't remove them from history: anyone with access to the repository can still read them from earlier commits. Rotate those credentials immediately, then consider cleaning the git history with tools like git filter-branch or BFG Repo Cleaner.
Pattern Syntax Guide
# Ignore a specific file
.env.local
# Ignore all files with extension
*.pem
# Ignore files starting with pattern
.env*
# Ignore a directory
secrets/
# Ignore files in any subdirectory (a pattern without a slash, like *.key, already
# matches at any depth, so the **/ prefix is optional here)
**/*.key
# Negate a pattern (don't ignore this file)
!.env.example
# Ignore only in root (not subdirectories)
/.env
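Rather than reasoning about these rules from memory, you can ask git which paths a pattern covers. The script below is an added example, not code from the original guide: for each (pattern, path) pair it builds a throwaway repository holding only that pattern, creates the path on disk, and reads git check-ignore's verdict. It goes slightly beyond the list above by pairing each rule with a path it should not match (for instance secrets.txt against secrets/, and config/.env against /.env). Every pattern, path and repository is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: asks git itself which paths a
# .gitignore pattern covers, so the syntax rules can be checked instead of guessed.
# Every pattern, path and repository here is constructed for the demonstration.

# ignored_by PATTERNS PATH -> prints "ignored" or "clean".
# PATTERNS may hold several lines (e.g. a rule plus its negation). The path is
# created on disk so that directory-only patterns such as "secrets/" resolve
# exactly as they would in a real checkout.
ignored_by() {
  repo=$(mktemp -d)
  if (
    cd "$repo" || exit 2
    git init -q
    printf '%s\n' "$1" > .gitignore
    # Materialise the path (and its parent directories) as an empty file.
    case "$2" in
      */*) mkdir -p "$(dirname "$2")" ;;
    esac
    : > "$2"
    # --no-index: judge by the patterns alone. Without it, tracked files are
    # never reported as ignored, which is the trap behind "why doesn't .gitignore work".
    git check-ignore -q --no-index -- "$2"
  ); then
    verdict=ignored
  else
    verdict=clean
  fi
  rm -rf "$repo"
  echo "$verdict"
}

# Walk through the rules from the syntax guide and print one line per case.
show_pattern_rules() {
  printf '%-22s %-24s %s\n' PATTERN PATH RESULT
  for spec in \
    '.env.local|.env.local' \
    '*.pem|certs/server.pem' \
    '.env*|.env.production' \
    'secrets/|secrets/db.json' \
    'secrets/|secrets.txt' \
    '**/*.key|deploy/tls/server.key' \
    '/.env|.env' \
    '/.env|config/.env' \
    '.env|config/.env'
  do
    pattern=${spec%%|*}; path=${spec#*|}
    printf '%-22s %-24s %s\n' "$pattern" "$path" "$(ignored_by "$pattern" "$path")"
  done
  # Negation needs two lines in the file, so it is shown separately.
  printf '%-22s %-24s %s\n' '.env* + !.env.example' .env.example \
    "$(ignored_by '.env*
!.env.example' .env.example)"
}

show_pattern_rules
```

The two rows for /.env are the ones that usually surprise people: the leading slash anchors the rule to the repository root, so config/.env stays clean, while the bare .env rule (no slash) ignores it at any depth. Likewise secrets/ covers everything under the directory but leaves a file named secrets.txt alone.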
Project-Type Specific Patterns
Next.js / React
.env
.env.local
.env.development.local
.env.test.local
.env.production.local
.next/
out/
build/
Node.js / Express
.env
.env.*
!.env.example
node_modules/
*.log
Python / Django
.env
.env.*
*.pyc
__pycache__/
.venv/
secrets.py
local_settings.py
Global Gitignore
Set up a global gitignore for your machine to always ignore certain files:
# Create global gitignore
git config --global core.excludesfile ~/.gitignore_global
# Add to ~/.gitignore_global
.env.local
.DS_Store
*.pem
.idea/
.vscode/settings.json
Why doesn't .gitignore work on files I already committed?
Git tracks files once they're committed. Adding them to .gitignore only prevents future tracking. To stop tracking existing files, use git rm --cached filename.
How do I share configuration without sharing secrets?
Create a .env.example file with placeholder values and commit that. Use the ! pattern in .gitignore to not ignore it: !.env.example. Team members copy it to .env.local and fill in real values.
Can I have .gitignore in subdirectories?
Yes, you can have a .gitignore file in any directory. Patterns in subdirectory .gitignore files only affect that directory and its children. This is useful for ignoring build outputs in specific folders.