Skip to content

Add .gitignore protection against locally-created credential files#3075

Merged
edsavage merged 2 commits into
mainfrom
ai-repo-ready/gitignore-secrets-protection
Jul 15, 2026
Merged

Add .gitignore protection against locally-created credential files#3075
edsavage merged 2 commits into
mainfrom
ai-repo-ready/gitignore-secrets-protection

Conversation

@cachedout

Copy link
Copy Markdown
Contributor

What

Adds a small block of .gitignore patterns excluding common local credential/secret file shapes (.env, *.pem, *.key, *credentials*, *secret*, kubeconfig) that weren't previously covered.

Why

No secret is currently exposed in this repo — this is a preventive measure, not a response to an incident.

The specific motivation is AI coding agents. .env-style local config is one of the most common patterns in scaffolding and framework conventions, and it shows up constantly as the natural, well-trodden way an agent completes a task like "wire up this API" or "connect this database" — especially when a teammate hands the agent a literal working credential and asks it to set something up. Agents that verify their own work by actually running it are also likely to materialize real, working credentials into a local file mid-session so they can confirm the code functions, rather than just writing code and hoping.

Unlike a human, an agent doesn't reliably pause at "should this live somewhere other than the working directory" — it's optimizing for completing the task in front of it. A .gitignore entry that already excludes these file shapes before the agent (or a human) ever creates one is a safety net that doesn't depend on that judgment call being made correctly in the moment — it's just already there.

This is part of a broader effort to check baseline hygiene that matters specifically for AI-agent-assisted development across actively-developed Elastic repos.

Testing

No functional change — .gitignore only affects untracked files going forward. Nothing currently tracked is touched.

@elasticsearchmachine

Copy link
Copy Markdown

Pinging @elastic/ml-core (Team:ML)

@edsavage edsavage left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to keep the .dockerignore file in-sync with the .gitignore file

Update: did this myself...

Keeps .dockerignore in sync with .gitignore (as its header requires) so the
same local secret file shapes are excluded from the Docker build context.

Co-authored-by: Cursor <cursoragent@cursor.com>
@edsavage edsavage force-pushed the ai-repo-ready/gitignore-secrets-protection branch from 91ef8b7 to 2dd0d6a Compare July 14, 2026 23:34
@edsavage edsavage self-requested a review July 14, 2026 23:45

@edsavage edsavage left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@edsavage edsavage merged commit 2159ca0 into main Jul 15, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants