Add .gitignore protection against locally-created credential files#3075
Merged
Conversation
|
Pinging @elastic/ml-core (Team:ML) |
edsavage
requested changes
Jul 13, 2026
Keeps .dockerignore in sync with .gitignore (as its header requires) so the same local secret file shapes are excluded from the Docker build context. Co-authored-by: Cursor <cursoragent@cursor.com>
91ef8b7 to
2dd0d6a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a small block of
.gitignorepatterns excluding common local credential/secret file shapes (.env,*.pem,*.key,*credentials*,*secret*,kubeconfig) that weren't previously covered.Why
No secret is currently exposed in this repo — this is a preventive measure, not a response to an incident.
The specific motivation is AI coding agents.
.env-style local config is one of the most common patterns in scaffolding and framework conventions, and it shows up constantly as the natural, well-trodden way an agent completes a task like "wire up this API" or "connect this database" — especially when a teammate hands the agent a literal working credential and asks it to set something up. Agents that verify their own work by actually running it are also likely to materialize real, working credentials into a local file mid-session so they can confirm the code functions, rather than just writing code and hoping.Unlike a human, an agent doesn't reliably pause at "should this live somewhere other than the working directory" — it's optimizing for completing the task in front of it. A
.gitignoreentry that already excludes these file shapes before the agent (or a human) ever creates one is a safety net that doesn't depend on that judgment call being made correctly in the moment — it's just already there.This is part of a broader effort to check baseline hygiene that matters specifically for AI-agent-assisted development across actively-developed Elastic repos.
Testing
No functional change —
.gitignoreonly affects untracked files going forward. Nothing currently tracked is touched.