Severity: medium | CWE-540 | OWASP A02:2021

Inadequate .gitignore

A .gitignore that doesn't cover .env files, build artifacts, and IDE configs can lead to secrets or sensitive data being accidentally committed.

How It Works

If .env, .env.local, and similar files aren't in .gitignore, a single 'git add .' stages all of them and the next commit writes your secrets into the repository history. IDE config files often contain API tokens, personal settings, or absolute paths that leak information about developer machines. Build artifacts can contain source maps that reveal your full source code. Once a commit containing a secret has been pushed, deleting the file in a later commit does not remove it from history; the credential has to be treated as exposed.

Vulnerable Code

# BAD: minimal .gitignore that misses common secret files
node_modules/
dist/
# Missing: .env, .env.local, .env.production, *.pem, .DS_Store

Secure Code

# GOOD: comprehensive .gitignore for a Node.js project
node_modules/
dist/
.next/
# Secrets: .env.* covers .env.local, .env.production and .env.*.local;
# the negated rule keeps the committed template (no real values) visible
.env
.env.*
!.env.example
*.pem
*.key
# IDE
.vscode/settings.json
.idea/
# OS
.DS_Store
Thumbs.db

Real-World Example

In 2022, a developer accidentally committed .env.production to a public GitHub repo. It contained Stripe production keys, database credentials, and Twilio API tokens. The repo was public for 8 hours before being discovered, resulting in fraudulent charges.

How to Prevent It

  • Use GitHub's official .gitignore templates as a starting point for your language/framework
  • Always include .env, .env.local, .env.*.local, *.pem, and *.key in .gitignore
  • Run 'git status' and review every file before committing, especially when first setting up a project
  • Keep OS-specific patterns (such as .DS_Store and Thumbs.db) in a global ignore file, ~/.gitignore_global, and register it with 'git config --global core.excludesFile ~/.gitignore_global' so it applies to every repository on the machine
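The following script is an added example, not code from the original page or from Data Hogo. It puts the "How It Works" and "How to Prevent It" points into a check you can run before committing: it asks git itself (via 'git ls-files --others --exclude-standard', which honours .gitignore, .git/info/exclude and the global core.excludesFile) which untracked files are not ignored, then flags the ones whose names usually hold credentials. It also demonstrates the edge case that a rule list containing only .env, .env.local and .env.*.local still lets .env.production through, and that .env.* closes the gap. The script assumes git is installed; the filename patterns in is_secret_name and the sample files it writes into a temporary repository are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page or from Data Hogo: audit a working
# tree for secret-looking files that the current ignore rules would let 'git add .'
# stage, and for secret-looking files that are already tracked. Assumes git is
# installed. The filename patterns in is_secret_name are an illustrative list.
set -eu

# Decide from the basename alone whether a file usually holds credentials.
# .env.example / .env.sample are committed templates and are deliberately exempt.
is_secret_name() {
    case "$1" in
        .env.example|.env.sample) return 1 ;;
        .env|.env.*|*.pem|*.key|*.p12|id_rsa|id_ed25519) return 0 ;;
        *) return 1 ;;
    esac
}

# Print secret-looking paths that are untracked AND not ignored: exactly the set
# 'git add .' would stage. --exclude-standard honours .gitignore, .git/info/exclude
# and the global core.excludesFile, so this reflects git's real decision, not a guess.
audit_unignored_secrets() {
    git -C "$1" ls-files --others --exclude-standard | while IFS= read -r path; do
        if is_secret_name "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# Print secret-looking paths already in the index. A .gitignore rule added after
# the fact does not untrack these; they stay in history until removed and rotated.
audit_tracked_secrets() {
    git -C "$1" ls-files | while IFS= read -r path; do
        if is_secret_name "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# Build a throwaway repo with the given .gitignore contents and a constructed set
# of files: three secrets, one committed template, one harmless source file, and a
# .pem inside node_modules/ that an ignored directory should hide. Prints the path.
make_demo_repo() {
    tmp=$(mktemp -d)
    git -C "$tmp" init -q
    printf '%s\n' "$1" > "$tmp/.gitignore"
    printf 'STRIPE_SECRET_KEY=sk_live_PLACEHOLDER_NOT_REAL\n' > "$tmp/.env.production"
    printf 'DB_PASSWORD=constructed-example\n' > "$tmp/.env.local"
    printf 'DB_PASSWORD=\n' > "$tmp/.env.example"
    printf -- '-----BEGIN PRIVATE KEY-----\nconstructed\n' > "$tmp/server.pem"
    printf 'console.log("hello")\n' > "$tmp/index.js"
    mkdir -p "$tmp/node_modules/pkg"
    printf 'constructed\n' > "$tmp/node_modules/pkg/cert.pem"
    printf '%s\n' "$tmp"
}

# Number of secret-looking files 'git add .' would stage under a given rule set.
count_exposed() {
    repo=$(make_demo_repo "$1")
    n=$(audit_unignored_secrets "$repo" | wc -l | tr -d ' ')
    rm -rf "$repo"
    printf '%s\n' "$n"
}

# The minimal rule set from the page's "BAD" example.
BAD_IGNORE='node_modules/
dist/'

# A narrower secrets list: .env.*.local does not match .env.production.
NARROW_IGNORE='node_modules/
dist/
.env
.env.local
.env.*.local
*.pem
*.key'

# .env.* covers every variant; the negation keeps the committed template visible.
GOOD_IGNORE='node_modules/
dist/
.env
.env.*
!.env.example
*.pem
*.key'

main() {
    command -v git >/dev/null 2>&1 || { echo "git is required" >&2; return 0; }
    printf 'exposed with minimal rules: %s\n' "$(count_exposed "$BAD_IGNORE")"    # 3
    printf 'exposed with narrow rules:  %s\n' "$(count_exposed "$NARROW_IGNORE")" # 1
    printf 'exposed with .env.* rule:   %s\n' "$(count_exposed "$GOOD_IGNORE")"   # 0
}
main
```

To audit a real checkout, call 'audit_unignored_secrets /path/to/repo' before 'git add .' and 'audit_tracked_secrets /path/to/repo' to find secrets that are already in the index; a file reported by the second check needs 'git rm --cached' plus a rotated credential, because the ignore rule alone leaves it in history. The basename match is deliberately simple so the logic stays readable; the decision about what is ignored is left entirely to git, which is why the script agrees with what 'git status' shows.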

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.