保護DataHogo
Security Encyclopedia/Vibecoding Patterns
criticalCWE-540A02:2021

Secrets in Committed .env Files

A .env file containing real credentials committed to git, making all secrets permanently accessible to anyone with repo access — including through git history.

How It Works

git tracks every version of every file. When you commit a .env with real secrets and later delete it, the secrets remain in every prior commit. Anyone who clones the repo can run `git log -p` and retrieve the secrets. For public repos, GitHub also indexes the content for search.

Vulnerable Code
# BAD: .env committed to git (never do this)
DATABASE_URL=postgresql://user:realpassword@db.host/prod
STRIPE_SECRET_KEY=sk_live_abc123
ANTHROPIC_API_KEY=sk-ant-real-key-here
Secure Code
# GOOD: .env.example with placeholders only
DATABASE_URL=postgresql://user:password@localhost/mydb
STRIPE_SECRET_KEY=sk_live_your_key_here
ANTHROPIC_API_KEY=sk-ant-your-key-here
# Real values go in .env (gitignored) or your deployment platform

Real-World Example

Twitch's 2021 breach included internal tool secrets that had been committed to internal repos years earlier. Even 'private' repos can be exposed through insider threats, acquired companies, or misconfigured access controls.

How to Prevent It

  • Add .env and .env.local to .gitignore before your very first commit
  • Only commit .env.example with placeholder values, never real credentials
  • If you already committed secrets, rotate all exposed credentials immediately
  • Use git filter-repo or BFG Repo-Cleaner to purge secrets from git history
  • Use truffleHog or git-secrets as a pre-commit hook to block future secret commits

Affected Technologies

nodejsNext.jsReactPythonGoPHP

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

Hardcoded API Keys

critical

API keys, tokens, or secrets written directly in source code, making them visible to anyone with repo access — including public GitHub repositories.

CWE-798A02:2021

No Input Validation

medium

User-supplied data sent directly to databases or external APIs without any type, format, or content validation.

CWE-20A03:2021

Passwords Stored in Plaintext

critical

User passwords stored as raw strings in the database instead of being hashed with a proper algorithm like bcrypt or Argon2.

CWE-256A02:2021

JWT Without Expiration

high

JWTs signed without an `exp` claim that never expire, meaning a stolen token grants permanent access with no way to revoke it.

CWE-613A07:2021