How to Ignore Environment Variables and Secrets Safely in .gitignore
To safely ignore environment variables and secrets in .gitignore, add patterns like .env and .env.* to exclude all dotenv files while using !.env.example to track a template, then verify rules with git check-ignore.
The github/gitignore repository provides community-vetted patterns for excluding sensitive configuration files across languages and frameworks. Learning how to ignore environment variables and secrets safely in .gitignore prevents API keys and passwords from leaking into version control while maintaining a usable template for your development team.
Block Environment Files While Keeping Templates
Ignore All Dotenv Variants
Start by ignoring the base .env file and any variants that start with .env.. According to the source code in Node.gitignore (lines 68-71), the canonical pattern is:
# dotenv environment variable files
.env
.env.*
This captures files like .env.local, .env.development, and .env.production used by libraries such as dotenv.
Re-include an Example Template
Developers need to know which variables are required without seeing actual secrets. Use the negation pattern ! to track an example file:
!.env.example
As implemented in Node.gitignore at line 71, this exception ensures .env.example (containing keys without values) remains in version control while blocking real environment files.
Add Framework-Specific Environment Patterns
Different frameworks use distinct naming conventions for stage-specific configuration. The github/gitignore templates include targeted rules for popular stacks:
- Next.js:
Nextjs.gitignore(lines 27-29) adds.env*.localto ignore local overrides while allowing committed staging files. - NestJS:
Nestjs.gitignore(lines 16-20) explicitly lists.env.development,.env.test, and.env.production. - Laravel:
Laravel.gitignore(lines 19, 27-28) covers.env.backupand.env.production. - Python:
Python.gitignore(lines 151-153) ignores.envand.envrcfordirenvusers. - Rails:
Rails.gitignore(lines 27-30) handles.envand.env*.localfor Ruby projects.
Include the relevant patterns from these templates to ensure comprehensive coverage.
Isolate Personal Secrets with Global Ignores
For files containing private API keys that should never be shared, avoid adding them to the project's shared .gitignore. Instead, use your global ignore file or the repository-specific exclude file:
# Add to ~/.gitignore_global or .git/info/exclude
.secrets/
*.key
*.token
This keeps personal configuration out of the shared repository history while still protecting you from accidental commits.
Validate Exclusions with git check-ignore
Before committing, verify that your patterns correctly block secrets and allow templates:
git check-ignore -v .env
git check-ignore -v .env.example
The first command should output the matching rule and line number, confirming exclusion. The second should return nothing, indicating the file is tracked.
Summary
- Add
.envand.env.*to your.gitignoreto block all dotenv files according toNode.gitignorelines 68-71. - Use
!.env.exampleto re-include a template file that documents required variables without exposing values. - Incorporate framework-specific patterns from
Nextjs.gitignore,Nestjs.gitignore,Laravel.gitignore,Python.gitignore, andRails.gitignorefor stage-specific files. - Store personal secrets in
~/.gitignore_globalor.git/info/excluderather than the project's.gitignore. - Run
git check-ignore -v <file>to verify rules are working as expected.
Frequently Asked Questions
What is the safest pattern to ignore all .env files in Git?
Add .env and .env.* to your .gitignore. This combination catches the base file and all variants like .env.local or .env.production, as recommended in the Node.gitignore template.
How do I keep an example environment file in version control?
Use the negation pattern !.env.example placed after your .env.* rule. This tells Git to track the example file despite the preceding wildcard exclusion, allowing you to document required keys without exposing secrets.
Where should I put personal API keys that I don't want to share?
Add personal secrets to your global Git ignore file at ~/.gitignore_global or the repository-specific .git/info/exclude. This prevents accidental commits without polluting the shared project's .gitignore with user-specific paths.
How can I test if my .gitignore rules are working correctly?
Run git check-ignore -v <filename> from your repository root. If the file is ignored, Git outputs the specific rule and line number; if nothing prints, the file is currently tracked or untracked but not ignored.
Have a question about this repo?
These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:
curl -s "https://instagit.com/install.md" Maintain an open-source project? Get it listed too →