.env missing from .gitignore
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A .env file is present but .gitignore doesn't exclude it, risking an accidental commit of secrets.
Why it matters
Your .gitignore is the only thing standing between a local .env and a public commit. Without that line, a routine git add -A stages your secrets, and plenty of leaked keys start exactly this way. Fixing it takes one line now versus a key rotation later.
How to fix it
Add .env to .gitignore, plus common variants like .env.local and .env.*.local. Keep .env.example tracked as the documented template. Confirm with git check-ignore .env, and check whether the file was ever committed before (git log --all -- .env); if it was, treat its contents as leaked and rotate them.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo