Will It Vibe?
SEC-003High severity-15 points

.env missing from .gitignore

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A .env file is present but .gitignore doesn't exclude it, risking an accidental commit of secrets.

Why it matters

Your .gitignore is the only thing standing between a local .env and a public commit. Without that line, a routine git add -A stages your secrets, and plenty of leaked keys start exactly this way. Fixing it takes one line now versus a key rotation later.

How to fix it

Add .env to .gitignore, plus common variants like .env.local and .env.*.local. Keep .env.example tracked as the documented template. Confirm with git check-ignore .env, and check whether the file was ever committed before (git log --all -- .env); if it was, treat its contents as leaked and rotate them.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks