ZUA.
Home/Blog/AI IDE Security
Backend / SecurityJuly 8, 2026 · 10 min read

Your AI Coding Assistant Is Reading Your .env File Right Now

You installed a VS Code extension to write code faster. What you didn't realise is that it's also indexing your API keys, database passwords, and production credentials — and sending them to a third-party server every time you ask it a question.

SecurityAI ToolsVS CodeCursorClaude CodeDevOps

The Problem Nobody Talks About

Every AI coding assistant — GitHub Copilot, Cursor, Windsurf, Claude Code, Continue — works by sending your code as context to a remote model. The more context it has, the better its suggestions. So these tools are designed to read as much of your project as possible.

That includes your .env file.

Not theoretically. Not as an edge case. By default, right now, on most setups.

GitGuardian research found that repositories using AI coding tools are 40% more likely to contain leaked secrets than those without. A 2026 study found that 6.4% of repos using GitHub Copilot leaked at least one secret. Researchers disclosed 30+ vulnerabilities in AI coding tools that enable data theft — including credentials read from the local environment.

WHAT HAPPENS WHEN AI READS YOUR .ENV

Your secrets become part of the prompt sent to a third-party server · The AI might suggest code that hardcodes the credentials it just saw · Accidental edits can overwrite or corrupt your credential files · Sending credentials to external APIs may violate SOC 2, HIPAA, or PCI DSS

How Each Tool Handles (or Mishandles) This

The behaviour differs per tool, and knowing the default is the first step to locking it down.

GitHub Copilot indexes open files and visible editor tabs. If your .env is open while you're working, its contents are in context. Copilot does not respect .gitignore for context exclusion — it only respects explicit Content Exclusion rules configured in GitHub settings.

Cursor indexes your entire project directory on startup for its codebase search feature. Every file — including .env, .env.local, .env.production — gets embedded and stored locally, and sent as context when you ask questions about your project.

Claude Code (and similar agentic tools) goes further — it can actively read, write, and execute files. When you run it in agent mode without restrictions, it has the same filesystem access as your terminal user. It will read whatever it thinks is relevant to completing your task.

Windsurf / Continue / Gravity IDE follow similar patterns — project-wide indexing with varying degrees of configurability.

Fix 1 — .cursorignore (Cursor)

Cursor supports a .cursorignore file that works exactly like .gitignore — files listed there are excluded from AI indexing, completions, and chat context. Create it at your project root:

# .cursorignore

# Environment files — never send to AI context
.env
.env.local
.env.development
.env.production
.env.staging
.env.test
*.env

# Secret and credential files
.secrets
secrets/
credentials/
*.pem
*.key
*.p12
*.pfx
id_rsa
id_ed25519

# Config files that may contain tokens
.netrc
.npmrc
.pypirc
.aws/credentials
.aws/config

# Infrastructure secrets
terraform.tfvars
terraform.tfvars.json
*.tfstate
*.tfstate.backup
IMPORTANT

Add .cursorignore to your .gitignore too — or better, commit it so the whole team benefits. It is safe to commit since it contains no secrets itself.

Fix 2 — GitHub Copilot Content Exclusion

Copilot does not support a .copilotignore file — this is a common misconception. You must configure exclusions through GitHub settings.

Go to your GitHub repository or organisation settings:

  • Repository: Settings → Copilot → Content exclusion
  • Organisation: Settings → Copilot → Policies → Content exclusion

Add glob patterns to exclude from Copilot context:

# In GitHub Copilot Content Exclusion settings — one pattern per line
**/.env
**/.env.*
**/secrets/**
**/*.pem
**/*.key
**/credentials/**
**/terraform.tfvars

For VS Code specifically, you can also configure workspace-level exclusions in .vscode/settings.json:

// .vscode/settings.json
{
  "github.copilot.chat.codeGeneration.instructions": [],
  "github.copilot.enable": {
    "*": true,
    ".env": false,
    "dotenv": false
  }
}

Fix 3 — Claude Code Permission Controls

Claude Code has the most granular permission model of any AI coding tool. You can explicitly deny access to files, directories, and even specific shell commands via .claude/settings.json in your project root:

// .claude/settings.json
{
  "permissions": {
    "deny": [
      "Read(.env)",
      "Read(.env.*)",
      "Read(secrets/**)",
      "Read(**/*.pem)",
      "Read(**/*.key)",
      "Read(.aws/credentials)",
      "Write(.env)",
      "Write(.env.*)",
      "Bash(curl:*)",
      "Bash(wget:*)",
      "Bash(nc:*)"
    ]
  }
}

The deny rules are enforced before Claude reads or modifies anything. Even if a task requires context that would normally cause it to read a .env file, the permission block stops it and tells you explicitly what was blocked.

TIP

Add .claude/settings.json to your repository and commit it. Every developer on your team gets the same protections without any individual setup.

Fix 4 — Enable Approval-First Edit Mode

The most important setting most developers never turn on: require explicit approval before any AI tool reads or modifies a file.

This means every file read, every edit, every shell command the AI wants to run — you see it and approve it before it executes. It slows you down slightly but eliminates an entire category of silent data leakage and unintended edits.

Claude Code — approval mode:

# Run Claude Code in interactive approval mode (default in most setups)
# Every tool call requires your explicit approval before executing

# In .claude/settings.json, avoid setting broad auto-permissions:
{
  "permissions": {
    "allow": []   // empty = nothing auto-approved, everything requires confirmation
  }
}

# Or set a conservative default — approve everything except safe reads
# of non-sensitive files
{
  "permissions": {
    "allow": [
      "Read(src/**)",
      "Read(app/**)",
      "Read(package.json)"
    ],
    "deny": [
      "Read(.env*)",
      "Read(secrets/**)",
      "Bash(*)"
    ]
  }
}

Cursor — disable auto-apply:

  • Open Cursor Settings → Features → Agent
  • Disable "Auto-apply edits" — every suggested change becomes a diff you approve
  • Enable "Ask before running terminal commands" — Cursor will prompt before executing any shell command in agent mode

VS Code + Copilot — review before applying:

  • In Copilot Chat, use the "Review" button instead of "Apply" — shows a diff view before any edits land
  • Never use "Apply All" on multi-file edits without reviewing each file individually
  • Enable "Editor: Diff Editor" workflow in settings so changes always show as diffs
RULE

Treat AI edits the same way you treat pull requests — review the diff, understand what changed, then approve. An AI tool that can silently edit files is a supply chain attack waiting to happen.

Fix 5 — Never Put Real Secrets in .env for Local Dev

The most robust protection is removing the target entirely. Use scoped, limited-permission credentials for local development instead of production secrets:

# .env.example — commit this (no real values)
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
STRIPE_SECRET_KEY=sk_test_...
AWS_ACCESS_KEY_ID=AKIA...
OPENAI_API_KEY=sk-...

# .env — never commit this, and make your AI tools ignore it
DATABASE_URL=postgresql://dev:devpassword@localhost:5432/mydb_dev
STRIPE_SECRET_KEY=sk_test_51ABC...   # test key, restricted to test mode only
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7DEV  # IAM user with read-only S3 access only
OPENAI_API_KEY=sk-proj-...           # project key with $5 monthly spend limit
  • Use Stripe test keys (sk_test_...) locally — they cannot touch real money even if leaked
  • Create AWS IAM users with minimal permissions for local dev — read-only, single bucket, no production access
  • Use OpenAI project API keys with monthly spend limits — a leaked key can only cost you $5
  • Use database users with only SELECT/INSERT on dev databases — never the production admin credentials

Fix 6 — Audit What Your AI Tool Actually Sent

Most developers have no idea what context their AI tool included in its last request. Here's how to find out:

Claude Code — every session is logged. Check the transcript:

# View recent Claude Code session logs
ls ~/.claude/projects/
# Each project has a .jsonl file — every tool call, every file read, is recorded
# grep for sensitive patterns
grep -r "DATABASE_URL|API_KEY|SECRET" ~/.claude/projects/

Cursor — enable request logging in developer mode:

# In Cursor, open the Output panel → select "Cursor" from the dropdown
# Every request to the AI backend is logged, including context sent

General rule — use a tool like ggshield (GitGuardian) as a pre-commit hook to catch any secrets before they leave your machine:

npm install -g @gitguardian/ggshield

# Add as a pre-commit hook
ggshield secret install-hook --mode pre-commit

# Scan your current project
ggshield secret scan repo .

The Minimal Secure Setup — Checklist

  • Create .cursorignore (or equivalent) and list all .env* files, *.key, *.pem, secrets/
  • Configure Copilot Content Exclusion in GitHub settings — not just .vscode/settings.json
  • Add .claude/settings.json with explicit deny rules for sensitive paths and dangerous shell commands
  • Enable approval-first mode in every AI tool — review every edit as a diff before it applies
  • Use test/scoped credentials locally — production secrets should never touch a dev machine
  • Install ggshield as a pre-commit hook to catch accidental secret commits
  • Commit your ignore/permission config files to the repo so the whole team is protected automatically
  • Rotate any credentials that were in a .env file while an AI tool was active in that project

Wrapping Up

AI coding tools are genuinely useful. But they were designed to be helpful, not to be secure — and those are different goals. By default, most of them will read everything in your project directory, send it to a remote server, and suggest changes without asking.

You can keep using them. Just spend 15 minutes setting up the guardrails above before your next session. The cost of a leaked production API key — in time, in money, in trust — is orders of magnitude higher than the time it takes to write a .cursorignore file.

The best AI workflow is one where the AI can only touch what you've explicitly said it can touch, and you see every change before it lands. That's not paranoia — that's just good engineering.

Need a security audit of your developer toolchain?

I build and ship production systems — happy to discuss your requirements.

Book a Call