Your .env file contains API keys and passwords that must never reach GitHub. Add .env to your .gitignore file before your very first commit. If you already pushed a .env file, delete it from the repository, enable GitHub's secret scanning alerts, and immediately rotate every key that was exposed.
Why .env Files Should Never Be on GitHub
An .env file stores environment variables — things like API keys, database passwords, and third-party service tokens. These values give direct access to your accounts and services. If an .env file ends up in a public GitHub repository, automated bots can find and exploit those keys within minutes.
Key concepts to understand:
- **Environment variables** are configuration values your app reads at runtime. They live outside your code so you can change them without editing source files. - **The .gitignore file** tells Git which files to skip. Adding .env to .gitignore means Git will pretend the file does not exist. - **Timing matters.** You must add .env to .gitignore before your first commit. If the .env file is committed even once, it lives in the repository history forever — even after you delete it. - **Secret scanning** is a GitHub feature that detects accidentally committed credentials and alerts you.
Tools like Lovable, V0, and Replit store secrets in their own encrypted panels specifically to avoid this problem. But when you export a project to GitHub, you must handle .env protection yourself.
Prerequisites
- A GitHub account (free tier works)
- A repository where you plan to store a project with environment variables
- Understanding that API keys and passwords should be kept private
Step-by-step guide
Open your repository on GitHub
Open your repository on GitHub
Go to github.com, sign in, and navigate to your repository. Click your **profile picture** in the top-right corner, select **Your repositories**, and click the repository name. You should see the file list on the main code tab.
Expected result: You are on the repository's main page and can see all the files in your project.
Create or edit the .gitignore file
Create or edit the .gitignore file
Check if a .gitignore file already exists in the file list. If it does, click on it, then click the **pencil icon** (Edit this file) in the top-right of the file viewer. If it does not exist, click the **Add file** dropdown above the file list and select **Create new file**. Type `.gitignore` in the filename box.
Expected result: The file editor is open with .gitignore as the filename.
Add .env patterns to .gitignore
Add .env patterns to .gitignore
In the editor, add the following lines. Each line blocks a different variant of environment files. If the file already has content, add these lines at the top or in a clearly labeled section. Make sure to include every common variation: `.env`, `.env.local`, `.env.development`, `.env.production`, and the wildcard `.env*.local` which catches all local overrides.
1# Environment variables — NEVER commit these2.env3.env.local4.env.development5.env.production6.env*.localExpected result: The .gitignore editor contains lines that match all common .env file patterns.
Commit the .gitignore changes
Commit the .gitignore changes
Scroll down to the **Commit changes** area. Enter a descriptive message like 'Add .env files to .gitignore for security.' Keep the option set to **Commit directly to the main branch** and click the green **Commit changes** button.
Expected result: The .gitignore file is saved and you are returned to the file list.
Delete any .env file that was already committed
Delete any .env file that was already committed
If a .env file appears in your file list, it was already committed and .gitignore alone will not remove it. Click on the .env file to open it. Click the **three-dot menu** (⋯) in the top-right corner of the file viewer and select **Delete file**. Type a commit message like 'Remove .env — secrets should not be in repo' and click **Commit changes**. Critical: even after deletion, the file remains in your Git history. Anyone can see old commits and find the keys. Proceed to the next step immediately.
Expected result: The .env file no longer appears in the current file list.
Enable secret scanning on your repository
Enable secret scanning on your repository
Click the **Settings** tab at the top of your repository. In the left sidebar, scroll down and click **Code security and analysis** (under the Security section). Find **Secret scanning** and click the **Enable** button if it is not already turned on. This feature scans your repository for patterns that look like API keys and sends you an alert if it finds any. On free accounts for public repositories, secret scanning is enabled by default. For private repositories, it requires GitHub Advanced Security (available on Team/Enterprise plans).
Expected result: Secret scanning is enabled and will alert you if credentials are detected in future commits.
Rotate any keys that were exposed
Rotate any keys that were exposed
If your .env file was public even briefly, assume every key in it is compromised. Go to each service dashboard and regenerate keys: - **Supabase**: Project Settings → API → click 'Regenerate' next to the anon key - **Stripe**: Developers → API keys → Roll key - **OpenAI**: API Keys → delete the old key and create a new one - **Firebase**: Project settings → Service accounts → Generate new private key Update your local .env file with the new keys. If you need help auditing which keys were exposed and rotating them across multiple services, the RapidDev team can handle the full remediation process.
Expected result: All previously exposed keys are revoked and replaced with new ones.
Complete working example
1# Environment variables — NEVER commit these2.env3.env.local4.env.development5.env.production6.env.staging7.env*.local89# Dependencies10node_modules/1112# Build output13dist/14build/15.next/1617# OS files18.DS_Store19Thumbs.db2021# IDE settings22.vscode/23.idea/2425# Logs26*.logCommon mistakes when avoiding Uploading .env Files to GitHub
Why it's a problem: Adding .env to .gitignore after it was already committed
How to avoid: The .gitignore only blocks future commits. You must also delete the .env file from the repository and rotate all the keys inside it.
Why it's a problem: Thinking that deleting the .env file removes it from history
How to avoid: Git keeps a complete history. The file still exists in past commits. Rotate your keys immediately — do not assume deletion is enough.
Why it's a problem: Hardcoding API keys directly in source code instead of using .env
How to avoid: Always use environment variables. In your code, reference process.env.MY_KEY or import.meta.env.VITE_MY_KEY instead of pasting the actual key.
Why it's a problem: Using a public repository for a project with sensitive configuration
How to avoid: If your project needs secrets, consider making the repository private. Click Settings → scroll to Danger Zone → Change visibility.
Best practices
- Create .gitignore with .env patterns as the very first file in any new repository.
- Use your platform's built-in secrets manager: Lovable Cloud tab → Secrets, Replit Secrets panel, Vercel Environment Variables.
- Never paste API keys directly into code files — always read from environment variables.
- Enable GitHub secret scanning on all your repositories for an extra safety net.
- If a key is leaked, rotate it immediately — do not wait to see if anyone noticed.
- Keep a .env.example file (with placeholder values) committed to the repository so collaborators know which variables are needed.
- Review pull requests for accidentally included .env files before merging.
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I accidentally pushed my .env file with API keys to a public GitHub repository. Walk me through the steps to remove it, update my .gitignore, and rotate my Supabase and Stripe API keys.
Frequently asked questions
What happens if someone already forked my repository with the .env file?
Forks are independent copies. Deleting the file from your repository does not remove it from forks. You must rotate all exposed keys so the old values are useless.
Is it safe to commit a .env.example file?
Yes, as long as it contains only placeholder values like SUPABASE_URL=your-url-here and no real keys. This file helps collaborators know which environment variables to set up.
Does GitHub automatically scan for leaked secrets?
Yes. GitHub's secret scanning feature detects patterns matching known API key formats from providers like AWS, Stripe, and Google. It is enabled by default on public repositories.
How do AI tools like Lovable handle environment variables?
Lovable stores secrets in the Cloud tab under Secrets. They are encrypted and injected at runtime. When you export a Lovable project to GitHub, the secrets are not included in the export — you must set them up separately on your hosting platform.
Can I undo a commit that contained my .env file?
On the GitHub web interface, you cannot rewrite history. You can delete the file going forward, but the old commit remains. For full history cleanup, you would need specialized tools or professional help from a team like RapidDev.
Should I make my repository private if it had a leaked .env file?
Making it private helps prevent further exposure, but it does not undo existing leaks. Bots may have already copied the keys. Always rotate credentials regardless of repository visibility.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation