Security: .gitignore missing critical patterns (defense in depth) #32

@hendrixfreire

Description

The current .gitignore is well-structured but missing 6 patterns that could lead to accidental commits of sensitive files:

Missing Patterns

| Pattern | Risk |
|---|---|
| *.log | Log files may contain tokens/keys in URL query params or error messages |
| *.db | Local SQLite databases may contain sensitive data |
| *.sqlite | Same as above, alternative extension |
| secrets* | Catch-all for any file named "secrets" (e.g. secrets.sh, secrets.yaml) |
| config.local.* | Local developer configuration overrides |
| credentials* | Redundant catch-all (credentials.json is already listed, but not the wildcard) |

Current .gitignore (relevant section)

# Environment / secrets
.env
.env.*
!.env.example

# Certificates and credentials
*.pem
*.key
*.p12
*.pfx
credentials.json
service-account.json
client_secret*.json

Impact

  • Severity: Low-Medium (defense-in-depth)
  • If a developer creates debug.log containing API responses with tokens, it would be committed
  • Same for test.db with customer data or secrets.sh with environment setup

Proposed Fix

Add to .gitignore:

# Logs
*.log

# Databases
*.db
*.sqlite

# Wildcard catch-alls for secrets/configs (defense in depth)
credentials*
secrets*
config.local.*

Full proposed .gitignore patch:

 # Certificates and credentials
 *.pem
 *.key
 *.p12
 *.pfx
 credentials.json
 service-account.json
 client_secret*.json
+
+# Logs (may contain tokens in query params)
+*.log
+
+# Databases (may contain sensitive data)
+*.db
+*.sqlite
+
+# Wildcard catch-alls (defense in depth)
+credentials*
+secrets*
+config.local.*

 # Python
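Review bot: the bare globs `credentials*` and `secrets*` in this hunk are unanchored, so they match at any directory depth and any file type, which means they will also ignore legitimate source such as a (hypothetical) `secrets.py` module or `secrets/` package, and `credentials*` makes the existing `credentials.json` line redundant. Consider narrowing them to the shapes the issue actually names (`secrets.sh`, `secrets.yaml`, `credentials*.json`), and before merging run `git ls-files | git check-ignore -v --no-index --stdin` to confirm that no already-committed file matches the new rules; these patterns only affect untracked files, so anything already in the tree stays tracked until it is removed with `git rm --cached`.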

Note

This is purely a defense-in-depth measure. No actual secrets were found exposed thanks to the existing patterns. Adding these reduces the risk surface for future development.

Found during a full security audit of the repository.
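To see what the proposed rules actually catch, here is an added shell example (not part of the issue or the project) that builds a scratch repository with the current secrets section plus the proposed additions and asks git check-ignore about the issue's own sample names and two constructed edge cases, .env.example (negated) and src/secrets.py (a source file the bare secrets* glob also hides). It assumes git is on PATH.

```shell
# Added example, not from the issue: exercise the proposed .gitignore rules
# in a scratch repository and report what git would ignore. Assumes git on PATH.
set -eu
# Write the current "secrets" section plus the proposed additions to $1/.gitignore.
write_proposed_gitignore() {
  cat > "$1/.gitignore" <<'EOF'
# Environment / secrets
.env
.env.*
!.env.example

# Certificates and credentials
*.pem
*.key
*.p12
*.pfx
credentials.json
service-account.json
client_secret*.json

# Logs / databases / wildcard catch-alls (proposed in the issue)
*.log
*.db
*.sqlite
credentials*
secrets*
config.local.*
EOF
}

# Print one line per constructed sample path: "ignored <path>" or "not-ignored <path>".
# Paths need not exist; git check-ignore evaluates the rules against the name alone.
check_proposed_patterns() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  write_proposed_gitignore "$repo"
  # Constructed samples: the issue's examples, the negated .env.example,
  # and src/secrets.py to show that the bare secrets* glob also hides source.
  for f in debug.log test.db secrets.sh config.local.yaml .env.example src/secrets.py; do
    if git -C "$repo" check-ignore -q "$f"; then
      echo "ignored $f"
    else
      echo "not-ignored $f"
    fi
  done
  rm -rf "$repo"
}
check_proposed_patterns
```

The src/secrets.py line is the one to watch: it shows why an unanchored catch-all should be verified against the tracked tree before it is merged.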
