Where does the bug appear (feature/product)?
Cursor IDE
Describe the Bug
I was looking into using .cursorignore to block agent access to files outside the workspace, like for example private keys in ~/.ssh. I turned on “hierarchical .cursorignore” and created a ~/.cursorignore file with .ssh as an entry.
It works for some tools but not others. The agent can’t directly read the file, but its Grep tool can. When I have it run a bash command that uses grep, it sometimes works inside the sandbox, and sometimes fails. (When it fails due to sandbox restrictions, as expected, I’m prompted to run it outside the sandbox, and when I approve it, it works, as it should.)
Steps to Reproduce
- Create a cursorignore: echo .ssh > ~/.cursorignore
- Enable hierarchical .cursorignore
- Restart Cursor
- Open a chat.
- “Take a look at my ~/.ssh/config, how many hosts do you see?” → It will say “I can’t read your ~/.ssh/config file because it’s filtered out by .cursorignore for security reasons.” Good.
- “Use the grep tool to search for ^Host in that file” → it will do it. Bad.
- “Now use a bash command to grep for ^Host in that file” → it will try to run grep "^Host " ~/.ssh/config, which will sometimes fail with “The sandbox blocked access to ~/.ssh/config. Let me run it with full permissions:”, triggering an approval prompt to run with full permissions. But sometimes it will work. Bad.
I also tried with a .cursorignore file directly in ~/.ssh, and got the same results (including inconsistency on step 7).
Expected Behavior
If .cursorignore is meant to control the sandbox then it should apply to all built-in tools. Terminal commands should consistently fail and require approval.
Operating System
MacOS
Version Information
Version: 2.4.31 (Universal)
VSCode Version: 1.105.1
Commit: 3578107fdf149b00059ddad37048220e41681000
Date: 2026-02-08T07:42:24.999Z
Build Type: Stable
Release Track: Default
Electron: 39.2.7
Chromium: 142.0.7444.235
Node.js: 22.21.1
V8: 14.2.231.21-electron.0
OS: Darwin arm64 24.6.0
Additional Information
The docs for Ignore files (Ignore files | Cursor Docs) say:
The terminal and MCP server tools used by Agent cannot block access to code governed by .cursorignore
This doesn’t appear to be 100% accurate anymore, since it does (sort of) control the terminal sandbox, sometimes.
Does this stop you from using Cursor
No - Cursor works, but with this issue
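The expected behavior in this report, sketched as an added example that is not part of the original post and not Cursor's code: every tool goes through one policy gate that checks the hierarchical ignore files, so a direct read and a grep of the same path get the same answer. The function names, the simplified glob matching, and the constructed temporary home directory are assumptions.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

IGNORE_NAME = ".cursorignore"
def is_ignored(path, root):
    """Check path against every ignore file from root down to its parent.
    Assumed matching: each non-comment line is a glob tested on each path component."""
    target, directory = Path(path).resolve(), Path(root).resolve()  # follows symlinks
    if directory not in target.parents:
        return True  # outside the policy root: fail closed
    parts = target.relative_to(directory).parts
    for depth, part in enumerate(parts):
        ignore_file = directory / IGNORE_NAME
        if ignore_file.is_file():
            lines = (l.strip().rstrip("/") for l in ignore_file.read_text().splitlines())
            patterns = [l for l in lines if l and not l.startswith("#")]
            if any(fnmatch.fnmatch(c, p) for c in parts[depth:] for p in patterns):
                return True
        directory /= part
    return False

def guard(path, root):
    """Single policy gate that every tool must call before touching a file."""
    if is_ignored(path, root):
        raise PermissionError(f"{path} is filtered by {IGNORE_NAME}")
    return Path(path).resolve()

def tool_read(path, root):
    return guard(path, root).read_text()

def tool_grep(pattern, path, root):
    return [l for l in guard(path, root).read_text().splitlines() if re.search(pattern, l)]

def attempt(tool, *args):
    try:
        return tool(*args)
    except PermissionError:
        return "denied"

def demo():
    with tempfile.TemporaryDirectory() as tmp:  # constructed home directory
        home, cfg = Path(tmp) / "home", Path(tmp) / "home" / ".ssh" / "config"
        cfg.parent.mkdir(parents=True)
        cfg.write_text("Host a\n  User x\nHost b\n")
        (home / IGNORE_NAME).write_text(".ssh\n")  # same entry as in the report
        return {"read": attempt(tool_read, cfg, home),
                "grep": attempt(tool_grep, "^Host", cfg, home)}
```

Because the path is resolved before matching, a symlink that points into an ignored directory is denied as well.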