Security Issue: Contrary to docs, Cursor does NOT check .gitignore

FrankieSimon · May 21, 2026, 7:38am

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

The documentation explicitly states

Cursor automatically ignores files in .gitignore

(Ignore File | Cursor Docs)

Steps to Reproduce

Do this first, without Cursor:

Setup a git repository with a .gitignore file containing just:

secrets.json

Stage and commit the .gitignore file.
Create a secrets.json file containing some fake secret. Make sure it’s not tracked by git.

Now, open the folder in Cursor.

Ask to build something using an api key without explicitly mentioning the file. My prompt was:

Write a tiny python app that would connect to a backend service: http://www.weather.com/api/isitraining and it passes an api key in the request and prints out the result from the call (don’t worry about it working the service isn’t up yet)

Expected Behavior

According to the documentation, files in .gitignore are supposed to be ignored by Cursor by default. In reality nothing blocks it from reading and printing out the files.

Screenshots / Screen Recordings

Operating System

MacOS

Version Information

Version: 3.5.17
VSCode Version: 1.105.1
Commit: d5b2fc092e16007956c9e5047f76097b9e626ca0
Date: 2026-05-20T02:43:31.559Z (1 day ago)
Layout: glass
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Darwin arm64 25.5.0

For AI issues: which model did you use?

Opus 4.7 (Extra High)

Does this stop you from using Cursor

No - Cursor works, but with this issue

Colin · May 21, 2026, 8:52am

Hey @FrankieSimon!

Have a look at this thread.

FrankieSimon · May 26, 2026, 2:41pm

I’m sorry Colin but that is not the way most humans (and the AI agents I shared the documentation with) interpret it. If that’s the intention - saying that .gitignore is only considered by Cursor for indexing - the instructions really should be reworded to make this explicit and clear.

When the docs say “Cursor automatically ignores files in .gitignore” and that section does not talk about indexing at all - it’s very difficult to reach another conclusion and I’m not at all surprised the person in the other ticket called it out.

I do suggest to anyone interested to try this prompt on your favorite set of AI agents:

https://cursor.com/docs/reference/ignore-file ( Ignore File | Cursor Docs ) Read this document. Now answer - if my repository has a .gitignore file with “secrets.json” and no .cursorignore file, would Cursor have access to the file named “secrets.json” to read and output it?

Colin · May 27, 2026, 8:49am

I’m sure we can make the docs clearer here. I’ll work on a PR. Thank you.

Topic		Replies	Views
Cursor does not ignore files in .gitignore Bug Reports indexing , context , security	4	364	March 18, 2026
Cursor reads .env files by default Bug Reports tab , context , security , docs	5	600	February 18, 2026
.cursorignore ignored for command prompt functions Bug Reports terminal , rules , security	2	65	January 16, 2026
Indexing and Glob follow gitignore without honoring VS Code search settings (search.useIgnoreFiles, search.useGlobalIgnoreFiles) Bug Reports rules , indexing , context	3	75	February 10, 2026
.cursorignore blocks file read and bash commands, but not the Grep tool Bug Reports sandbox , terminal , rules , security	2	105	February 25, 2026