[BUG] .claudeignore does not prevent Claude from reading ignored files

Resolved 💬 19 comments Opened Mar 19, 2026 by rroobbeerrttoo Closed May 26, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The .claudeignore file is documented as a way to exclude files from Claude's context. However, Claude would appear to still be able to explicitly read files listed in .claudeignore (possibly using a read tool?), effectively bypassing the ignore rules.

What Should Happen?

Claude appears to read ignored files even if those files are listed in .claudeignore.

This makes the feature unreliable for excluding certain files.

Impact:
Users relying on .claudeignore to protect files have no real guarantee that those files are excluded from context.

This behavior has been observed both when using Claude from the terminal and via the VS Code extension.

Error Messages/Logs

Steps to Reproduce

  1. Add examplefile.json to .claudeignore 2. Ask Claude to show one of files listed in claudeignore 3. Claude reads and displays the content of file

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.79

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

This issue was observed while using Claude through the monthly subscription, not the Anthropic API. Specifically, it occurs when using Claude from the terminal and the VS Code extension.

The .claudeignore file was placed in the root of the project and was recognized by Claude.

View original on GitHub ↗

19 Comments

github-actions[bot] · 3 months ago

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/16704
  2. https://github.com/anthropics/claude-code/issues/34833
  3. https://github.com/anthropics/claude-code/issues/33476

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

Madsim · 3 months ago

This is really annoying. Also it is not clear when claude code will ask for read permission and when it is just reading files out of the blue.

matt-savvy · 3 months ago
The .claudeignore file is documented as a way to exclude files from Claude's context.

Can you link me the official documentation?

vasuchawla · 3 months ago

came here to report the same.
@matt-savvy if you ask claude (on web) example "how do i restrict claude code from reading .env", it would reply with
In Claude Code, add a .claudeignore file in your project root. Claude Code respects this file and will not read, reference, or suggest changes to anything listed in it — same concept as .gitignore.

and when i asked can i add this globally?
it even suggested further

Yes. Create the file at:
~/.claude/.claudeignore
This applies across all projects without needing a .claudeignore in each one.
matt-savvy · 3 months ago
@matt-savvy if you ask claude (on web) example "how do i restrict claude code from reading .env", it would reply with In Claude Code, add a .claudeignore file in your project root. Claude Code respects this file and will not read, reference, or suggest changes to anything listed in it — same concept as .gitignore. and when i asked can i add this globally? it even suggested further `` Yes. Create the file at: ~/.claude/.claudeignore This applies across all projects without needing a .claudeignore in each one. ``

That's not what I asked about though. I just wanted to see the Claude Code documentation about this.

rjluebbert · 3 months ago

I am having the same issue. Claude subagents will ignore the .claudeignore to pull sensitive data into the thread

swapnildukare · 3 months ago

In official docs , I don't see any mention of .claudeignore file being supported
This is supported via third party hook - https://github.com/li-zhixin/claude-ignore

matt-savvy · 3 months ago
In official docs , I don't see any mention of .claudeignore file being supported This is supported via third party hook - https://github.com/li-zhixin/claude-ignore

Almost as if this is not a feature of Claude Code

jaerith · 3 months ago
I am having the same issue. Claude subagents will ignore the .claudeignore to pull sensitive data into the thread

I am experiencing the same issue.

jasonb-occasio · 3 months ago

I first heard about the .claudeignore file on LinkedIn. I thought I'd search for the official documentation and found nothing except this closed GitHub issue from more than a year ago, where a contributor explicitly suggests using 'deny permission rules':

https://github.com/anthropics/claude-code/issues/579

guys are we all hallucinating config files?

matt-savvy · 3 months ago
guys are we all hallucinating config files?

Yes

Madsim · 3 months ago

Regardless if this is actually a feature, the file reading is inconsistent as hell. Sometimes the model pops-up dialogs for every single read and sometimes it just uses file-tools to ingest multiple files without asking. File permissions should never be governed by model decisions, but by algorithmic solutions.

ttamg · 3 months ago

I also have the same issue and have seen it a number of times. My .env is in both .gitignore and .claudeignore when asking Claude Code to tell me what it did earlier in the thread it knows it read the file (I saw it do that too) and it says that the ignore files are not enforced. That seems to be an oversight.

<img width="400" height="622" alt="Image" src="https://github.com/user-attachments/assets/672d4a0a-4935-474f-b502-528dd184c1b8" />

whitehatmiddleman · 3 months ago

I'm leveraging the CLAUDE.md rules section to understand what the file is. Until a fix is in place.

Add the following rule:

``` markdown
...

Rules

  • If .claudeignore file exists, files and directories listed in the file should be completely ignored. Only ready the .claudeignore to get that list of files and directories to be ignored and not read. The format of this file follow the same syntax used in the .gitignore.

...


Example:

``` claude-code
❯ I have a .claudeignore file can you tell me the contents of the file

  Read 1 file (ctrl+o to expand)

● The .claudeignore contains two entries:

  - .env
  - private-notes.md

  These files will be ignored — I won't read them or factor them into any decisions.

❯ I have a private-notes.md file can you tell me the contents of the file

● No — private-notes.md is listed in .claudeignore, so I won't read it.

❯ what is the syntax used in the .claudeignore, if I wanted to block a specific filename in all directories what syntax would I use.

● .claudeignore follows .gitignore syntax. To block a specific filename in all directories, just use the bare filename with no path prefix:

  secret.txt

  This matches secret.txt anywhere in the directory tree — root, subdirectories, nested folders, etc.

  Other useful patterns:
  - *.env — any file ending in .env everywhere
  - **/secret.txt — explicit "any depth" (same effect as the bare name)
  - config/secret.txt — only that exact path from the repo root
  - secrets/ — an entire directory named secrets anywhere
iuriguilherme · 2 months ago

@ttamg it is not an oversight, the feature doesn't exist and your agent is hallucinating.

kriss145 · 2 months ago

I can confirm this bug on macOS with the VS Code extension (Claude Code).

My .claudeignore contained .env, yet Claude read the file without any warning or permission prompt.

I tested this across multiple new sessions and the behavior is consistent: .claudeignore does not prevent the Read tool from accessing listed files.

chmod 600 .env also did not help, as Claude Code runs as the same OS user as the file owner.

This is a serious security issue. Users reasonably expect .claudeignore to act as an access boundary, not just an autocomplete hint. The documentation should clearly state this limitation until it is fixed - or the Read tool should actually respect .claudeignore.

Environment: macOS, VS Code extension, Claude Sonnet 4.6

kriss145 · 2 months ago

Move .env outside the project directory (one level up) and start for example dev server with:

npx dotenv-cli -e .env -- yarn --cwd app dev

This keeps .env outside Claude Code's working directory entirely, so it won't be accessible regardless of .claudeignore behavior.

For npm users:

npx dotenv-cli -e ../.env -- npm run dev

In my opinion it it the only safe solution.

Additional security tips:

  • Do not mention anywhere in the repository how you load .env (not in README, package.json, or any other file) - Claude reads all files in the working directory and can use that information to locate secrets outside the project
  • Never grant Claude access to directories outside your project's working directory - this prevents it from executing Read on files in parent folders even if it somehow learns the path
ttamg · 2 months ago

OK an update as I did a load more testing and research.

  1. Confirming it is the case that .claudeignore is 'not a thing'. Not official or enforced at all. Indeed it is a common hallucination of the models used in Claude Code. Specifically it doesn't do anything in the harness. Do a search for .claudeignore in this repo if you don't believe me
  2. So .claudeignore is only used by the LLM if it actually sees it. It is a very weak guard-rail. Having an LLM do its own guard-railing for .env and other files is very bad practice. We need guard-railing in the harness instead (Claude Code codebase itself)
  3. There are a lot of ways using bash to access a .env file when you are running as the user and from my testing something along the following lines as a prevent mostly works. What is good is that it is part of the harness so more reliable. This is a workaround for now.
  4. It would much more reliable if Claude Code to implement something like this instead of us doing it for each repo so I would encourage Claude Code to add blacklisting in the harness so that certain files are truly ignored. But given how many open issues there are in this repo I suspect it won't happen any time soon. Better still might be to have claude run as a different user with permissions we can then set.

Examples of the sort of preventions you can add to the the .claude/settings.json file to try to stop the tool calls reading your secret files. This is better than what we had but cannot be fully relied upon.

```{
"hooks": {},
"permissions": {
"allow": [],
"deny": [
"Bash(cat .env*)",
"Bash(cat .keys/*)",
"Bash(cat secret)",
"Bash(cat credential)",
"Bash(cat token)",
"Bash(less .env*)",
"Bash(more .env*)",
"Bash(head .env*)",
"Bash(tail .env*)",
"Bash(sed .env)",
"Bash(awk .env)",
"Bash(grep .env)",
"Bash(python .env*)",
"Bash(python open.env)",
"Bash(echo $KEY)",
"Bash(echo $SECRET)",
"Bash(echo $TOKEN)",
"Bash(echo $PASSWORD)",
"Bash(printenv)",
"Bash(env)",
"Bash(set)",
"Read(**/.env)",
"Read(*.pem)",
"Read(*.key)",
"Read(~/.ssh/**)"
]
}
}

github-actions[bot] · 1 month ago

Closing for now — inactive for too long. Please open a new issue if this is still relevant.