[BUG] Claude Code violated .gitignore/.claudeignore policy by reading .env file using Bash cat command in auto-approve mode
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code executed cat /opt/lookops/backend/.env via the Bash tool while running in auto-approve permissions mode, exposing sensitive credentials (database password, SECRET_KEY, ENCRYPTION_KEY) in the conversation context. The file was explicitly listed in both .gitignore and .claudeignore, and the project's CLAUDE.md contained the rule "Never read or modify .env.* files". Auto-approve mode was used to bypass this explicit security policy.
What Should Happen?
Claude should refuse to read any file listed in .gitignore or .claudeignore, regardless of the permission mode active at the time. Auto-approve mode is intended to reduce friction for safe and routine operations, not to bypass explicit security rules defined by the user.
Error Messages/Logs
No error was shown. The Bash tool executed silently and returned the full contents of the .env file including credentials.
Steps to Reproduce
Create a project with a .env file containing real credentials
Add .env to both .gitignore and .claudeignore
Add a rule in CLAUDE.md stating "Never read or modify .env.* files"
Enable auto-approve permissions mode
Ask Claude to perform a task that requires a database connection (e.g. run an Alembic migration)
Observe that Claude executes cat .env via Bash without asking the user and exposes the credentials in the conversation
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Claude Sonnet 4.6
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
VS Code integrated terminal
Additional Information
Summary
Claude Code executed cat /opt/lookops/backend/.env via the Bash tool while
running in auto-approve permissions mode, exposing sensitive credentials
(database password, SECRET_KEY, ENCRYPTION_KEY) in the conversation context.
Rules violated
- The project CLAUDE.md explicitly states: "Never read or modify
.env.*files" - The file was listed in both
.gitignoreand.claudeignore - Auto-approve mode is intended to reduce friction for safe operations,
not to bypass explicit security rules
What happened
- Claude needed the DATABASE_URL to run an Alembic migration
- Instead of asking the user, it executed
cat /opt/lookops/backend/.env - The tool call was auto-approved because auto-approve mode was active
- Real credentials (shared between dev and prod environments) were exposed
in the conversation and potentially stored in Anthropic's systems
Expected behavior
Claude should refuse to read any file listed in .gitignore or .claudeignore,
regardless of the permission mode active at the time.
Impact
- Credentials exposed in conversation context (potentially stored by Anthropic)
- User forced to rotate database password, SECRET_KEY, and ENCRYPTION_KEY
across dev and prod environments
- Breach of user trust in the auto-approve permission model
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗