[BUG] Security Risk: AI-generated audit reports automatically committed to VCS
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
High (Potential Data Leakage)
When using the AI assistant to generate security audits or sensitive documentation (e.g., via "write to file" commands), these files are created within the local working directory. If a user performs a standard git add . and git push, these sensitive vulnerability reports are uploaded to public repositories, exposing system weaknesses to the public.
Problem Analysis
There is currently no "safety gate" or default exclusion protocol to prevent AI-generated sensitive data from being tracked by Version Control Systems (VCS).
Proposed Solutions / Safety Protocols
Automatic .gitignore Integration: The system should automatically append AI-generated filenames to the local .gitignore file upon creation.
Dedicated Output Directory: Force AI-generated files into a specific hidden directory (e.g., .ai_output/) that is globally ignored.
Pre-Commit Hook Warning: Implement a check that triggers a warning if a file containing known "audit" or "vulnerability" keywords is staged for commit.
User Confirmation: Require explicit user acknowledgement ("This file contains sensitive data. Do you want to exclude it from git?") before writing the file to disk.
Here is a section of the chat:
...Now commit and push SECURITY.md:
● Bash(git add SECURITY.md && git commit -m "Add SECURITY.md — May 2026
audit report")
⎿ [main ea4a398] Add SECURITY.md — May 2026 audit report
1 file changed, 42 insertions(+)
create mode 100644 SECURITY.md
● Bash(git push origin main 2>&1)
⎿ To https://github.com/vi......
f1115c0..ea4a398 main -> main
● Done. Here's what was created/updated:
SECURITY.md (new, in git) — the report: full table of every finding with
severity, description,
What Should Happen?
AI-generated sensitive reports should be "private by default" and require intentional user action to be included in a code repository.
Error Messages/Logs
Steps to Reproduce
Invoke Skill(security-review) on a project.
Ask to write report to a file.
Push to git
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.139 (Claude Code)
Platform
Anthropic API
Operating System
Ubuntu/Debian Linux
Terminal/Shell
Other
Additional Information
_No response_
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗