SoterAI Blog
How AI Coding Tools Can Leak Secrets — and How to Reduce the Risk
AI coding assistants are useful precisely because they read a lot of context: the file you have open, your selection, nearby files, your terminal output, and sometimes your whole workspace. That same reach is why they leak secrets. The assistant does not know that line 14 of your config is a live database password — it just sees text, and it forwards that text to a model running on someone else's servers.
This post walks through the concrete ways credentials end up in AI prompts, why the usual protections do not help, and a practical, local-first checklist you can apply today. Every example here uses fake canary values — never paste a real secret to test anything.
Where the leaks actually happen
Secret leakage to AI tools rarely looks like a dramatic breach. It looks like an ordinary Tuesday. Here are the common paths.
1. The open .env file
You ask the assistant to “explain why my app can’t connect to the database.” To help, it reads the files in scope — including the .env that happens to be open in another tab:
# .env (example — fake values only)
DATABASE_URL=postgres://app:CANARY_db_pw_EXAMPLE@db.internal:5432/prod
STRIPE_SECRET_KEY=sk_live_CANARY0000EXAMPLE0000
JWT_SIGNING_SECRET=CANARY-jwt-signing-secret-EXAMPLENow those values are in the prompt. The file was in .gitignore, so it never hit your repo — but .gitignore has nothing to do with what an assistant reads from your working tree.
2. Pasting a stack trace or log
Debugging output is a classic leak vector. Connection strings, bearer tokens, and signed URLs routinely appear in error messages and request logs. When you paste that log into a chat to ask “what does this error mean?”, the embedded token goes with it.
3. Autocomplete on a secrets file
Inline completion tools send surrounding context to generate a suggestion. If your cursor is inside a credentials file, that context can include neighboring secret values — even if you never explicitly asked a question.
4. “Fix my whole repo” agent runs
Agentic modes that scan or refactor across many files widen the blast radius. A single “update all API calls” task can pull dozens of files — configs, seed data, test fixtures with hardcoded tokens — into the model’s context in one shot.
Why the usual defenses miss this
- Git secret scanners run at commit or push time. The AI read the file long before any commit.
- .gitignore and .dockerignore govern packaging, not editor context. An ignored file open in your IDE is fully visible to an assistant.
- Provider “no-training” settings reduce one risk (your data becoming training data) but do not change the fact that the secret left your machine and reached a third party.
- Vaults and secret managers help only if the secret is never materialized into a file the assistant can read. In practice, local
.envfiles still exist during development.
The gap is consistent: existing tools protect the repository and the deployment, but the leak happens at the editor, in the moment context is assembled for the model.
A local-first checklist to reduce the risk
You cannot make this risk zero, but you can make it much smaller by moving the check to where the leak happens — your machine, before the prompt is sent.
- Scan context before you send it. Run a local secret and PII scan on the file, selection, or workspace you are about to share. Catching a token before the request is the whole game.
- Redact, don’t delete. Replace detected secrets with placeholders in a copy of the context so the assistant still gets useful structure without the live value. Your real files stay untouched.
- Route prompts through a local broker. A loopback proxy that speaks the OpenAI/Anthropic format can redact requests in transit, covering tools that call the provider directly. See the Local AI Broker.
- Keep an access ledger. Record what context was shared per session so you can review exposure after a heavy AI-assisted change. This is what the AI Memory Inspector does.
- Test with canaries. Plant an obviously fake secret, then verify it never appears in prompts, logs, or model output. If your canary leaks, your real secrets would too.
- Prefer
.env.examplein context. Generate a safe example file with keys but no values, and keep the real.envout of scope.
What “good” looks like
A healthy setup treats the boundary between your editor and the model as a checkpoint. Before context crosses it, secrets and PII are scanned and redacted locally; risky terminal commands are flagged; and every crossing is recorded so you can audit it later. This is the idea behind an AI context firewall, which the next post explains in depth.
Honest limitations
Local scanning is heuristic. It catches common key and token formats and many PII patterns, but it cannot guarantee that every secret in every custom format is detected, and it only protects context that is actually routed through it. Treat it as a strong reduction in risk and one layer of defense-in-depth — not a guarantee. We do not claim any tool can make secret leakage impossible. For the full boundary list, see our limitations page.
The practical takeaway: the cheapest place to stop a secret from reaching an AI model is on your own machine, one moment before the prompt is sent. That is exactly where AI data leakage prevention belongs.
Frequently asked questions
Do AI coding assistants store my secrets?
It depends on the provider and your settings. Even when a provider does not train on your data, a secret you paste into a prompt has still left your machine and traveled to a third party. The safest assumption is that anything sent in a prompt is out of your control, so the goal is to avoid sending secrets in the first place.
Isn't .gitignore enough to protect secrets?
No. .gitignore stops files from being committed to Git. It does nothing to stop an AI assistant from reading an ignored .env file that is open in your editor or included in workspace context. The two problems are unrelated.
How can I tell if a secret already leaked into a prompt?
Use a local access ledger that records what context was shared with the assistant, and plant fake canary secrets to test whether your redaction actually works. SoterAI's AI Memory Inspector and canary workflow are built for exactly this.
Scan your AI context locally
SoterAI IDE Guard scans secrets, prompts, MCP tools, and terminal commands on your machine before they reach an AI model. Free to install, local by default.
Install the VS Code extension