Keeping sensitive files secure

You will often have files that you do not want Git to add to your repository (or even show as being untracked). These are typically files that are automatically generated (for example .log files); however, they may also be files that contain sensitive information. In such cases, you can use .gitignore.


.gitignore is not an explicit command. Instead, it is a plain text file that tells Git which files to ignore. Below is an example of what a .gitignore file might look like:

# ignore the file doc/patient_ids.txt

# ignore the file doc/patient_notes.txt, but not doc/anonymised/patient_notes.txt

# ignore all .pdf files in the "sensitive/"-directory as well as any of its subdirectories

Each line in the .gitignore file specifies a pattern. These patterns are then checked against the file names in your repository, to determine which of them should be ignored.

The following rules for writing .gitignore file patterns can be found in the Git Pro book:

  • Blank lines or lines starting with # are ignored.

  • Standard glob patterns work, and will be applied recursively throughout the entire working tree.

  • You can start patterns with a forward slash (/) to avoid recursivity.

  • You can end patterns with a forward slash (/) to specify a directory.

  • You can negate a pattern by starting it with an exclamation point (!).

GitHub also maintains a collection of .gitignore templates to help you get started.

Creating a .gitignore file

To create a .gitignore file, open a new file in a text editor of your choosing (for example TextEdit), name the file .gitignore (including the . at the beginning), and save it in your repository. Alternatively, you can create a .gitignore file through the terminal by first navigating to your repository and then running the command touch .gitignore.

To double check that your .gitignore file is working as you intended, and the correct files are being ignored, you can run the command git status --ignored, which will generate a list of all ignored files.

Ignoring a file that has already been committed

.gitignore only works on files that are untracked. Files that are already tracked by Git (that is, files that has previously been staged or committed) will not be ignored. It is therefore often a good idea to create a .gitignore file when you set up a new repository, so that you do not accidentally commit files that you do not want to.

It is, nevertheless, possible to ignore files that are already tracked by Git. To do this, you will first need to delete the file from your repository and then add a new rule to your .gitignore file.

Committing a file that has previously been ignored

Sometimes, you may want to ignore all but one file that follows a general pattern. In these instances, you can either 1) force an ignored file to be committed by adding -f (or --force) when you perform git add or 2) define an exception to the pattern within the .gitignore file (see example .gitignore file above).

Having multiple .gitignore files (and rules)

In most cases (or at least in the simplest of cases), your repository will have a single .gitignore file in its root directory. It is, however, possible to have multiple .gitignore files within subdirectories of the same repository. In such cases, the rules within the .gitignore file will only be applied to the subdirectory within which it is located. This means that different .gitignore rules can be applied across the same repository.