Your .gitignore keeps secrets out of version control. But does your AI coding assistant actually respect those same boundaries?
A new open-source test report from the aiignore-cli project put seven popular AI coding tools through file exclusion reliability testing - checking whether each tool honors rules that say "don't read this file." The results are not reassuring.
The Ratings
The report graded each tool on how reliably it respects file exclusion rules (like .gitignore, .cursorignore, or tool-specific ignore files):
- High reliability: JetBrains AI
- Medium reliability: Claude Code, Windsurf, Aider
- Low reliability: Cursor, Gemini CLI
- No file exclusion support: GitHub Copilot (for individual developers)
GitHub Copilot's gap stands out: there is no way for an individual developer to exclude files. The exclusion controls exist only at the organization admin level, and even those don't apply to Copilot's Agent or CLI modes.
The Terminal Bypass Problem
The most concerning finding cuts across nearly every tool tested. When AI coding assistants operate in "agent mode" - where they can run shell commands on your behalf - most of them will happily execute cat secrets.env even if that file is on the exclusion list.
The tool tells itself "I shouldn't read this file with my built-in file reader," then turns around and reads it through the terminal instead. It is the digital equivalent of a locked front door with an open window.
Claude Code was the only tool where the deny patterns block both the built-in Read tool and Bash commands like cat, closing that terminal loophole.
Cursor had two documented CVEs related to file exclusion: a case-sensitivity bypass (where .cursorignore rules for Secret.env wouldn't catch secret.env) and an agent rewrite bypass. Its @ file reference feature also ignores .cursorignore rules entirely.
Gemini CLI's negation patterns - the ! syntax that means "except this file" - simply don't work. Its list_dir command also ignores exclusion rules in certain modes.
What This Means for Your Workflow
If you're feeding proprietary codebases to AI coding tools, the ignore file is your primary defense against accidentally shipping API keys, credentials, or sensitive business logic into an AI provider's context window. A tool that can't reliably enforce those rules is a liability.
The practical takeaway: don't assume your AI coding assistant treats .gitignore or its own ignore file as a hard boundary. Test it yourself - especially in agent mode. And if you're working with sensitive files, verify that your tool of choice actually blocks terminal-based access, not just its own file-reading commands.
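One way to do that verification offline is to audit the agent's tool-call transcript against the ignore file after a session, rather than trusting the tool's own reader. The script below is an added example, not code from the aiignore-cli report or from any of the tools it tested. It assumes a constructed log format (one record per tool call with a "tool" name and its arguments) and implements a simplified gitignore-style matcher (globs, trailing "/" for directories, a leading "!" for negation, last match wins). It flags the three failure classes described above: shell commands such as cat reaching a file the built-in Read tool is supposed to skip, a negation rule being honored or not, and a case-sensitivity gap where a rule written as Credentials.json fails to cover credentials.json on a case-insensitive filesystem.

```python
"""Audit an AI coding agent's tool-call log against an ignore file.

Added example with constructed inputs; not from the aiignore-cli report.
Ignore syntax is a simplified gitignore subset: glob patterns, trailing '/'
for directories, leading '!' for negation, last matching rule wins.
"""
import fnmatch
import re
import shlex

# Constructed ignore file: exclude every .env file and the private/ tree,
# re-allow the committed example.env, and exclude one mixed-case filename.
IGNORE_RULES = """
# constructed ignore file
*.env
!example.env
private/
Credentials.json
""".strip().splitlines()

# Constructed agent transcript mixing built-in reads, shell commands and
# a directory listing. Tool names (Read, Bash, list_dir) are assumptions.
AGENT_LOG = [
    {"tool": "Read", "args": {"path": "src/main.py"}},
    {"tool": "Read", "args": {"path": "secrets.env"}},
    {"tool": "Bash", "args": {"command": "cat secrets.env"}},
    {"tool": "Bash", "args": {"command": "grep -r TOKEN private/config.yaml"}},
    {"tool": "Read", "args": {"path": "example.env"}},
    {"tool": "Bash", "args": {"command": "cat credentials.json"}},
    {"tool": "Bash", "args": {"command": "cat private/keys.pem | base64"}},
    {"tool": "list_dir", "args": {"path": "private/"}},
]

# Split compound shell commands on pipes and command separators.
SHELL_SPLIT = re.compile(r"\|\||&&|[|;]")


def parse_rules(lines):
    """Turn ignore-file lines into (pattern, negated) tuples, skipping comments."""
    rules = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:]
        rules.append((line, negate))
    return rules


def is_ignored(path, rules, case_insensitive=False):
    """Return True if `path` is excluded. Last matching rule wins, as in gitignore.

    case_insensitive=True models a filesystem (macOS/Windows defaults) where
    Secret.env and secret.env are the same file, so rules must be compared
    without regard to case or they can be bypassed.
    """
    ignored = False
    norm = path.lower() if case_insensitive else path
    for pattern, negate in rules:
        pat = pattern.lower() if case_insensitive else pattern
        if pat.endswith("/"):
            # Directory rule: matches the directory itself or anything under it.
            hit = norm.startswith(pat) or norm.rstrip("/") == pat.rstrip("/")
        elif "/" in pat:
            # Anchored pattern: matched against the whole relative path.
            hit = fnmatch.fnmatchcase(norm, pat)
        else:
            # Unanchored pattern: matches the basename at any depth.
            hit = fnmatch.fnmatchcase(norm.rsplit("/", 1)[-1], pat)
        if hit:
            ignored = not negate
    return ignored


def paths_from_command(command):
    """Extract path-like arguments from a shell command.

    Simplification: every non-flag argument after the program name in each
    pipeline segment is treated as a path candidate.
    """
    candidates = []
    for segment in SHELL_SPLIT.split(command):
        try:
            tokens = shlex.split(segment)
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess
        for tok in tokens[1:]:
            if not tok.startswith("-"):
                candidates.append(tok)
    return candidates


def audit(log, rule_lines, case_insensitive=False):
    """Return the (tool, path) accesses in `log` that violate the ignore rules."""
    rules = parse_rules(rule_lines)
    violations = []
    for entry in log:
        tool, args = entry["tool"], entry["args"]
        # Shell access is checked with the same rules as the built-in reader,
        # which is exactly the check most tools in the report fail.
        if tool == "Bash":
            candidates = paths_from_command(args["command"])
        else:
            candidates = [args["path"]]
        for candidate in candidates:
            if is_ignored(candidate, rules, case_insensitive):
                violations.append((tool, candidate))
    return violations


if __name__ == "__main__":
    for tool, path in audit(AGENT_LOG, IGNORE_RULES, case_insensitive=True):
        print(f"VIOLATION: {tool} accessed excluded path {path}")
```

Run with case_insensitive=False the audit reports the cat, grep, pipe and list_dir accesses into excluded paths while example.env passes because its negation rule is honored; switching to case_insensitive=True additionally flags cat credentials.json, which is the class of gap the report describes for Cursor. The matcher is deliberately a subset of gitignore semantics (no ** handling, no mid-path anchoring), so treat a clean result as a first pass, not proof that a tool enforces its ignore file.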