
Security: Read tool bypasses .gitignore patterns, exposing sensitive files to agents #12196

@cupton-paa

Description


The read tool does not respect .gitignore patterns, allowing agents to read sensitive files that should be ignored (e.g., .env files, credentials, secrets). This contradicts user expectations and the documentation about ignore patterns.

Impact

Security risk: Agents can read sensitive files even when they are explicitly listed in .gitignore, potentially exposing:

  • Environment variables (.env, .env.*)
  • Credentials and secrets
  • Private configuration files
  • Any other files intended to be excluded from version control

Steps to Reproduce

  1. Add a directory to .gitignore:

     .scratch/

  2. Create a file with sensitive content in that directory:

     mkdir -p .scratch/test
     echo "SECRET_API_KEY=super-secret-123" > .scratch/test/secrets.txt

  3. Test different tools:

Tools that WORK correctly (respect .gitignore):

# glob tool - returns "No files found" ✅
glob pattern="**/.scratch/test/*.txt"

# grep tool - returns "No files found" ✅
grep pattern="super-secret" path="."

Tool that FAILS (ignores .gitignore):

# read tool - successfully reads the file ❌
read filePath="/full/path/to/.scratch/test/secrets.txt"
# Returns: SECRET_API_KEY=super-secret-123

Expected Behavior

The read tool should respect .gitignore patterns by default, just like glob, grep, and list tools do. If a file is in .gitignore, agents should not be able to read it unless explicitly permitted.

Actual Behavior

The read tool can read ANY file with an absolute path, regardless of .gitignore patterns.

Current Documentation

The docs at https://opencode.ai/docs/tools/#ignore-patterns state:

"Internally, tools like grep, glob, and list use ripgrep under the hood. By default, ripgrep respects .gitignore patterns"

However, the documentation does NOT mention that the read tool bypasses ignore patterns entirely.

Proposed Solutions

  1. Preferred: Make read respect .gitignore patterns by default (consistent with other tools)
  2. Alternative: Add a permission setting like permission.read.respectIgnoreFiles (default: true)
  3. Minimum: Update documentation to clearly warn users that read bypasses .gitignore
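As an added illustration of what solution 1 would mean in practice (example code written for this issue, not OpenCode's implementation): a read guard that evaluates a subset of .gitignore semantics against the path before returning file contents. It goes a little beyond the .scratch/ case in the report by also handling root-anchored rules and "!" negation; the sample ignore list is constructed.

```python
import fnmatch
import os
# Constructed sample .gitignore covering the cases raised in the report.
SAMPLE_GITIGNORE = """
.scratch/
.env
.env.*
*.pem
!keep.pem
/build
"""

def parse_gitignore(text):
    """Return (pattern, negated) tuples; comments and blank lines are dropped."""
    lines = [l.strip() for l in text.splitlines()]
    return [(l.lstrip("!"), l.startswith("!")) for l in lines if l and l[0] != "#"]

def _rule_hits(rule, rel_path):
    """Subset of gitignore semantics: trailing '/' = directories only, a leading
    or inner '/' anchors the rule at the root, else match each component."""
    dir_only = rule.endswith("/")
    pat = rule.rstrip("/")
    anchored = pat.startswith("/") or "/" in pat
    pat = pat.lstrip("/")
    parts = rel_path.split("/")
    # Candidates: every ancestor directory, plus the file itself unless dir_only.
    depth = len(parts) - 1 if dir_only else len(parts)
    for i in range(1, depth + 1):
        candidate = "/".join(parts[:i]) if anchored else parts[i - 1]
        if fnmatch.fnmatchcase(candidate, pat):
            return True
    return False

def is_ignored(rel_path, rules):
    """Last matching rule wins, as in git; a '!' rule re-includes the path."""
    ignored = False
    for pat, negated in rules:
        if _rule_hits(pat, rel_path):
            ignored = not negated
    return ignored

def guarded_read(root, path, rules):
    """Read a file only if it lies inside root and is not ignored."""
    rel = os.path.relpath(os.path.abspath(path), os.path.abspath(root)).replace(os.sep, "/")
    if rel == ".." or rel.startswith("../"):
        raise PermissionError(f"{path} is outside {root}")
    if is_ignored(rel, rules):
        raise PermissionError(f"{rel} is excluded by .gitignore; read refused")
    with open(path, encoding="utf-8") as fh:
        return fh.read()
```

With the sample rules, `guarded_read(".", ".scratch/test/secrets.txt", rules)` raises PermissionError instead of returning the secret, which is the behaviour the report asks the read tool to adopt.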

Environment

  • OpenCode version: Latest (as of Feb 4, 2026)
  • Platform: macOS
  • Configuration: Default tool permissions

Additional Context

This was discovered while testing ignore patterns for sensitive evaluation documents. The inconsistency between tools creates a false sense of security - users expect .gitignore to protect sensitive files from agents, but read silently bypasses this protection.

Common sensitive files that may be exposed:

  • .env, .env.local, .env.production
  • credentials.json, secrets.yaml
  • *.pem, *.key (private keys)
  • .aws/credentials
  • Any custom paths in .gitignore
