Hi — I found this while scanning public repos for exposed credentials using rafter, a security CLI I work on. Wanted to give you a heads up before anyone with bad intentions finds it.
Your file .env.local.backup contains multiple live API keys:
- Supabase service role key — full admin access, bypasses RLS
- Groq API key (gsk_...)
- FatSecret client secret
- OpenWeather API key
- OpenCage API key
- Supabase anon key + project URL
Recommended immediate steps:
- Rotate all keys in their respective dashboards
- Remove .env.local.backup from Git history (git filter-repo or BFG Repo Cleaner) — just deleting the file isn't enough
- Add .env* to .gitignore
Tools to prevent this going forward:
- rafter — secret scanning + policy enforcement for AI coding agents
- gitleaks — pre-commit secret detection
- trufflehog — Git history scanner
No judgment — this is super common with .env backup files that bypass standard .gitignore rules. Best of luck with VITAL-AI!
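Added example (not part of the original issue, and not code from the rafter tool): a small Python check showing why a narrow rule like `.env` or `.env.local` leaves `.env.local.backup` unprotected while `.env*` covers it. The tracked-file list and the two .gitignore variants are constructed sample input; the matcher handles basename-style patterns and `!` negation only.

```python
import fnmatch
from typing import Iterable


def is_ignored(path: str, patterns: Iterable[str]) -> bool:
    """Return True if `path` is ignored by the given .gitignore-style lines.

    Simplified semantics: blank lines and comments are skipped, a pattern
    without '/' matches the basename at any depth, a pattern with '/' is
    matched against the full path, and a later '!' pattern can un-ignore.
    """
    basename = path.rsplit("/", 1)[-1]
    ignored = False
    for raw in patterns:
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        target = path if "/" in pat else basename
        if fnmatch.fnmatchcase(target, pat):
            ignored = not negate  # last matching rule wins
    return ignored


def looks_like_dotenv(path: str) -> bool:
    """Heuristic: any file whose basename starts with `.env` (incl. backups)."""
    return path.rsplit("/", 1)[-1].startswith(".env")


def unprotected_dotenv_files(tracked: Iterable[str], gitignore: str) -> list[str]:
    """Dotenv-looking paths that the given .gitignore would NOT ignore."""
    patterns = gitignore.splitlines()
    return sorted(
        p for p in tracked if looks_like_dotenv(p) and not is_ignored(p, patterns)
    )


# Constructed sample input modelled on the situation in the report.
TRACKED = [".env", ".env.local", ".env.local.backup", "src/index.ts", ".env.example"]
NARROW_GITIGNORE = "node_modules/\n.env\n.env.local\n"          # common but too narrow
BROAD_GITIGNORE = "node_modules/\n.env*\n!.env.example\n"       # catches backups, keeps the template

if __name__ == "__main__":
    print(unprotected_dotenv_files(TRACKED, NARROW_GITIGNORE))  # ['.env.example', '.env.local.backup']
    print(unprotected_dotenv_files(TRACKED, BROAD_GITIGNORE))   # ['.env.example']
```

With the broad rule only the intentionally committed `.env.example` remains visible, which is the desired outcome; remember that .gitignore never removes a file that is already tracked, so the history rewrite in the steps above is still required.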