Git's dirty little secret: ignored files that still lurk in your repo

You added .env to .gitignore, breathed a sigh of relief, and moved on—only to later discover that file still lurks in your repo, pushed to GitHub and cloned by everyone else. That’s not a fluke. It’s how Git works by design: .gitignore only prevents untracked files from being added. Anything already committed stays tracked, ignore rule or not.
## The hidden cleanup you didn’t know you needed
That’s where gitslip comes in—a zero-dependency CLI that scans your repository and flags every tracked file your own ignore rules say should be ignored. Run npx gitslip and it’ll show you something like:
```
2 tracked files are ignored by your rules but still committed:
  config/secrets.env
    ↳ .gitignore:7  *.env
  logs/app.log
    ↳ .gitignore:2  *.log
```
The output even tells you which rule caught each file, so there’s no guessing. Want it fixed? Use gitslip --apply to run git rm --cached without deleting your local copy.
## Why grep won’t cut it—and why gitslip does
You could grep your .gitignore patterns against git ls-files, but that approach misses critical nuances. Negation rules (!important.log), nested .gitignore files, and global ignore settings can trip you up. gitslip avoids reinventing Git’s ignore logic by relying on Git itself.
Under the hood, it runs git ls-files -i -c --exclude-standard to list the files that are both tracked and ignored, then uses a trick with git check-ignore -v against an empty index to reliably name the rule that matched each one, without false positives.
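The same check built from plain Git commands, as an added example that is not gitslip's own code. It assumes it is run inside a work tree with a Git new enough to have git check-ignore --no-index (1.8.5 or later), and it reports the matching rule and exits non-zero in the same spirit as the tool:

```sh
#!/bin/sh
# Added example, not gitslip's code: find tracked files your ignore rules would
# exclude, using Git's own rule evaluation rather than re-implementing it.
set -eu

# Print one "path<TAB>source:line<TAB>pattern" line per tracked-but-ignored file.
# Returns 1 if any exist (so CI can fail the build), 0 if the repo is clean.
find_slipped_files() {
    # -c: tracked (cached) files; -i: only those an ignore rule matches;
    # --exclude-standard: .gitignore, .git/info/exclude and core.excludesFile,
    # so negations and nested .gitignore files are handled by Git itself.
    slipped=$(git ls-files -c -i --exclude-standard)
    [ -n "$slipped" ] || return 0
    # check-ignore skips tracked paths by default (they are not subject to
    # exclude rules); --no-index evaluates them as if untracked, and -v prints
    # "<source>:<line>:<pattern><TAB><path>" naming the rule that decided.
    printf '%s\n' "$slipped" | git check-ignore -v --no-index --stdin |
        awk -F'\t' '{
            loc = $1; pat = ""
            if (match(loc, /^.*:[0-9]+:/)) {   # greedy: up to the line-number colon
                pat = substr(loc, RLENGTH + 1); loc = substr(loc, 1, RLENGTH - 1)
            }
            printf "%s\t%s\t%s\n", $2, loc, pat
        }'
    return 1
}

# Equivalent of "gitslip --apply": stop tracking the files, keep the working copies.
untrack_slipped_files() {
    [ -n "$(git ls-files -c -i --exclude-standard)" ] || return 0
    git ls-files -z -c -i --exclude-standard | xargs -0 git rm --cached --quiet --
}
```

Paths that Git quotes because of unusual characters (core.quotePath) are passed through as printed, so the rule lookup for such names is best-effort.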
## A safety net for teams and CI pipelines
The tool is available as both a Node and Python CLI (npx gitslip or pip install gitslip), producing identical output across both versions. It’s designed to fail builds when ignored files slip through, exiting with status 1 if anything is found. For teams that git add -A before writing .gitignore, it’s a simple way to catch mistakes before they become security risks or repo bloat.
Source: DEV Community. AI-assisted editorial synthesis — TechnoExpress.

