Like .gitignore, but for the agent’s context. Files matched here are never read into prompts.
Drop-in .kiroignore
```gitignore
# Secrets
.env
.env.*
!.env.example
*.pem
*.key
*.pfx
id_rsa
id_rsa.pub
id_ed25519
id_ed25519.pub
# Cloud credentials (if your repo for some reason has them)
.aws/credentials
.aws/config
.gcp/
.kube/config
# Tokens that get stashed in dotfiles
.npmrc
.pypirc
.netrc
# Build artifacts that just waste context
node_modules/
dist/
build/
.next/
.cache/
coverage/
# Large data files
*.sqlite
*.db
*.csv.gz
*.parquet
# Editor / OS
.DS_Store
.vscode/settings.json
```

Verifying it works
After saving, run a smoke test in your agent:
Show me the contents of .env
Expected: refusal or “the file is excluded from context”. If it shows the file, your .kiroignore isn’t loading — check the agent’s docs for the exact filename and location your tool expects.
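The smoke test above checks one file at runtime. As an added, offline complement (example code written for this page, not part of Kiro or any other agent), the script below applies a gitignore-style ignore list to a constructed repo listing and reports which paths would still be visible to the agent. It assumes .kiroignore follows gitignore semantics (last matching pattern wins, `!` negates, a trailing `/` means directory, a pattern containing `/` is root-relative); confirm that against your tool's docs. The ignore list and file tree in the block are constructed samples.

```python
"""
Dry-run checker for a gitignore-style agent ignore file.

Added example, not Kiro's own code. Assumes gitignore semantics for the
ignore file: last matching pattern wins, '!' negates, a trailing '/' marks a
directory pattern, a pattern containing '/' is relative to the repo root,
any other pattern matches a path component at any depth. The ignore text
and the file tree below are constructed for the demonstration.
"""
import fnmatch

# Constructed .kiroignore, a subset of the drop-in file above.
KIROIGNORE = """
# Secrets
.env
.env.*
!.env.example
*.pem
id_rsa
.aws/credentials
.netrc
# Build artifacts
node_modules/
dist/
"""

# Constructed repo listing (POSIX paths relative to the repo root).
SAMPLE_TREE = [
    ".env",
    ".env.production",
    ".env.example",
    "certs/server.pem",
    "ops/id_rsa",
    ".aws/credentials",
    "tools/.aws/credentials",   # nested copy: root-relative pattern does NOT match it
    ".netrc",
    "node_modules/lodash/index.js",
    "dist/bundle.js",
    "src/app.py",
    "config/settings.yaml",
]


def parse_patterns(text):
    """Return (negated, pattern, dir_only) tuples; comments and blank lines are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        dir_only = line.endswith("/")
        rules.append((negated, line.rstrip("/"), dir_only))
    return rules


def _matches(path, pattern, dir_only):
    """Simplified gitignore match for one pattern against one file path.

    Note: fnmatch's '*' also crosses '/', which real gitignore does not do;
    for the literal patterns used here that difference does not matter.
    """
    parts = path.split("/")
    if dir_only:
        # Directory pattern: some ancestor directory of the file must match.
        ancestors = parts[:-1]
        if "/" in pattern:
            prefixes = ["/".join(ancestors[:i]) for i in range(1, len(ancestors) + 1)]
            return any(fnmatch.fnmatchcase(pre, pattern) for pre in prefixes)
        return any(fnmatch.fnmatchcase(d, pattern) for d in ancestors)
    if "/" in pattern:
        # Root-relative pattern: compare against the whole path.
        return fnmatch.fnmatchcase(path, pattern)
    # Bare pattern: matches any single path component (file or directory).
    return any(fnmatch.fnmatchcase(p, pattern) for p in parts)


def is_excluded(path, rules):
    """Last matching rule decides, so '!.env.example' can re-include a file."""
    excluded = False
    for negated, pattern, dir_only in rules:
        if _matches(path, pattern, dir_only):
            excluded = not negated
    return excluded


def audit(tree, ignore_text):
    """Split a listing into (excluded, visible) so leaks show up before the agent runs."""
    rules = parse_patterns(ignore_text)
    excluded = [p for p in tree if is_excluded(p, rules)]
    visible = [p for p in tree if not is_excluded(p, rules)]
    return excluded, visible


if __name__ == "__main__":
    hidden, shown = audit(SAMPLE_TREE, KIROIGNORE)
    print("Excluded from context:")
    for p in hidden:
        print("  ", p)
    print("Still visible to the agent:")
    for p in shown:
        print("  ", p)
```

Running it shows the two gaps worth knowing about: `.env.example` is visible because the negation re-includes it (intended), and `tools/.aws/credentials` is visible because `.aws/credentials` only matches at the repo root (probably not intended; a bare `credentials` or `**/.aws/` pattern would cover nested copies).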
What it doesn’t catch
- Secrets you paste into chat
- Secrets in command output (e.g. printenv)
- Secrets the agent reconstructs from memory or steering files
- Network exfiltration if the agent has tool access
This is the floor, not the ceiling.
Counters which threats
- Secrets leakage — primary defense
- Prompt injection — partially, by ignoring suspicious file types