.bashrc series

Tell your AI Agents to stop leaking secrets

...because they will, if you let them

May 16, 2026 ~3 min
ai-agentssecuritydotfilesprocess

Here's a failure mode I see often enough that it deserves its own article in this series, even though — or especially because — the topic is mostly about avoiding it.

You give an AI coding agent access to your codebase. You ask it to write a blog post or README about security best practices. Specifically, "don't keep plaintext credentials in dotfiles." The agent — doing what agents do — reaches for the most concrete, real example it can find. Which on your system is, frequently, an actual production credential sitting in an actual .bashrc the article is telling people not to write.

The agent pastes the credential into the article as the cautionary example. The article ships. The credential is now public.

The irony writes itself. The remediation does not.

Why this happens

Three reasons, in order of how often I see them.

The agent's "concreteness" heuristic. A good piece of technical writing uses real examples. An AI agent has been trained on millions of articles where the example is, in fact, real. So when it has access to a real example on disk, the path of least resistance is to copy it. The agent's reasoning — this is the literal file we just fixed; using it makes the article authentic — is plausible but wrong. Authenticity is achieved by realistic-looking fictional values, not by real ones.

The agent doesn't carry a "this string is loaded; that string is inert" intuition. Humans glance at a chunk of code and clock the difference between $EXAMPLE_PWD and k9X#mPq2!ZnVw3 in milliseconds. The agent reads them as similar tokens of similar shape. The asymmetric cost — placeholder = free, real value = credential rotation event — is something an experienced engineer feels in their gut and an LLM doesn't.

The human reviewer skims. Even when a human is in the loop, the article looks fine on a quick read. The code block is doing the right thing structurally. The advice around it is correct. Unless the reviewer is specifically scanning for credential-shaped strings, the bad line slides past.

The rule that prevents it

One sentence:

Any credential-shaped value in any public artifact must be a fabricated placeholder.

Public artifact = web page, blog post, README, slide deck, social-media post, public Git commit, email to anyone outside the inner circle. Credential-shaped = password, API key, token, private key, OAuth secret, recovery code, anything that resembles base64/hex over 16 characters.

Valid placeholders look like this:

YOUR_PASSWORD_HERE
<REDACTED>
$EXAMPLE_PWD
xxxxx_redacted_xxxxx
ghp_yourTokenHere
s3cr3t_2024!     # fictional but realistic-looking

Any of these convey the structure of the line ("this is where the password goes") without putting a loaded weapon in front of every scraper on the internet.

The architectural fix the article was supposed to land on

So you don't lose the actual technical content this slot was meant for, here's the pattern, with placeholders done correctly.

Move credentials out of world-readable ~/.bashrc into a 0600 file the bashrc sources:

# ~/.mysql_env.sh — mode 0600 (owner-only)
export MYSQL_HOST="127.0.0.1"
export MYSQL_USER="$YOUR_DB_USER"
export MYSQL_PWD="$YOUR_DB_PASSWORD"
export MYSQL_DATABASE="$YOUR_DB_NAME"

Also write a 0600 ~/.my.cnf for the MySQL/MariaDB CLI to auto-read:

# ~/.my.cnf — mode 0600
[client]
host     = 127.0.0.1
user     = YOUR_DB_USER
password = YOUR_DB_PASSWORD
database = YOUR_DB_NAME

And source the env file from .bashrc only if it exists:

# ~/.bashrc — mode 0644 (world-readable). No secrets in this file.
[ -f "$HOME/.mysql_env.sh" ] && source "$HOME/.mysql_env.sh"

Both 0600 files. Both owner-only. Verify with ls -la after creation — the mode should display as -rw-------. If it shows -rw-r--r--, you've moved the password into a different file but kept it world-readable, which is the worst of all possible outcomes.

And the Ansible role that enforces it

If you're deploying this pattern across a fleet, the playbook should include a verification step that fails the run if the credential leaks back into a managed file:

- name: Verify .bashrc no longer contains the active password
  shell: |
    grep -c -F -- '{{ db_password }}' {{ user_home }}/.bashrc || echo 0
  register: pwd_check
  failed_when: pwd_check.stdout | int > 0
  no_log: true     # never echo the password value to Ansible stdout

Two important pieces. First, -F (fixed-string match) so the grep doesn't choke on regex special characters in the password. Second, no_log: true so the password isn't sprayed across Ansible's stdout where someone might paste it into Slack later. Both nuances matter.

And tell your AI agents

If you work with AI coding agents — any of them, any vendor — bake this rule into the system prompt or operational guide they read at every session:

When writing any public-facing content about secrets, security, credentials, or sensitive configuration: every credential-shaped value in the artifact MUST be a fabricated placeholder. Never the literal value from any real file, even when discussing how to migrate away from that exact bad pattern.

The agent will follow it. The agents can be careful about this. They just need to be told.

The hidden tiger has teeth. So does the assistant that helps you train it. Watch both.

Next: One File, Whole Fleet.

All .bashrc articles