
Neon Branch Passwords Committed to Git — A Full Audit


Neon creates a new Postgres branch per preview environment, each with its own connection string. AI tools love to commit `.env.preview.neon` to fix build errors. Here's how to find and rotate them all.

April 25, 2026 · VibeWShield Team · 1 min read

Neon's branch-per-preview architecture is a superpower — until every preview writes its own .env file and one of them lands in git.

Detect

git log --all -p -- '.env.*' 2>/dev/null | grep -oE "postgres(ql)?://[^@]+@[^/]+\.neon\.tech" | sort -u

Every line is a credential that lives in git history in perpetuity. The pathspec is quoted so git, not the shell, matches it and deleted files are included; grep -E has no (?:...) syntax, so the optional "ql" is a plain group, and -o prints just the connection string rather than the whole diff line, which is what makes sort -u deduplicate properly.
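The same detection as a small Python script (an added example, not from the original post or from VibeWShield): it parses the output of the Detect command's git half, `git log --all -p -- '.env.*'`, keys each Neon credential by role@host so you know exactly which roles to reset, and redacts passwords in anything it reports. `SAMPLE` is a constructed patch; its hostname, hashes and password are made up.

```python
import re

# The Detect pattern as a Python regex (re supports (?:...); grep -E does not),
# with named groups so the password can be left out of the report.
NEON_URL = re.compile(
    r"postgres(?:ql)?://(?P<role>[^:@/\s]+):(?P<password>[^@\s]+)@"
    r"(?P<host>[^/\s?]+\.neon\.tech)"
)
COMMIT_LINE = re.compile(r"^commit ([0-9a-f]{7,40})\b")
FILE_LINE = re.compile(r"^\+\+\+ b/(.+)$")

def redact(url: str) -> str:
    """Replace the password in a Neon URL with *** so the report is safe to share."""
    return re.sub(r"(://[^:@/\s]+:)[^@\s]+@", r"\1***@", url)

def inventory(patch_text: str) -> dict:
    """Map role@host -> {commits, files} for every Neon URL in `git log -p` text.
    Added (+) and removed (-) lines both count: deleting the line later does not
    take the password out of history, so the role still needs a reset."""
    found: dict = {}
    commit, path = "?", "?"
    for line in patch_text.splitlines():
        if m := COMMIT_LINE.match(line):
            commit = m.group(1)[:12]
        elif m := FILE_LINE.match(line):
            path = m.group(1)
        elif line.startswith(("+", "-")):
            for m in NEON_URL.finditer(line):
                entry = found.setdefault(f"{m['role']}@{m['host']}", {"commits": [], "files": set()})
                if commit not in entry["commits"]:
                    entry["commits"].append(commit)
                entry["files"].add(path)
    return found

# Constructed sample of `git log -p` output: a password committed, then removed.
SAMPLE = """commit 1a2b3c4d5e6f7a8b
+++ b/.env.preview.neon
@@ -0,0 +1 @@
+DATABASE_URL=postgresql://app:hunter2@ep-cool-preview-123456.us-east-2.aws.neon.tech/neondb?sslmode=require
commit 9f8e7d6c5b4a3f2e
+++ b/.env.preview.neon
@@ -1 +1 @@
-DATABASE_URL=postgresql://app:hunter2@ep-cool-preview-123456.us-east-2.aws.neon.tech/neondb?sslmode=require
+DATABASE_URL=${DATABASE_URL}
"""

for key, entry in inventory(SAMPLE).items():
    print(f"{key}: {len(entry['commits'])} commit(s), files {sorted(entry['files'])}")
```

On the sample, the one role shows up in both commits even though the second commit deleted the line, which is the point: removal is not rotation.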

Rotate

Neon's dashboard → Branches → each branch → Roles → Reset password. Do this for every branch you found, starting with main. Then rebuild your preview environments.

Prevent

  • .gitignore your .env* files and add a pre-commit hook (pre-commit-hook-forbid-secrets).
  • Use Neon's "Preview" role type (read-only) for preview branches by default.
  • Rotate main branch credentials monthly.

Audit with VibeWShield

We scan deployed bundles, not your git — but the Secrets scanner catches the neon.tech connection string if it leaked into a JS chunk, which is the more common failure mode.


VibeWShield automatically scans for everything covered in this article and more — 18 security checks in under 3 minutes.
