← Back to glossary

.gitignore for PHP Projects

style PHP 5.0+ Beginner

Also Known As

.gitignore PHP PHP gitignore ignore vendor

TL;DR

A well-structured PHP .gitignore excludes vendor/, generated files, IDE configs, .env secrets, and OS artifacts from version control.

Explanation

A PHP project's .gitignore should exclude: vendor/ (reinstallable via composer install — never commit), .env (contains secrets — commit .env.example instead), .env.local, .env.*.local. Build outputs: /public/build/, /public/hot, /storage/*.key. IDE files: .idea/, .vscode/, *.suo, .DS_Store, Thumbs.db. Cache and logs: /var/cache/, /var/log/, /storage/logs/, /storage/framework/cache/. Test artefacts: .phpunit.result.cache, /coverage/. Generated files: bootstrap/cache/*.php (Laravel), var/ (Symfony). Commit composer.lock (ensures reproducible installs) but not composer.phar. Use a global ~/.gitignore_global for IDE-specific patterns so they don't pollute per-project .gitignore with personal tooling preferences.

Common Misconception

✗ The vendor/ directory can be committed to speed up CI. Committing vendor/ bloats the repository history, causes enormous merge conflicts, and means dependency updates are not tracked semantically. composer.lock achieves reproducibility without committing thousands of dependency files.

Why It Matters

A proper .gitignore prevents committing sensitive files (.env, credentials), generated files (vendor/, cache/), and IDE metadata — keeping the repository clean and secrets out of version control.

Common Mistakes

Not ignoring .env — database passwords and API keys committed to version control.
Not ignoring vendor/ — bloats the repository; should be installed via composer install.
Not ignoring IDE files (.idea/, .vscode/) — pollutes the repo with developer-specific settings.
Not ignoring generated files (storage/, cache/, *.log) that change constantly and produce noisy diffs.

Code Examples

✗ Vulnerable

# Missing .gitignore entries — common PHP mistakes:
# .env committed with DB_PASSWORD=secret123
# vendor/ tracked — 50MB of dependencies in git history
# storage/logs/*.log tracked — log files in version control

# Correct .gitignore:
.env
vendor/
storage/
*.log
.idea/
.vscode/
*.cache

✓ Fixed

# .gitignore for PHP projects

# Dependencies
/vendor/

# Environment
.env
.env.local
.env.*.local

# Build artifacts
/public/build/
/public/hot/
*.phar

# Framework caches
/bootstrap/cache/
/storage/
!/storage/.gitkeep

# IDE
.idea/
.vscode/
*.swp

# OS
.DS_Store
Thumbs.db

# Test artifacts
/coverage/
.phpunit.result.cache

# Logs
*.log

# NEVER ignore:
# composer.lock  — always commit this
# .env.example   — commit template, never the real .env

References

↗ https://www.toptal.com/developers/gitignore/api/php,composer,phpstorm

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,444 terms, single voice. About this reference →

Rate this term

5.0 (1 rating)

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 1

No pings yesterday

Amazonbot 16 Perplexity 12 Ahrefs 3 Google 2 ChatGPT 2 Majestic 1

Also referenced

CHANGELOG — Keeping a Good One 34 Twelve-Factor App 33 Composer & Dependency Management 29 EditorConfig for PHP Projects 27

How they use it

crawler 35 crawler_json 1

Related categories

php 6.3k architecture 1.8k style 987

⚡ DEV INTEL Tools & Severity

🟢 Low ⚙ Fix effort: Low

⚡ Quick Fix

Use GitHub's PHP gitignore template as a starting point — the essential rules: /vendor/, .env (never /.env.example), /storage/, /cache/, *.log, .phpunit.cache

📦 Applies To

PHP 5.0+ web cli

🔗 Prerequisites

configuration management Developer Experience (DX) Docker Multi-Stage Builds

🔍 Detection Hints

vendor/ committed to git; .env file committed; cache or log files in repo; IDE config files committed without .gitignore

Auto-detectable: ✓ Yes git gitleaks

⚠ Related Problems

Hardcoded Credentials Developer Experience (DX) configuration management

🤖 AI Agent

Confidence: Medium False Positives: Low ✓ Auto-fixable Fix: Low Context: File

CWE-312