As you might know, it isn’t a good idea to store any kind of credentials under your VCS (like git).

Although if you have some private gems you probably wrote this on your Gemfile:

  source ''

And then someone told you you should have the username and password stored in Environment Variables so you went and assigned the username and password to them and your Gemfile became like this:

  source "https://#{ENV['USERNAME']}:#{ENV['PASSWORD']}"

But… did you notice what happens when you run bundle?

Your Gemfile.lock now has the username and password written there, so much for the environment variables right?

The bundler team heard your prayers and they actually implemented something to solve this problem!

So all you need to do is go back to your Gemfile and remove the credentials from the url like so:

  source ""

And now create an environment variable called BUNDLE_GEMSERVER__COM, this will match the url where the dot (.) becomes two underscores (__).

I would suggest you to wrap those two ENV’s with the new BUNDLE_*, specially if you have to go and change your continuous integration setup and then you have to go and change your staging and production servers, or maybe you are already using those values somewhere in your project, don’t worry you can wrap them like so:


This is the equivalent of doing the following:


Now all you have to do is go through all the stages of your project that need that ENV and you will be fine.

Also, you might have to update your bundler, I’ve updated mine to 1.10.6 as version 1.7.4 didn’t had this feature.

Thank you for reading.

David Silva