sensitive-file/htpasswd
.htpasswd file
high | Sensitive file | sensitive-file
What it detects
An Apache/nginx basic-auth file containing usernames and hashed user passwords. The hashes are easy to brute-force if they use MD5 or SHA1.
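To triage a finding, it helps to know which entries use the MD5 or SHA1 schemes mentioned above. The following is an added example, not the scanner's own code: it reads an htpasswd-style file and reports the hash scheme per user without ever emitting the hash itself. The names `classify`, `audit` and `SAMPLE` are hypothetical, and the sample entries are constructed placeholders.

```python
import re

# Hash prefixes used in htpasswd-style files. "weak" marks the MD5 and SHA1
# schemes that the rule text calls easy to brute-force.
SCHEMES = [
    (re.compile(r"^\$apr1\$"), "md5-apr1", True),
    (re.compile(r"^\$1\$"), "md5-crypt", True),
    (re.compile(r"^\{SHA\}"), "sha1", True),
    (re.compile(r"^\$2[aby]\$"), "bcrypt", False),
    (re.compile(r"^\$[56]\$"), "sha2-crypt", False),
]


def classify(hash_field):
    """Return (scheme, weak) for one hash field; unknown formats are not guessed."""
    for pattern, name, weak in SCHEMES:
        if pattern.match(hash_field):
            return name, weak
    return "unknown", False


def audit(text):
    """Return (line_no, user, scheme, weak) per entry. Hash values are never returned."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a user:hash entry
        user, rest = line.split(":", 1)
        hash_field = rest.split(":", 1)[0]  # nginx permits a trailing :comment
        scheme, weak = classify(hash_field)
        findings.append((line_no, user, scheme, weak))
    return findings


# Constructed sample: the hash bodies are placeholders, not real digests.
SAMPLE = """\
# staging basic auth
alice:$apr1$PLACEHLD$CONSTRUCTEDCONSTRUCTED
bob:{SHA}CONSTRUCTEDCONSTRUCTEDCONST=
carol:$2y$10$CONSTRUCTEDCONSTRUCTEDCONSTRUCTEDCONSTRUCTEDCONSTRUCTE:ops
dave:CONSTRUCTED
"""

if __name__ == "__main__":
    for line_no, user, scheme, weak in audit(SAMPLE):
        print(f"line {line_no}: {user} {scheme} {'WEAK' if weak else ''}")
```

The scheme only helps prioritise which accounts to rotate first; every password in a committed file still needs rotating per the remediation.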
Remediation
Rotate all passwords, move auth to an identity provider, and remove the file.
How it runs
Path / basename / content-header match. No content body is stored — only the path.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.