sensitive-file/kubeconfig
Kubernetes kubeconfig
critical · Sensitive file · sensitive-file
What it detects
Kubernetes kubeconfig file with embedded cluster CA, user tokens, and/or client certs.
Remediation
Rotate any tokens and client certificates the file contains, remove the file from the repo, and switch to short-lived auth (OIDC, exec plugins).
How it runs
Path / basename / content-header match. No content body is stored — only the path.
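An added example, not the scanner's own code: a content check that recognises a kubeconfig by its header, lists which embedded fields need rotation, and notes whether the file already uses a credential plugin. The field names are real kubeconfig keys; the choice of keys, the function names and the sample files are assumptions made for illustration.

```python
import re

# Real kubeconfig field names; that a scanner keys on exactly these is an assumption.
ROTATE_KEYS = {"token", "password", "client-key-data", "client-certificate-data"}
SHORT_LIVED_KEYS = {"exec", "auth-provider"}  # credential plugins, e.g. OIDC
KEY_LINE = re.compile(r"^\s*(?:-\s+)?([A-Za-z-]+)\s*:\s*(\S.*)?$")

def looks_like_kubeconfig(text):
    """Content-header check: kind: Config plus a top-level clusters list."""
    return bool(re.search(r"^kind:\s*Config\s*$", text, re.M)
                and re.search(r"^clusters:", text, re.M))

def audit_kubeconfig(text):
    """Report key names and line numbers only; values are never kept."""
    report = {"kubeconfig": looks_like_kubeconfig(text),
              "rotate": [], "ca_embedded": False, "short_lived": []}
    if not report["kubeconfig"]:
        return report
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in ROTATE_KEYS and value:
            report["rotate"].append((key, lineno))
        elif key == "certificate-authority-data" and value:
            report["ca_embedded"] = True
        elif key in SHORT_LIVED_KEYS:
            report["short_lived"].append((key, lineno))
    return report

# Constructed samples: placeholder values, not real credentials.
HEAD = ("apiVersion: v1\nkind: Config\nclusters:\n- name: demo\n  cluster:\n"
        "    server: https://cluster.example.invalid:6443\n")
STATIC = HEAD + ("    certificate-authority-data: Q09OU1RSVUNURUQ=\n"
                 "users:\n- name: dev\n  user:\n"
                 "    client-key-data: Q09OU1RSVUNURUQ=\n"
                 "    token: constructed-placeholder\n")
EXEC = HEAD + ("users:\n- name: dev\n  user:\n    exec:\n"
               "      command: example-credential-helper\n")

if __name__ == "__main__":
    for name, sample in (("static", STATIC), ("exec", EXEC)):
        print(name, audit_kubeconfig(sample))
```

A non-empty `rotate` list means the file carries long-lived material that stays valid until it is revoked; a file whose users section has only `exec` or `auth-provider` entries holds no static secret.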
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.