sensitive-file/private-key

Private key file

Severity: critical | Category: Sensitive file | Rule family: sensitive-file

What it detects

Private cryptographic key file (.pem/.key). Should never be committed — used to sign tokens, authenticate to TLS endpoints, or decrypt data.

Remediation

Remove from repo, rotate the key, and move to a secrets manager (Vault, AWS Secrets Manager, GCP Secret Manager).

How it runs

Path / basename / content-header match. No content body is stored — only the path.
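As an added illustration of a scanner built this way (example code, not the tool's own implementation): extension/basename match first, then a PEM private-key header check on the first lines of the file, reporting only the path and never the key material. The header list, the sample files and the .repoguardignore semantics (one path or directory prefix per line, `#` comments) are assumptions made for this example.

```python
import re
from pathlib import PurePosixPath

# Extensions the rule matches on by path (from the rule text: .pem/.key).
KEY_EXTENSIONS = {".pem", ".key"}

# Assumed PEM armour headers for private keys; checked only against the file head,
# so keys hidden under an innocuous name (id_rsa, server.txt) are still caught.
PEM_PRIVATE_KEY_HEADER = re.compile(
    r"^-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----", re.M
)

def is_ignored(path, ignore_lines):
    """Assumed .repoguardignore semantics: exact path or directory prefix per line."""
    for line in ignore_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if path == line or path.startswith(line.rstrip("/") + "/"):
            return True
    return False

def scan(files, ignore_lines=()):
    """files: {path: first bytes of content}. Returns findings carrying only the path."""
    hits = []
    for path, head in files.items():
        if is_ignored(path, ignore_lines):
            continue
        reason = None
        if PurePosixPath(path).suffix.lower() in KEY_EXTENSIONS:
            reason = "basename"
        elif PEM_PRIVATE_KEY_HEADER.search(head.decode("utf-8", "replace")):
            reason = "content-header"
        if reason:
            hits.append({"rule": "sensitive-file/private-key", "path": path, "match": reason})
    return hits

# Constructed sample repository (no real key material).
SAMPLE_FILES = {
    "deploy/server.key": b"-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n",
    "config/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3Bl...placeholder...\n",
    "docs/notes.txt": b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n",
    "README.md": b"# service\n",
    "test/fixtures/dummy.pem": b"-----BEGIN PRIVATE KEY-----\ntest fixture\n",
}
SAMPLE_IGNORE = ["# suppressed test fixtures", "test/fixtures/"]

def demo():
    return scan(SAMPLE_FILES, SAMPLE_IGNORE)
```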

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.