sensitive-file/pypirc-auth

.pypirc with auth

highSensitive filesensitive-file

What it detects

.pypirc typically stores PyPI upload credentials or tokens (publishing supply-chain risk).

Remove from repo and rotate the PyPI token.

Path / basename / content-header match. No content body is stored — only the path.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.