sensitive-file/keystore
Keystore / certificate bundle
critical | Sensitive file | sensitive-file
What it detects
Binary key/certificate container (.pfx/.p12/.jks/.keystore). Usually holds private keys plus a password.
Remediation
Delete from repo and rotate both the key and its password.
How it runs
Path / basename / content-header match. No content body is stored — only the path.
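A path, basename and content-header check of this kind can be sketched as follows. This is an added example, not the scanner's own code: the function names are hypothetical, and the JKS/JCEKS magic numbers and the PKCS#12 ASN.1 prefix are assumptions about what a header match would look for. It goes slightly beyond the listed extensions by also catching containers that were renamed.

```python
import os
import tempfile
from typing import Optional

KEYSTORE_NAMES = {".pfx", ".p12", ".jks", ".keystore"}  # extensions listed by the rule
JAVA_MAGICS = (bytes.fromhex("feedfeed"), bytes.fromhex("cececece"))  # JKS, JCEKS (assumed)

def looks_like_pkcs12(head: bytes) -> bool:
    """ASN.1 SEQUENCE whose first element is INTEGER 3, the PFX version field."""
    if len(head) < 5 or head[0] != 0x30:
        return False
    first = head[1]
    # Short and indefinite lengths take one octet; long form adds (first & 0x7F) more.
    skip = 2 if first <= 0x80 else 2 + (first & 0x7F)
    return head[skip:skip + 3] == b"\x02\x01\x03"

def classify(path: str) -> Optional[str]:
    """Return why a file matches, or None. Only the first 16 bytes are read."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
    except OSError:
        head = b""
    if head[:4] in JAVA_MAGICS or looks_like_pkcs12(head):
        return "content-header"
    name = os.path.basename(path).lower()
    if name in KEYSTORE_NAMES:
        return "basename"
    return "path" if os.path.splitext(name)[1] in KEYSTORE_NAMES else None

def scan(root: str) -> list:
    """Walk a checkout and return (relative path, reason) pairs; no file content is kept."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def demo() -> list:
    """Build a constructed sample tree (dummy bytes, no real keys) and scan it."""
    samples = {"server.pfx": b"dummy", ".keystore": b"", "logo.bin": JAVA_MAGICS[0] + b"\0" * 8,
               "backup.dat": b"\x30\x82\x09\x00\x02\x01\x03\x30", "cert.der": b"\x30\x82\x03\x00\x30\x82\x02"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```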
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.