sensitive-file/ssh-key

SSH private key

criticalSensitive filesensitive-file

What it detects

SSH private key (id_rsa/id_ed25519/id_ecdsa/id_dsa). Grants direct access to any host trusting the corresponding public key.

Rotate the key on every server, remove from repo, and store only in ~/.ssh/ or a secrets manager.

Path / basename / content-header match. No content body is stored — only the path.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.