This week: 20 repos in the scanned fleet exposed this category (73 matches).See Radar #4 →

What it is

A .key file typically contains a private key in PEM or DER form, used for TLS certificates, code signing, JWT signing, or SSH. Anyone with the key can impersonate the service or decrypt its traffic.

Why it matters for AI context

If a private key sits in the working tree, an AI tool can read its contents, include it in context windows, or surface fragments in generated code or logs. Private keys are among the highest-impact secrets to expose.

How to keep it out of AI tools

  1. Never commit private keys; store them in a secrets manager or environment-specific vault.
  2. Add *.key (and specific filenames) to .gitignore.
  3. Add the same patterns to your AI ignore file so assistants skip them.
  4. Rotate and reissue any key that has been committed or shared.
Add to your ignore file
*.key
*.pem
secrets/

Ignore files that exclude this

FAQ

What is the risk of an AI tool reading a private key?
The key can leak into prompts sent to a model provider or appear in generated output. A leaked private key generally must be rotated immediately.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.