Certificates and PEM keys (.pem)
.pem files store certificates and keys in a base64 PEM container. They often include private keys, which AI assistants should never index.
This week: 21 repos in the scanned fleet exposed this category (578 matches).See Radar #4 →
What it is
PEM is a text encoding used for X.509 certificates, RSA/EC private keys, and certificate chains. A single .pem can hold a public certificate, a private key, or both.
Why it matters for AI context
Because PEM files commonly bundle private keys, an assistant that reads them can pull signing or TLS secrets into its context. Public certificates are low risk, but the file format makes it hard to tell them apart automatically.
How to keep it out of AI tools
- Separate public certificates from private keys and keep private material out of the repo.
- Add *.pem to .gitignore unless a file is verified to be a public certificate only.
- Add *.pem to your AI ignore file to keep private keys out of assistant context.
- Rotate any private key found in committed PEM files.
*.pem
*.key
certs/Ignore files that exclude this
FAQ
- Are all .pem files sensitive?
- No — a .pem can be a public certificate. But because the format also carries private keys, treat .pem as sensitive unless you have confirmed otherwise.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.