This week: 4 repos in the scanned fleet exposed this category (12 matches).See Radar #4 →

What it is

PKCS#12 is a binary archive format that packages a private key together with its certificate chain, usually protected by a password. It is widely used for TLS client certs and code-signing identities.

Why it matters for AI context

Because a .p12 contains a private key, an assistant reading it (or its password from nearby config) can expose signing material. These files should be treated like any other private key.

How to keep it out of AI tools

  1. Store .p12/.pfx identities in a secrets manager, not the repo.
  2. Add *.p12 and *.pfx to .gitignore.
  3. Add the same patterns to your AI ignore file.
  4. Rotate certificates whose keystore may have leaked.
Add to your ignore file
*.p12
*.pfx

Ignore files that exclude this

FAQ

Is a password-protected .p12 safe to commit?
No. Passwords are often weak or stored nearby, and committing the file still exposes it to anything that reads the repo, including AI tools.

Check your own project

158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:

Run the same local check with Offsend CLI:

brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-run

Everything runs locally. No file contents are uploaded.