PKCS#12 keystores (.p12, .pfx)
PKCS#12 files (.p12, .pfx) bundle a certificate with its private key — common for code signing and client authentication.
This week: 4 repos in the scanned fleet exposed this category (12 matches).See Radar #4 →
What it is
PKCS#12 is a binary archive format that packages a private key together with its certificate chain, usually protected by a password. It is widely used for TLS client certs and code-signing identities.
Why it matters for AI context
Because a .p12 contains a private key, an assistant reading it (or its password from nearby config) can expose signing material. These files should be treated like any other private key.
How to keep it out of AI tools
- Store .p12/.pfx identities in a secrets manager, not the repo.
- Add *.p12 and *.pfx to .gitignore.
- Add the same patterns to your AI ignore file.
- Rotate certificates whose keystore may have leaked.
*.p12
*.pfxIgnore files that exclude this
FAQ
- Is a password-protected .p12 safe to commit?
- No. Passwords are often weak or stored nearby, and committing the file still exposes it to anything that reads the repo, including AI tools.
Check your own project
158 of 499 repos this week exposed sensitive paths to AI tools. Check yours in seconds:
Run the same local check with Offsend CLI:
brew install --cask offsend/tap/offsend-cli
offsend show
offsend prepare --dry-runEverything runs locally. No file contents are uploaded.