Claude Code should detect and refuse to commit credential/key files

Resolved 💬 3 comments Opened Feb 24, 2026 by emmiford Closed Feb 27, 2026

Summary

Claude Code will happily git add and commit files containing live device credentials, signing keys, and other secrets without any warning or pushback. It should recognize common sensitive file patterns and either refuse or at minimum flag them before committing.

Real-world example

During a firmware debugging session, Claude Code committed a Sidewalk MFG provisioning hex (mfg.hex) containing live device private keys and certificates to a public GitHub repo. The commit message even described what it was doing — "Re-provision MFG hex to restore private keys" — but Claude didn't recognize the contradiction of committing private keys to a public repo.

The file sat in the repo for two weeks before a human noticed and removed it.

What should have happened

Claude Code should have:

  1. Recognized that a file named mfg.hex containing key material is sensitive
  2. Noticed the commit message itself mentioned "private keys"
  3. Warned the user before staging/committing: "This file appears to contain device credentials. Are you sure you want to commit it?"
  4. Suggested adding it to .gitignore

Broader pattern

This isn't just about .hex files. Claude Code should have built-in awareness of common secret/credential patterns:

  • Key files (.pem, .key, .p12, .pfx, .jks)
  • Credential stores and provisioning data (MFG hex, .bin key dumps)
  • Environment files (.env, .env.local)
  • Cloud credentials (credentials.json, service-account.json)
  • Token files, API key files
  • Anything where the commit message or file contents reference "private key", "secret", "credential", "password"

The system prompt mentions "Do not commit files that likely contain secrets (.env, credentials.json, etc)" but this guidance is too narrow and easily missed when Claude is focused on solving a technical problem (in this case, fixing PSA crypto errors after a reflash).

Suggested improvement

Add a pre-commit check within Claude Code itself (not relying on user-configured hooks) that scans staged files against a broad pattern list and flags potential secrets before committing.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗