Claude Code should detect and refuse to commit credential/key files
Summary
Claude Code will happily git add and commit files containing live device credentials, signing keys, and other secrets without any warning or pushback. It should recognize common sensitive file patterns and either refuse or at minimum flag them before committing.
Real-world example
During a firmware debugging session, Claude Code committed a Sidewalk MFG provisioning hex (mfg.hex) containing live device private keys and certificates to a public GitHub repo. The commit message even described what it was doing — "Re-provision MFG hex to restore private keys" — but Claude didn't recognize the contradiction of committing private keys to a public repo.
The file sat in the repo for two weeks before a human noticed and removed it.
What should have happened
Claude Code should have:
- Recognized that a file named
mfg.hexcontaining key material is sensitive - Noticed the commit message itself mentioned "private keys"
- Warned the user before staging/committing: "This file appears to contain device credentials. Are you sure you want to commit it?"
- Suggested adding it to
.gitignore
Broader pattern
This isn't just about .hex files. Claude Code should have built-in awareness of common secret/credential patterns:
- Key files (
.pem,.key,.p12,.pfx,.jks) - Credential stores and provisioning data (MFG hex,
.binkey dumps) - Environment files (
.env,.env.local) - Cloud credentials (
credentials.json,service-account.json) - Token files, API key files
- Anything where the commit message or file contents reference "private key", "secret", "credential", "password"
The system prompt mentions "Do not commit files that likely contain secrets (.env, credentials.json, etc)" but this guidance is too narrow and easily missed when Claude is focused on solving a technical problem (in this case, fixing PSA crypto errors after a reflash).
Suggested improvement
Add a pre-commit check within Claude Code itself (not relying on user-configured hooks) that scans staged files against a broad pattern list and flags potential secrets before committing.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗