Error
Detected a private key in the code.
Why this matters
Private keys enable impersonation and decryption. SSH keys grant server access, PGP keys can forge signatures, and TLS keys compromise encrypted communications. Any exposure requires immediate rotation.
Detected patterns
Matches these PEM header lines:
- RSA private keys (-----BEGIN RSA PRIVATE KEY-----)
- DSA private keys (-----BEGIN DSA PRIVATE KEY-----)
- EC private keys (-----BEGIN EC PRIVATE KEY-----)
- OpenSSH private keys (-----BEGIN OPENSSH PRIVATE KEY-----)
- PGP private key blocks (-----BEGIN PGP PRIVATE KEY BLOCK-----)
How to fix
Remove the key from the repository immediately.
Store keys outside the repo -- use SSH agent, an encrypted vault, or cloud KMS.
Load keys from the environment at runtime:
keyPath := os.Getenv("PRIVATE_KEY_PATH")
key, err := os.ReadFile(keyPath)
If the key was exposed, rotate it: generate a new key, update all systems that use the old one, then revoke it.
Configuration
To skip detection for test fixtures, disable the pattern:
[validators.secrets]
disabled_patterns = ["private-key-rsa"]
Or allow specific test key filenames:
[validators.secrets]
allow_list = [
"test[_-]key",
"example[_-]key",
]
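The header list under "Detected patterns" and the filename allow list above can be combined into a small scanner. This is an added example, not klaudiush's own implementation; `ScanFile` and `Finding` are hypothetical names, and it assumes allow_list entries are regular expressions matched against the file's base name.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// PEM header lines taken from the "Detected patterns" list on this page.
var pemHeader = regexp.MustCompile(
	`-----BEGIN (RSA PRIVATE KEY|DSA PRIVATE KEY|EC PRIVATE KEY|OPENSSH PRIVATE KEY|PGP PRIVATE KEY BLOCK)-----`)

// Assumption: allow_list entries are regexes applied to the file's base name.
var allowList = []*regexp.Regexp{
	regexp.MustCompile(`test[_-]key`),
	regexp.MustCompile(`example[_-]key`),
}

// Finding records where a private-key header was seen (hypothetical type).
type Finding struct {
	Path string
	Line int
	Kind string
}

// ScanFile returns one Finding per line containing a listed header,
// or nil when the file name matches the allow list.
func ScanFile(path, content string) []Finding {
	base := filepath.Base(path)
	for _, re := range allowList {
		if re.MatchString(base) {
			return nil
		}
	}
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		if m := pemHeader.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Path: path, Line: i + 1, Kind: m[1]})
		}
	}
	return out
}

func main() {
	// Constructed sample: a header line only, no key material.
	leaked := "package cfg\n\nconst k = `-----BEGIN EC PRIVATE KEY-----\n...\n`\n"
	fmt.Println(ScanFile("internal/cfg/keys.go", leaked))  // one finding on line 3
	fmt.Println(ScanFile("testdata/test_key.pem", leaked)) // allow-listed, no findings
}
```

The regex follows the list on this page exactly, so the unlabelled PKCS#8 header (`-----BEGIN PRIVATE KEY-----`) is not matched by this example.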
Git history cleanup
If a key was already committed, strip it from history with git-filter-repo:
git filter-repo --invert-paths --path path/to/private.key
Hook output
When this error is triggered, klaudiush writes JSON to stdout:
permissionDecisionReason (shown to Claude):
[SEC003] Potential secrets detected: private key found in code. Remove private key from code; use secure key storage.
systemMessage (shown to user): Formatted error with fix hint and reference URL.
additionalContext (behavioral guidance):
Automated klaudiush validation check. Fix the reported errors and retry the same command.