Skip to content
Latchkey

pre-commit "detect-private-key" fails in CI

The detect-private-key hook scans staged content for private-key markers such as "BEGIN RSA PRIVATE KEY". If it matches, it fails the run so a secret is not committed.

What this error means

The hook prints "Failed" and names a file containing a private-key header, blocking the commit or the CI check.

pre-commit
Detect Private Key.........................................Failed
- hook id: detect-private-key
- exit code: 1

config/id_rsa: Private key found

Common causes

A real private key was committed

A key file was added to the repo and the hook correctly blocks it as a secret leak.

A test fixture contains a key-like string

A sample or fixture with a "BEGIN ... PRIVATE KEY" block triggers the hook even though it is not a live secret.

How to fix it

Remove the key and rotate it

  1. Delete the key from the repo and scrub it from history.
  2. Rotate the key if it was ever real.
  3. Re-run so the hook passes.
Terminal
git rm --cached config/id_rsa
echo "config/id_rsa" >> .gitignore

Exclude a genuine non-secret fixture

If the match is a known test fixture, scope the hook to exclude that path.

.pre-commit-config.yaml
- id: detect-private-key
  exclude: '^tests/fixtures/'

How to prevent it

  • Keep real keys in secrets, never in the repo.
  • Scope the hook to exclude known test fixtures explicitly.
  • Rotate any key that reached version control.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →