pre-commit "detect-private-key" fails in CI
The detect-private-key hook scans staged content for private-key markers such as "BEGIN RSA PRIVATE KEY". If it matches, it fails the run so a secret is not committed.
What this error means
The hook prints "Failed" and names a file containing a private-key header, blocking the commit or the CI check.
pre-commit
Detect Private Key.........................................Failed
- hook id: detect-private-key
- exit code: 1
config/id_rsa: Private key foundCommon causes
A real private key was committed
A key file was added to the repo and the hook correctly blocks it as a secret leak.
A test fixture contains a key-like string
A sample or fixture with a "BEGIN ... PRIVATE KEY" block triggers the hook even though it is not a live secret.
How to fix it
Remove the key and rotate it
- Delete the key from the repo and scrub it from history.
- Rotate the key if it was ever real.
- Re-run so the hook passes.
Terminal
git rm --cached config/id_rsa
echo "config/id_rsa" >> .gitignoreExclude a genuine non-secret fixture
If the match is a known test fixture, scope the hook to exclude that path.
.pre-commit-config.yaml
- id: detect-private-key
exclude: '^tests/fixtures/'How to prevent it
- Keep real keys in secrets, never in the repo.
- Scope the hook to exclude known test fixtures explicitly.
- Rotate any key that reached version control.
Related guides
pre-commit "check-added-large-files" fails in CIFix pre-commit "check-added-large-files" failing in CI - a committed file exceeds the size limit, so the hook…
pre-commit "trailing-whitespace" modifies files and fails in CIFix pre-commit "trailing-whitespace" failing in CI - the hook strips trailing whitespace, which counts as a f…
pre-commit only checks changed files in CI (missing --all-files)Fix pre-commit checking only changed files in CI - without --all-files pre-commit runs against the staged dif…