OpenSSH private key
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
An OpenSSH private key header was found. It can be used to SSH into any host that trusts the matching public key.
Why it matters
A committed OpenSSH private key can be used to SSH into any host that trusts the matching public key. That is direct server access for anyone who reads the repo. The key stays in git history after removal.
How to fix it
Remove the key from source, add it to .gitignore, and store SSH keys outside the repo (for example in ~/.ssh or an SSH agent). Rotate the key: remove the exposed public key from authorized_keys everywhere and deploy a new pair.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo