Sensitive Paths

Configure custom high-risk paths for your repositories

Overview

Sensitive paths allow you to define custom glob patterns that mark specific files or directories as high-risk. When a pull request modifies files matching these patterns, Axiomo will flag them in the analysis and increase the risk score accordingly.

This is useful for repositories with domain-specific sensitive areas that aren't covered by the default patterns, such as internal APIs, proprietary algorithms, or compliance-related code.

Default Patterns

Axiomo automatically detects changes to common sensitive paths. Your custom patterns are added to these defaults:

Pattern                    Category
**/auth/**                 Authentication
**/security/**             Security
**/payments/**             Payments
**/.github/workflows/**    CI Config
**/terraform/**            Infrastructure
**/migrations/**           Database Migrations
**/.env*                   Environment

Adding Custom Patterns

You can configure custom sensitive paths for each repository in your Settings page.

1. Navigate to Settings

Go to your Account Settings and scroll to the "Repository Settings" section.

2. Add Repository Configuration

Enter the repository name in owner/repo format and add your sensitive path patterns.

Example patterns:

src/internal/**
**/api/v1/admin/**
config/production.yml
**/compliance/**

3. Analyze PRs

When you analyze a PR for the configured repository, your custom patterns will automatically be applied. Files matching your patterns will appear in the "Governance" section of the analysis.

Pattern Syntax

Sensitive path patterns use glob syntax for flexible matching:

Pattern    Matches
*          Any run of characters except /
**         Any run of characters including / (recursive)
?          Any single character
[abc]      Any one character from the set

Tip: Use ** prefix for deep matching

Patterns like **/secrets/** will match files in any subdirectory, while secrets/** only matches at the root.

API Access

You can also manage sensitive paths via the API. See the API Reference for details.

Save Configuration
curl -X POST https://axiomo.app/api/repos/github/owner/repo/config \
  -H "Cookie: axiomo_session=YOUR_SESSION" \
  -H "Content-Type: application/json" \
  -d '{
    "sensitive_paths": [
      "src/internal/**",
      "**/api/v1/admin/**"
    ]
  }'

How It Works

When you analyze a PR, Axiomo checks each changed file against both the default patterns and your custom patterns. Files matching any pattern are:

  • Listed in the Governance section of the signal
  • Weighted in the Risk Assessment calculation
  • Highlighted in the Focus Files for review priority

Custom patterns receive a weight of 0.30 in the risk calculation, similar to configuration files. This ensures they contribute meaningfully to the overall risk score without overwhelming other signals.
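The matching rules in the Pattern Syntax table and the per-file check described under How It Works can be exercised together in a small matcher. The code below is an added example, not Axiomo's own implementation: it translates each glob into an anchored regular expression using the semantics from the syntax table, treats a leading `**/` as "zero or more directories" so that `**/auth/**` also matches a top-level `auth/` directory (an assumption; the page only says such patterns match "in any subdirectory"), and then runs the default patterns plus the page's example custom patterns over a constructed list of changed files. The `0.30` weight is the value the page states for custom matches; the default-category weights are not given on the page, so none are assumed here.

```python
import re

# Default patterns and categories, as listed on the page.
DEFAULT_PATTERNS = {
    "**/auth/**": "Authentication",
    "**/security/**": "Security",
    "**/payments/**": "Payments",
    "**/.github/workflows/**": "CI Config",
    "**/terraform/**": "Infrastructure",
    "**/migrations/**": "Database Migrations",
    "**/.env*": "Environment",
}

# Weight the page states for files matched by a custom pattern.
CUSTOM_WEIGHT = 0.30


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate one sensitive-path glob into an anchored regex.

    Semantics taken from the page's syntax table:
      *      any run of characters except '/'
      **     any run of characters including '/'
      ?      one character other than '/'
      [abc]  one character from the set (passed through to the regex)
    Assumption: a leading '**/' (or '**/' right after a '/') matches zero or
    more directory components, so '**/secrets/**' also matches 'secrets/x'.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            if pattern.startswith("**/", i) and (i == 0 or pattern[i - 1] == "/"):
                out.append("(?:.*/)?")   # optional run of directories
                i += 3
                continue
            if pattern.startswith("**", i):
                out.append(".*")         # recursive: crosses '/'
                i += 2
                continue
            out.append("[^/]*")          # single segment only
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j != -1:
                out.append(pattern[i:j + 1])  # character class as written
                i = j + 1
                continue
            out.append(re.escape(c))      # unterminated '[' is literal
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def classify_changed_files(changed_files, custom_patterns):
    """Map each flagged path to the (pattern, category) pairs it matched.

    Custom patterns are tagged with the category "Custom"; files matching
    nothing are omitted, mirroring the 'files matching any pattern' rule.
    """
    compiled = [(p, cat, glob_to_regex(p)) for p, cat in DEFAULT_PATTERNS.items()]
    compiled += [(p, "Custom", glob_to_regex(p)) for p in custom_patterns]
    hits = {}
    for path in changed_files:
        matched = [(p, cat) for p, cat, rx in compiled if rx.match(path)]
        if matched:
            hits[path] = matched
    return hits


def custom_weight_total(hits):
    """Sum the page's 0.30 weight once per file that hit a custom pattern."""
    return round(sum(
        CUSTOM_WEIGHT for matched in hits.values()
        if any(cat == "Custom" for _, cat in matched)
    ), 2)


# The example patterns from the page, used as this repository's custom config.
CUSTOM_PATTERNS = [
    "src/internal/**",
    "**/api/v1/admin/**",
    "config/production.yml",
    "**/compliance/**",
]

# Constructed list of files changed by a hypothetical pull request.
SAMPLE_CHANGED_FILES = [
    "src/internal/cache.go",
    "services/api/v1/admin/users.py",
    "config/production.yml",
    "src/auth/login.py",
    "infra/terraform/main.tf",
    ".env.production",
    "docs/authors.md",   # 'auth' is a substring, not a directory: must not match
    "README.md",
]

if __name__ == "__main__":
    flagged = classify_changed_files(SAMPLE_CHANGED_FILES, CUSTOM_PATTERNS)
    for path, matched in flagged.items():
        print(f"{path}: {matched}")
    print("custom weight total:", custom_weight_total(flagged))
```

The `docs/authors.md` entry is there on purpose: because `*` and `**` are translated segment-aware and the pattern carries a trailing `/`, a directory pattern such as `**/auth/**` does not fire on an unrelated path that merely contains the letters `auth`. Substituting `secrets/**` for `**/secrets/**` in `CUSTOM_PATTERNS` shows the root-only behaviour the tip above describes.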