Accidentally Committed Sensitive Data

[gascogaskets-sys]

Discussion Type

General

Discussion Content

Hey Im Ganesh form Gasco Inc I accidentally committed an API key to my GitHub repository. I removed it in a later commit, but I’m worried it’s still accessible in the commit history. What is the correct way to completely remove sensitive data from GitHub?

[ultraslayyy]

It is possible. Here are a few steps I used once (I think this is right someone correct me if I'm wrong):

1. Backup main in case something goes wrong. It shouldn't, but just in the off chance:

   git branch main-backup

2. If you want to just remove the secret (e.g. committing it in a file you don't want removed, go to 2.a. If you want to remove the entire file (e.g. accidentally committing .env, go to 2.b)

   a) Rewrite commit history to remove the secret with something like REMOVED_SECRET (replace file with the name of the file containing the secret, and your_secret with the secret that was committed):

   git filter-branch --force --tree-filter '
   if [ -f file ]; then
       sed -i "s/YOUR_SECRET/REMOVED_SECRET/g" file
   fi
   ' -- --all

   b) Rewrite commit history to remove the file from any commit it was in (replace .env with the file):

   git filter-branch --force --index-filter "git rm --cached --ignore-unmatch .env" --prune-empty --tag-name-filter cat -- --all

3. Clean up old history:

   rm -rf .git/refs/original
   git reflog expire --expire=now --all
   git gc --prune=now --aggressive

4. Force push the new history to GitHub:

   git push origin --force --all
   git push origin --force --tags

Warning

Anyone who cloned the repo before this will still have all the old commits with the secret. They'll need to re-clone or reset their branches (which I can help with) to match the newer history. If the repo is public please rotate the secrets as I don't want anyone to have noticed and/or copied them. If it's private it should mostly be fine.

Someone tell me if this is wrong. This is basically a reword of a random .txt I have and made a while ago in case this happened, and it's been a while since I've tested this

[CyberVerve07]

Hey Ganesh! No worries — this happens more often than you’d think. Even if you removed the API key in a later commit, it still exists in your repo’s git history, which means it can be recovered unless you clean it properly.
Here’s how you can completely remove sensitive data from your GitHub repo:

🧼 Step 1: Use git filter-repo (Recommended)
If you have Python installed, this is the safest and fastest way:

• Install the tool:
  pip install git-filter-repo
• Run this in your repo folder:
  git filter-repo --path .env --invert-paths
• (Replace .env with the file that had the API key, or use --replace-text if it was inline)
• Force-push the cleaned history:
  git push origin --force --all
  git push origin --force --tags

🧯 Step 2: Revoke the Leaked Key Immediately
Even if you remove it from history, someone might have already seen it. Go to your API provider (e.g., AWS, Firebase, etc.) and revoke or rotate the key ASAP.

🧹 Step 3: Clear GitHub Cache (Optional)
GitHub might still cache the old data for a while. You can contact GitHub Support and request them to remove cached views of the sensitive data.

🛡️ Pro Tip for the Future

• Add sensitive files (like .env, config.json, etc.) to your .gitignore
• Use tools like git-secrets to prevent accidental commits
• Store secrets in environment variables or secret managers (like GitHub Actions Secrets, AWS Secrets Manager, etc.)