IT

InstaTunnel Team

Published by our engineering team

Ghosts in the Machine: How to Permanently Purge Secrets from Your Git History 👻

Every developer’s nightmare: you’re reviewing your latest commit when you notice it—an API key, a database password, or an AWS access token staring back at you from your code. Your heart sinks. You immediately create a new commit removing the secret, breathe a sigh of relief, and move on. But here’s the terrifying truth: that secret is still there, lurking in your Git history like a ghost in the machine.

Understanding why simply deleting a secret in a new commit isn’t enough—and knowing how to truly exorcise these digital ghosts—is critical knowledge for any developer working with version control systems.

Why Deleting Isn’t Enough: Understanding Git’s Immutable History

Git wasn’t designed with forgetfulness in mind. Its fundamental architecture is built around preserving every change, every commit, and every file version throughout a repository’s entire lifetime. This design philosophy makes Git excellent for tracking changes and recovering lost work, but it becomes a serious security liability when sensitive data enters the repository.

When you commit a file containing a secret to your repository, Git stores a complete snapshot of that file in its object database. Even if your next commit removes the secret, the previous commit—along with its snapshot containing the secret—remains permanently accessible in the repository’s history.

Anyone with access to your repository can travel back through time using commands like git log, git checkout, or git show to view the exact state of any file at any point in history. If your repository is public or has been cloned by multiple developers, that secret has potentially been distributed to dozens or hundreds of locations.

The situation becomes even more critical when you consider that the number of detected hard-coded secrets increased by 67% from 2021 to 2022, with 10 million new secrets found solely within public commits on GitHub. These statistics underscore the scale of the problem and why proper secret removal is essential.

The Scope of the Problem: What Happens After Exposure

Once a secret enters your Git history, several troubling scenarios can unfold:

Automated Secret Harvesting: Malicious actors use automated tools to continuously scan public repositories for exposed credentials. These bots can detect and exploit secrets within minutes of their exposure. GitHub and other platforms have responded by implementing secret scanning capabilities, with GitHub secret scanning protecting users by searching repositories for known types of secrets such as tokens and private keys.

Repository Forks and Clones: If your repository is public or has been forked, the secret exists in multiple locations beyond your control. Even if you could rewrite your repository’s history, all existing clones and forks would retain the compromised data.

CI/CD Pipeline Logs: Secrets in your repository might be logged during automated build processes, creating additional exposure vectors that extend beyond the repository itself.

Backup Systems: Repository backups and archives capture your Git history at specific points in time, potentially preserving secrets indefinitely even after you’ve cleaned your primary repository.

Understanding these risks highlights why immediate and thorough action is necessary when secrets are accidentally committed.

Before You Begin: Critical Preparation Steps

Before attempting to purge secrets from your Git history, you must complete several essential preparatory steps:

1. Rotate the Compromised Secret Immediately

Your first action should be to invalidate the exposed secret. Generate new credentials, revoke API tokens, or change passwords. This step must happen before any history rewriting because the secret has potentially been compromised the moment it entered your repository.

2. Back Up Your Repository

History rewriting is a destructive operation. Create a complete backup of your repository before proceeding:

git clone --mirror https://your-repository-url.git backup-repo

This mirror clone preserves all branches, tags, and references, allowing you to recover if something goes wrong during the cleanup process.

3. Coordinate with Your Team

If multiple developers work on the repository, communicate your plans clearly. History rewriting will require everyone to re-clone the repository or carefully rebase their local branches. Schedule the cleanup during a low-activity period if possible.

4. Document All Affected Branches

Identify every branch that might contain the compromised secret:

git log --all --full-history --oneline -- path/to/file/with/secret

This command shows every commit across all branches that modified the file containing your secret.

Tool Selection: git-filter-repo vs BFG Repo-Cleaner

Two primary tools dominate the landscape for rewriting Git history: git-filter-repo and BFG Repo-Cleaner. Each has distinct strengths and ideal use cases.

git-filter-repo: The Flexible Powerhouse

git-filter-repo is the modern, officially recommended replacement for the deprecated git-filter-branch command. It offers unparalleled flexibility for complex repository rewrites.

Advantages: - Extremely flexible filtering capabilities - Can perform sophisticated path-based filtering - Handles complex scenarios like splitting repositories or combining multiple repos - Actively maintained with regular updates - Better performance than git-filter-branch for most operations

Best For: - Complex rewriting scenarios requiring precise control - Repositories where secrets appear in specific paths or file patterns - Situations requiring multiple types of filtering simultaneously - Teams comfortable with Python-based tools

BFG Repo-Cleaner: The Speed Specialist

BFG Repo-Cleaner is described as a simpler, faster alternative to git-filter-branch for cleansing bad data from Git repository history, capable of removing passwords, credentials, and other private data.

Advantages: - Significantly faster than git-filter-branch for simple operations - Simpler command-line interface for common tasks - Written in Scala, runs on any system with Java installed - Excellent for straightforward secret removal

Best For: - Removing specific text strings from all files across history - Straightforward cleanup operations - Teams wanting quick results with minimal configuration - Repositories where secrets appear as simple text strings

Method 1: Using BFG Repo-Cleaner for Quick Secret Removal

BFG Repo-Cleaner excels at removing specific text patterns from your entire repository history. Here’s a comprehensive step-by-step guide.

Installation

BFG requires Java 8 or above. Download the latest version from the official repository:

# Download BFG (check for the latest version)
wget https://repo1.maven.org/maven2/com/madgag/bfg/1.14.0/bfg-1.14.0.jar

# Create an alias for easier usage
alias bfg='java -jar /path/to/bfg-1.14.0.jar'

Step-by-Step Secret Removal

Step 1: Clone a Fresh Mirror

Create a bare mirror clone of your repository:

git clone --mirror https://your-repository-url.git temp-repo.git
cd temp-repo.git

The --mirror flag ensures you get all references, branches, and tags for complete cleanup.

Step 2: Create a Secrets File

Create a text file listing all the secrets you need to remove. Each secret should be on its own line:

sk_live_51AbCdEfGhIjKlMnOp
AKIAIOSFODNN7EXAMPLE
db_password_prod_2024
google_api_key_12345

Save this file as secrets.txt outside your repository directory.

Step 3: Run BFG

Execute BFG to replace all occurrences of these secrets:

bfg --replace-text secrets.txt temp-repo.git

BFG will scan your entire repository history and replace every occurrence of the listed secrets with ***REMOVED*** by default. You can customize the replacement text if needed.

Step 4: Clean Up the Repository

BFG updates your commits and all branches and tags to make them clean, but it doesn’t physically delete the unwanted data. You must use Git’s garbage collection to complete the removal:

cd temp-repo.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive

These commands expire all reflog entries and aggressively garbage collect to physically remove the secret-containing objects from Git’s object database.

Step 5: Verify and Push

Verify that secrets have been removed by checking out a working copy:

cd ..
git clone temp-repo.git verification-repo
cd verification-repo
git log -p --all | grep -i "your-secret-pattern"

If the verification confirms successful removal, force-push to your remote repository:

cd temp-repo.git
git push --force --all
git push --force --tags

Method 2: Using git-filter-repo for Precision Removal

git-filter-repo offers more granular control when you need sophisticated filtering beyond simple text replacement.

Installation

Install git-filter-repo using pip or your package manager:

# Using pip
pip install git-filter-repo

# Or on Ubuntu/Debian
apt-get install git-filter-repo

# Or on macOS
brew install git-filter-repo

Step-by-Step Path-Based Filtering

Step 1: Clone Your Repository

Create a fresh clone (not a bare repository this time):

git clone https://your-repository-url.git cleanup-repo
cd cleanup-repo

Step 2: Remove Files Containing Secrets

If secrets are contained in specific files you want to remove entirely:

git filter-repo --path config/secrets.yaml --invert-paths

The --invert-paths flag removes the specified path from all commits throughout history.

Step 3: Remove Secrets from Specific Files

For removing content within files rather than entire files, use the --replace-text option:

echo "sk_live_51AbCdEfGhIjKlMnOp==>***REMOVED***" > replacements.txt
git filter-repo --replace-text replacements.txt

Step 4: Path-Based Filtering for Complex Cases

You can combine multiple filtering operations. For example, removing secrets only from a specific directory:

git filter-repo --path src/legacy/ --replace-text secrets.txt

Step 5: Verify and Push

After filtering, verify your repository state:

git log --all --oneline --graph
git log -p | grep -i "secret-pattern"

Add your remote (git-filter-repo removes remotes for safety):

git remote add origin https://your-repository-url.git
git push --force --all
git push --force --tags

After the Cleanup: Essential Follow-Up Actions

Successfully rewriting history is only the beginning. Several critical follow-up steps ensure complete remediation:

1. Update All Team Members

Send clear instructions to all team members:

IMPORTANT: Repository history has been rewritten to remove sensitive data.

Required Actions:
1. Delete your local clone
2. Fresh clone from: [repository-url]
3. Do NOT attempt to merge or rebase existing branches

If you have unpushed work, save your changes as patches first:
git format-patch origin/main

2. Update Existing Pull Requests

Any open pull requests based on the old history must be recreated. The old commits are no longer compatible with the rewritten history.

3. Check Forks and Mirrors

If your repository has been forked or mirrored, contact the owners of those repositories. Explain the security issue and request that they update their copies or delete them if they’re outdated.

4. Review CI/CD Logs and Artifacts

Check your continuous integration system’s logs and artifacts for any instances of the exposed secret. These systems often cache build logs that may contain sensitive information.

5. Monitor for Unauthorized Usage

Even after rotation, monitor your systems for any unauthorized usage of the old credentials. Set up alerts for suspicious access patterns.

Prevention: Never Let It Happen Again

The best way to handle secrets in Git history is to prevent them from getting there in the first place:

1. Use Git Hooks for Pre-Commit Scanning

Implement pre-commit hooks that scan for potential secrets:

# .git/hooks/pre-commit
#!/bin/bash
if git diff --cached | grep -iE "password|secret|api[_-]?key|token"; then
    echo "⚠️  Potential secret detected! Commit blocked."
    exit 1
fi

2. Leverage Secret Scanning Tools

Modern secret scanning tools can detect leaked credentials before they’re pushed. Secret scanning tools search code, configs, and infrastructure for passwords, API keys, or other sensitive data using pattern recognition, entropy checks, and sometimes machine learning.

3. Use Environment Variables and Secret Management

Store secrets in environment variables or dedicated secret management systems:

• Local Development: Use .env files (and add them to .gitignore)
• Production: Use AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault
• CI/CD: Use your platform’s secret storage (GitHub Secrets, GitLab CI/CD variables)

4. Maintain a Comprehensive .gitignore

Create and maintain a thorough .gitignore file:

# Environment variables
.env
.env.local
.env.*.local

# IDE configurations
.vscode/
.idea/

# Configuration files with secrets
config/secrets.yml
config/database.yml
credentials.json

# Cloud provider credentials
.aws/
.gcloud/

5. Implement Code Review Processes

Establish mandatory code reviews before merging to main branches. Train your team to watch for accidentally committed secrets during reviews.

6. Enable Push Protection

Secret scanning with push protection can automatically detect secrets matching specific patterns and prevent them from being pushed to repositories. Enable these features on platforms that support them.

Conclusion: Eternal Vigilance

Removing secrets from Git history is a complex, high-stakes operation that requires careful execution and thorough follow-up. While tools like BFG Repo-Cleaner and git-filter-repo make the technical process manageable, the surrounding coordination, verification, and prevention work is equally important.

Remember these key principles:

1. Act Immediately: Rotate compromised credentials before attempting history cleanup
2. Choose the Right Tool: Use BFG for speed and simplicity, git-filter-repo for complex scenarios
3. Communicate Clearly: Ensure all team members understand the process and their required actions
4. Verify Thoroughly: Don’t trust the cleanup until you’ve verified the secrets are truly gone
5. Prevent Recurrence: Implement comprehensive prevention measures to avoid repeating this painful process

The ghosts in your Git history may be invisible, but they’re very real threats to your security posture. With the right knowledge and tools, you can exorcise them completely and establish practices that keep your secrets safe from the start. Stay vigilant, stay secure, and remember: in the world of version control, what goes in doesn’t easily come out—unless you know how to make it happen.

Related Topics

#git secrets removal, remove secrets from git history, delete sensitive data git, git-filter-repo, BFG Repo-Cleaner, purge git history, remove credentials from git, git security, exposed API keys git, remove passwords from git, committed secrets fix, accidentally committed password, git history rewrite, how to remove secrets from git history permanently, leaked credentials git, API key in git history, git secret scanning, remove API keys from git repository, delete committed passwords git, clean git repository, fix git security issue, git sensitive data removal, rewrite git commits, exposed secrets github, security breach git, compromised credentials repository, git filter repo tutorial, BFG repo cleaner guide, permanently delete files from git history, remove credentials from all git branches, git secret remediation, credential rotation, repository cleanup, git force push, prevent secrets in git commits, version control security, git security best practices, GitHub secret scanning, secret detection tools, automated secret scanning, repository security audit, git filter-branch alternative, DevSecOps, CI/CD security, push protection, pre-commit hooks, secret management, git reflog, git garbage collection, GitHub secrets, clean compromised repository, remove leaked API keys, secure git repository, GitLab security, developer security, DevOps security practices, git object database, git history cleanup tools, Bitbucket repository cleaning, repository management, code security tutorial, software engineer guide, git advanced techniques, protect source code, environment variables best practices, gitignore sensitive files, git repository forensics, source code security, security incident response, eliminate security vulnerabilities git