
Imagine you’ve accidentally checked an API key into Git and pushed it to a public repo.

It happens!

Let’s (try to) fix it.

GitHub docs on removing sensitive data from a repo

How to remove file from git repo

The Problem

Using the GitHub UI we can demonstrate the problem:

Pressing the History button on the file that I know had an API key checked in brings up the commit history.

I don’t really care about the history of this file, so let’s delete the history.

BFG

BFG Repo Cleaner is a handy tool; however, there is no apt-get way to install it, so I did the following:

# install java (BFG is a jar)
sudo apt install default-jre

# cd into the root of the repo you are working on

# download the jar
# -c resumes a partial download, -O - writes it to stdout, which is redirected into bfg.jar
wget -cO - https://repo1.maven.org/maven2/com/madgag/bfg/1.13.0/bfg-1.13.0.jar > bfg.jar

# many people alias bfg='java -jar bfg.jar'
# delete every version of this file from every commit (by default BFG leaves the current HEAD commit untouched)
java -jar bfg.jar --delete-files Enquiry.cshtml.cs

# strip out the unwanted dirty data: expire the reflog so the old commits become unreachable, then prune them
git reflog expire --expire=now --all && git gc --prune=now --aggressive

# history was rewritten, so a normal push is rejected; I had to do a force
git push --force
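The check I wanted before force pushing, as an added example that is not part of the original post: build a throwaway repo that leaks a constructed fake key, rewrite history without the file, and ask git whether the key's bytes still exist in any object at each stage. It assumes git is installed and uses git filter-branch as a stand-in for BFG (BFG needs Java); secrets.cfg, app.txt and the key value are constructed, and the reflog-expire/gc step is the one from the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. filter-branch stands in for BFG;
# key_in_objects is the check that the rewrite plus reflog/gc actually worked.
set -eu

FAKE_KEY="FAKEKEY_0123456789_constructed"   # constructed value, not a real credential

# Exit 0 if KEY is in any object reachable from refs or reflogs, or in any
# dangling object gc has not pruned yet; exit 1 if it is really gone locally.
key_in_objects() {            # usage: key_in_objects <repo_dir> <key>
  local repo="$1" key="$2"
  ( cd "$repo"
    if git rev-list --all --objects --reflog | awk '{print $1}' \
         | xargs -r -n1 git cat-file -p 2>/dev/null | grep -q "$key"; then exit 0; fi
    if git fsck --unreachable --no-reflogs 2>/dev/null | awk '{print $3}' \
         | xargs -r -n1 git cat-file -p 2>/dev/null | grep -q "$key"; then exit 0; fi
    exit 1 )
}

make_leaky_repo() {           # two commits; the first one leaks secrets.cfg
  git init -q "$1"
  ( cd "$1"
    git config user.email "demo@example.com"; git config user.name "demo"
    printf 'api_key = %s\n' "$FAKE_KEY" > secrets.cfg; echo "v1" > app.txt
    git add .; git commit -qm "initial commit (leaks key)"
    echo "v2" >> app.txt; git commit -qam "second commit" )
}

purge_file() {                # stand-in for: java -jar bfg.jar --delete-files secrets.cfg
  ( cd "$1"
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --index-filter \
      'git rm --cached --ignore-unmatch -q secrets.cfg' -- --all >/dev/null 2>&1
    # filter-branch keeps backup refs under refs/original/ (BFG does not); drop them
    git for-each-ref --format='%(refname)' refs/original/ | xargs -r -n1 git update-ref -d )
}

expire_and_gc() {             # the post's cleanup: old commits become unreachable, then pruned
  ( cd "$1"
    git reflog expire --expire=now --all
    git gc --prune=now --aggressive -q )
}

demo() {                      # report after each stage whether the key is still on disk
  local repo stage; repo="$(mktemp -d)/repo"; make_leaky_repo "$repo"
  for stage in none purge_file expire_and_gc; do
    [ "$stage" = none ] || "$stage" "$repo"
    key_in_objects "$repo" "$FAKE_KEY" && echo "after $stage: still present" || echo "after $stage: gone"
  done
}
```

Running demo shows the key still present after the rewrite alone (the old commits survive in the reflog and as dangling objects) and gone only after the reflog expire and gc. Passing the check only proves the key is gone from your clone; anything already fetched or cached elsewhere is out of your control.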

It works (mostly)


Yes it did - I can no longer see the history.

Hmmm, but I can still see them from this link:

Why can I still see it on GitHub?

However, there is still a sneaky way to see the old commit, and for me the link was:

https://github.com/djhmateer/password-postgres/commits/a73f27214c3b56a6337aebde99b0ca38ca129de3/src/PasswordPostgres.Web/Pages/Enquiry.cshtml.cs

And I could still see the file.

This explains why; see Scenario 4.

GitGuardian

GitGuardian is an automated secrets detection and remediation service that should help stop secrets being checked in.

After installing it you can view the status on the GitGuardian dashboard.

Conclusion

Be careful with secret keys.

It is a real pain if you’ve checked a key into a public repo on GitHub.

If it’s your own project and you don’t care about the history, delete everything and start again. This is by far the most secure and easiest way.