Imagine you've accidentally checked an API key into Git and pushed it to a public repo.
Let's (try to) fix it.
Using GitHub we can demonstrate the problem:
Pressing the History button on the file that I know had an API key checked in brings up the commit history.
I don't really care about the history of this file, so let's delete the history.
BFG Repo Cleaner is a handy tool; however, there is no apt-get way to install it, so I did the following:
# install java
sudo apt install default-jre
# cd into the root of the repo you are working on
# download the jar: -c resumes a partial download, -O - writes it to stdout, which is redirected into bfg.jar
wget -cO - https://repo1.maven.org/maven2/com/madgag/bfg/1.13.0/bfg-1.13.0.jar > bfg.jar
# many people alias bfg='java -jar bfg.jar'
# remove the file from every commit in the history
java -jar bfg.jar --delete-files Enquiry.cshtml.cs
# strip out the unwanted dirty data: expire the reflog and prune the now-unreachable objects
git reflog expire --expire=now --all && git gc --prune=now --aggressive
# I had to do a force push
git push --force
It works (mostly)
Yes it did: I can no longer see the history.
Hmmmm, but I can still see them from this link.
Why can I still see it on GitHub
However, there is still a sneaky way to see the old commit, and for me the link was
And I could still see the file.
This explains why in Scenario 4.
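To see why the rewritten commit stays visible, here is an added example (not part of the original post) that reproduces the situation locally in a throwaway repo: the commit is removed from every branch, exactly as BFG plus a force push does, yet its content stays readable by SHA until the reflog is expired and the object pruned. GitHub's server has done neither after your force push, which is why a direct commit URL still works. The file name mirrors the post; the key value is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: shows that a commit dropped from
# all branches is still readable by its SHA until reflog expiry + gc prune.
# Runs in a temporary repo; the key below is a constructed placeholder.
set -eu

# Returns 0 if each of the three observations below holds, 1 otherwise.
demo_dangling_commit() (
  repo=$(mktemp -d)
  trap 'cd / && rm -rf "$repo"' EXIT
  cd "$repo"
  git init -q .
  git -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m "initial"
  # constructed placeholder, not a real credential
  printf 'ApiKey = "EXAMPLE-NOT-A-REAL-KEY"\n' > Enquiry.cshtml.cs
  git add Enquiry.cshtml.cs
  git -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m "add enquiry handler"
  leaked=$(git rev-parse HEAD)

  # "Rewrite history": drop the commit from the branch, as BFG + force push would
  git reset -q --hard HEAD~1

  # 1. No branch contains the leaked commit any more...
  git branch --contains "$leaked" | grep -q . && exit 1
  # 2. ...but the object still exists and the file is readable by SHA
  git cat-file -e "$leaked" || exit 1
  git show "$leaked:Enquiry.cshtml.cs" | grep -q "EXAMPLE-NOT-A-REAL-KEY" || exit 1

  # 3. Only after expiring the reflog and pruning does the object disappear
  #    (the same two commands the post runs after BFG)
  git reflog expire --expire=now --all
  git gc -q --prune=now
  if git cat-file -e "$leaked" 2>/dev/null; then exit 1; fi
  exit 0
)

demo_dangling_commit && echo "old commit readable by SHA until reflog expire + gc prune"
```

Step 3 is what you can run locally but cannot run on GitHub's copy of the repository, so a force push alone never makes the commit unreachable there.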
GitGuardian is an automated secrets detection and remediation service that should help stop secrets being checked in.
After installing it you can view the status on the GitGuardian dashboard.
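The kind of check a service like this runs can be approximated with a few lines of shell. The following is an added example, not code from the post and not GitGuardian's tooling: a minimal pre-commit style scan that flags credential-looking strings in a file before it is committed. The three patterns (AWS-style access key ids, GitHub-style personal tokens, generic api_key assignments) and the sample file contents are assumptions made for the demo; a real scanner adds many more formats plus entropy checks and live validation of the candidate.

```shell
#!/bin/sh
# Added example, not from the post and not GitGuardian's code: a minimal
# pre-commit style secret scan. Patterns and sample data are assumptions.
set -eu

# Print every line of FILE that looks like it contains a secret (with line number).
secret_hits() {
  grep -nE \
    -e 'AKIA[0-9A-Z]{16}' \
    -e 'ghp_[A-Za-z0-9]{36}' \
    -e '[Aa][Pp][Ii]_?[Kk][Ee][Yy][^=:]{0,10}[=:][^A-Za-z0-9]*[A-Za-z0-9_/+-]{20,}' \
    "$1" || true
}

# Number of flagged lines in FILE.
secret_hit_count() {
  secret_hits "$1" | grep -c . || true
}

# Exit status 1 if FILE contains anything that looks like a secret, 0 otherwise.
check_file() {
  n=$(secret_hit_count "$1")
  [ "$n" -eq 0 ]
}

# Pre-commit entrypoint: scan every file staged for add/modify in the current repo.
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=AM); do
    if ! check_file "$f"; then
      echo "possible secret in $f:"; secret_hits "$f"; status=1
    fi
  done
  return $status
}

# Constructed sample input with fake values (AKIAIOSFODNN7EXAMPLE is AWS's
# documented example id; the token is 36 arbitrary hex characters).
SAMPLE_DIRTY=$(mktemp)
cat > "$SAMPLE_DIRTY" <<'EOF'
var awsKeyId = "AKIAIOSFODNN7EXAMPLE";
var token = "ghp_0123456789abcdef0123456789abcdef0123";
api_key: "notasecretjustaplaceholderoftwentyplus"
int apiKeyLength = 10;
EOF

# Constructed clean sample: reads the key from the environment instead of embedding it.
SAMPLE_CLEAN=$(mktemp)
printf 'var apiKeyName = System.getenv("API_KEY");\n' > "$SAMPLE_CLEAN"

check_file "$SAMPLE_DIRTY" || echo "dirty sample: $(secret_hit_count "$SAMPLE_DIRTY") suspicious line(s)"
check_file "$SAMPLE_CLEAN" && echo "clean sample: nothing flagged"
```

Wired in as a `.git/hooks/pre-commit` that calls `scan_staged`, a non-zero exit blocks the commit, which is far cheaper than the history rewrite above. The fourth sample line (`apiKeyLength = 10`) shows why the generic pattern demands a long value: identifiers that merely contain "apiKey" must not trip it.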
Be careful with secret keys.
It is a real pain if you've checked a key into a public repo on GitHub. Whatever you do to the history, treat the key as exposed and revoke it.
If it's your own project and you don't care about the history, delete everything and start again. That is by far the most secure and easiest way.