By admin, 29 April 2026

Incident response

You committed an API key, password, or private key. Removing it from the latest commit is not enough — Git keeps the file in every previous commit until you rewrite history. This page walks through the full incident response.

Step 1: rotate immediately

Before touching the repo, revoke the credential. Assume any pushed history has already been mirrored, scraped, or cached by GitHub's archive program. Rotating is the only true fix; rewriting just slows attackers.

Step 2: rewrite history with filter-repo

# start from a fresh mirror clone: filter-repo refuses to rewrite a clone that is not fresh unless --force is given
git clone --mirror git@github.com:org/repo.git repo-mirror
cd repo-mirror
# drop config/secrets.yml from every commit (--invert-paths keeps everything except the listed path)
git filter-repo --path config/secrets.yml --invert-paths

For pattern-based removal across many files (e.g., AWS keys), use a replacements file:

# one rule per line; literal: is the default prefix, and a line without ==> is replaced by ***REMOVED***
cat > replace.txt <<'EOF'
regex:AKIA[0-9A-Z]{16}==>REDACTED
literal:hunter2==>REDACTED
EOF
# a second filter-repo run on the same clone needs --force, because it is no longer a fresh clone
git filter-repo --replace-text replace.txt

Step 3: force-push

# filter-repo removes the origin remote after rewriting, so re-add it before pushing
git remote add origin git@github.com:org/repo.git
git push --force --all
git push --force --tags

Coordinate with collaborators: every clone they hold contains the secret. They must reclone or rebase. Old PRs and forks may still expose the data; on GitHub, contact support to purge cached views.

Step 4: prune local objects

Locally, expire reflogs and run aggressive gc to drop the unreachable blobs:

git reflog expire --expire=now --all
git gc --prune=now --aggressive

Detecting secrets early

Prevention beats cleanup. Install a pre-commit hook that scans staged content with a tool like gitleaks or trufflehog:

#!/usr/bin/env bash
# .git/hooks/pre-commit: scan only the staged changes and redact matched values in the output
gitleaks protect --staged --redact || exit 1

See "Git hooks: pre-commit, prepare-commit-msg, commit-msg" for installation patterns.

Common mistakes

Believing a force-push is enough — caches, forks, mirrors, and team clones still hold the data. Skipping rotation. Using git filter-branch, which is deprecated and slow; use filter-repo. Forgetting tags: secrets often live in tagged releases too.

Audit

After the rewrite, search the rewritten history to confirm:

# pickaxe: every commit in history that adds or removes the string
git log -p --all -S "AKIA"
# grep the tree of every reachable revision
git grep "hunter2" $(git rev-list --all)
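The following added Python example (not code from this page or from git filter-repo itself) re-implements the literal:/regex:/==> rules of the Step 2 replacements file on a constructed sample blob and then runs the same kind of check the audit commands above perform, so you can preview a rewrite before force-pushing. It assumes a simplified model: glob: rules and filter-repo's exact rule ordering are left out.

```python
import re

DEFAULT_REPLACEMENT = b"***REMOVED***"  # filter-repo's default when a line has no ==>
# Constructed replacements file: the page's two rules plus one with no ==> (shows the default).
REPLACE_TXT = rb"""regex:AKIA[0-9A-Z]{16}==>REDACTED
literal:hunter2==>REDACTED
regex:-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----
"""
# Constructed blob standing in for config/secrets.yml in an old commit.
SAMPLE_BLOB = b"""aws_access_key_id: AKIAIOSFODNN7EXAMPLE
db_password: hunter2
ssh_key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIBconstructedNotARealKey
  -----END RSA PRIVATE KEY-----
"""
# Tell-tale fragments the audit step looks for (in-memory analogue of git log -S / git grep).
AUDIT_PATTERNS = [re.compile(p) for p in (rb"AKIA[0-9A-Z]{16}", rb"hunter2", rb"PRIVATE KEY", rb"MIIB")]

def parse_replace_text(data: bytes):
    """Parse --replace-text lines into (compiled pattern, replacement) pairs.
    Simplified: literal (the default) and regex: prefixes only; glob: is not handled."""
    rules = []
    for line in data.splitlines():
        replacement = DEFAULT_REPLACEMENT
        if b"==>" in line:
            line, replacement = line.rsplit(b"==>", 1)
        if line.startswith(b"regex:"):
            pattern = line[len(b"regex:"):]
        else:  # literal rule; re.escape lets one code path apply both kinds
            pattern = re.escape(line[len(b"literal:"):] if line.startswith(b"literal:") else line)
        if pattern:
            rules.append((re.compile(pattern), replacement))
    return rules

def apply_rules(rules, blob: bytes) -> bytes:
    """Apply rules in file order (filter-repo's own ordering may differ)."""
    for pattern, replacement in rules:
        blob = pattern.sub(lambda _m, r=replacement: r, blob)  # callable: no backslash expansion
    return blob

def audit(blob: bytes):
    """Return the distinct secret fragments still present, sorted."""
    return sorted({m.group(0) for p in AUDIT_PATTERNS for m in p.finditer(blob)})

def rewrite_and_audit(replace_txt: bytes = REPLACE_TXT, blob: bytes = SAMPLE_BLOB):
    """Return (rewritten blob, leftovers before, leftovers after)."""
    rewritten = apply_rules(parse_replace_text(replace_txt), blob)
    return rewritten, audit(blob), audit(rewritten)
```

Run it on the real replace.txt and a blob pulled with git show to see exactly which bytes will change; an empty "after" list is the result the later git grep pass should confirm.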

Related

See "filter-repo: rewriting history safely" for the underlying tool, and "GPG signing commits and tags" for proving authorship after a rewrite.