How to Remove Secrets from GitHub (Even from History!)

🚨 Why You MUST Remove Secrets from Git!

Imagine you accidentally shared your password with the world. That’s what happens when you push a secret key (like API keys, database passwords, or credentials) to GitHub. Even if you delete it from your code, it’s still visible in the Git history. This means hackers or automated bots can steal your sensitive information if they find it.

🛑 Step 1: Immediately Revoke & Replace the Secret

Before removing the secret from Git, assume it’s already compromised.

🔄 How to Fix It:

  1. Go to your service provider (AWS, Google Cloud, Stripe, etc.).
  2. Revoke (delete) the old key.
  3. Generate a new key.
  4. Store the new key safely (use environment variables, not hardcoded in your code).

✅ This ensures the leaked key cannot be used, even if someone finds it in the Git history.

💣 Step 2: Remove the Secret from Git History


If you only remove the secret from your code and push a new commit, it still exists in old commits. You need to erase it from history.

📌 Option 1: Fast & Easy Way (BFG Repo-Cleaner) ✅

Best for: Beginners, fast cleanup.

📌 Steps:

  1. Install BFG Repo-Cleaner
  2. Remove the secret from your current code and commit that first (BFG protects the latest commit and will not rewrite it), then run BFG from the repository directory:
     bfg --replace-text <(echo 'SECRET_KEY=your_secret_value')
     (Replace SECRET_KEY=your_secret_value with your actual secret; the <( ) form needs bash. Every match in the history is replaced with ***REMOVED***.)
  3. Clean up and push:
     git reflog expire --expire=now --all
     git gc --prune=now
     git push --force
     🚀 Done! The secret is gone from your Git history.

📌 Option 2: Manual Way (Git Filter-Branch) ⚠️

Best for: People who can’t install BFG.

  1. Run this command (it deletes every line containing SECRET_KEY from every file in every commit on every branch; sed -i "" is the macOS/BSD form, on GNU/Linux use plain sed -i):
     git filter-branch --force --tree-filter 'sed -i "" "/SECRET_KEY/d" $(git ls-files)' -- --all
     Git itself now recommends git filter-repo over filter-branch, but the command above still works.
  2. Delete the backup refs filter-branch leaves under refs/original/ (they keep the old commits reachable), run the reflog expire and gc commands from Option 1, then push the rewritten history to GitHub:
     git push --force
     🚀 Your secret is now erased from history.
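The following rehearsal script is an added example, not code from the post and not BFG: it builds a throwaway repository with a constructed secret, scrubs it with the filter-branch route from Option 2 plus the backup-ref, reflog and gc cleanup, and then checks every ref for the secret. The repository path, file name and secret value are all made up; it assumes git and GNU sed (Linux). The secret_in_history check is the part worth reusing after a real cleanup, whichever of the two options you used.

```shell
#!/bin/sh
# Added example (not from the post): rehearse the filter-branch route on a
# throwaway repository, then prove the secret is unreachable from any ref.
# Everything here is constructed: the repo, the secret value, the file name.

# Identity via environment so no global git config is needed.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's interactive warning

SECRET='SECRET_KEY=constructed_example_value_123'   # constructed, not a real key

# make_repo DIR: commit 1 leaks the secret in config.env, commit 2 deletes the
# line again. This is exactly what "I removed it and pushed" leaves behind.
make_repo() {
    rm -rf "$1" && mkdir -p "$1"
    git -C "$1" init -q
    git -C "$1" symbolic-ref HEAD refs/heads/main
    printf 'APP=demo\n%s\n' "$SECRET" > "$1/config.env"
    git -C "$1" add config.env
    git -C "$1" commit -q -m "initial commit (leaks a secret)"
    printf 'APP=demo\n' > "$1/config.env"
    git -C "$1" commit -q -am "remove secret (still in history)"
}

# secret_in_history DIR PATTERN: exit 0 if PATTERN is in any commit reachable
# from any ref (branches, tags, and filter-branch's refs/original/ backups).
secret_in_history() {
    ( cd "$1" && git grep -q -F -e "$2" $(git rev-list --all) )
}

# scrub_history DIR PATTERN: delete every line containing PATTERN from every
# commit, then remove the backup refs, reflog entries and loose objects that
# would otherwise keep the old blobs alive.
scrub_history() {
    export SCRUB_PATTERN="$2"
    (
        cd "$1" || exit 1
        # GNU sed -i; on macOS/BSD use sed -i '' instead.
        git filter-branch --force --tree-filter \
            'for f in $(grep -rl -F -e "$SCRUB_PATTERN" .); do sed -i "/$SCRUB_PATTERN/d" "$f"; done' \
            -- --all >/dev/null 2>&1 || exit 1
        git for-each-ref --format='%(refname)' refs/original/ \
            | while read -r ref; do git update-ref -d "$ref"; done
        git reflog expire --expire=now --all
        git gc -q --prune=now
    )
}

# demo: run the whole rehearsal; exit 0 only if the secret was reachable before
# the scrub and unreachable after it.
demo() {
    repo="${TMPDIR:-/tmp}/secret-scrub-demo.$$"
    make_repo "$repo" || return 1
    if secret_in_history "$repo" SECRET_KEY; then before=yes; else before=no; fi
    scrub_history "$repo" SECRET_KEY || return 1
    if secret_in_history "$repo" SECRET_KEY; then after=yes; else after=no; fi
    rm -rf "$repo"
    echo "secret reachable before scrub: $before, after scrub: $after"
    [ "$before" = yes ] && [ "$after" = no ]
}

demo
```

Run the check against your real repository by calling secret_in_history with its path and the secret (or a distinctive fragment of it); a zero exit status means some ref still reaches a commit containing it, typically the refs/original/ backups or a branch you forgot to rewrite.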

🚀 Step 3: Tell Your Team to Update Their Git

Since you rewrote the Git history, your team members must reset their local clones; anyone who merges or pushes from an old clone would bring the leaked commits straight back. GitHub itself may also keep serving the old commits by their hash (and in forks) until GitHub Support purges them, which is one more reason Step 1 comes first.

Ask them to run:

git fetch --all
git reset --hard origin/main

✅ This ensures they don’t have the old, leaked key in their local copy.

🔒 Step 4: Prevent Future Secret Leaks

To avoid leaking secrets again:

✅ 1. Use .env Files (Best Practice)

  • Store secrets in a .env file (never commit it to Git!).
  • Add .env to .gitignore to prevent accidental commits, and untrack it if it was already added (if it was already pushed, its contents are in history: go back to Step 2):
     echo ".env" >> .gitignore
     git rm --cached .env
     git commit -m "Ignore .env file"
     git push

✅ 2. Set Up Git Pre-Commit Hooks

  • Install git-secrets and enable it inside each repository (the hooks are installed per repository) so that secrets are blocked before they are committed:
     brew install git-secrets
     git secrets --install
     git secrets --register-aws
  • Now, if you stage a line that matches one of its patterns, git-secrets rejects the commit instead of letting it through.
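To make the hook idea concrete, here is an added example of a minimal pre-commit hook written for this article; it is not git-secrets and not code from the post. It scans only the lines a commit adds, flags AWS access key IDs, PEM private-key headers and generic key=value assignments, and lets a line through when it carries the constructed marker allowlist-secret. The patterns are illustrative; a real scanner ships a much larger list.

```shell
#!/bin/sh
# Added example, not code from the post and not git-secrets itself: a minimal
# pre-commit hook that blocks a commit when any added line in the staged diff
# looks like a credential. Save as .git/hooks/pre-commit and make it executable.
# The patterns are illustrative; real scanners ship far larger lists.

# matches_secret: reads text on stdin, exit 0 if any line looks like a secret.
matches_secret() {
    input=$(cat)
    # Case-sensitive, high-confidence patterns: AWS access key IDs, PEM private keys.
    printf '%s\n' "$input" | grep -E -q \
        -e '(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' && return 0
    # Lower-confidence generic assignments: api_key=..., secret_key: "...", password=...
    printf '%s\n' "$input" | grep -E -i -q \
        -e '(api[_-]?key|secret([_-]?key)?|passw(or)?d|token)[[:space:]]*[=:][[:space:]]*.?[A-Za-z0-9_/+-]{12,}'
}

# check_text LINE: 0 when LINE is clean, 1 when it looks like a secret.
# Handy for a quick manual check of a single line.
check_text() {
    if printf '%s\n' "$1" | matches_secret; then
        return 1
    fi
    return 0
}

# scan_staged: examine only the lines this commit adds ('+' lines of the staged
# diff), skipping lines explicitly marked as a false positive with the
# constructed marker "allowlist-secret".
scan_staged() {
    if git diff --cached -U0 --no-color \
        | grep '^+' | grep -v '^+++' | grep -v 'allowlist-secret' \
        | matches_secret; then
        echo "pre-commit: a staged line looks like a secret; commit blocked." >&2
        echo "Move the value to .env (ignored by Git) or mark a false positive with 'allowlist-secret'." >&2
        return 1
    fi
    return 0
}

# Act as a hook only when invoked inside a repository, so the functions above
# can also be sourced and exercised on their own.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    scan_staged || exit 1
fi
```

A hook like this is a safety net, not a guarantee: a value that does not match any pattern (a short password, an opaque token without a recognisable prefix) passes straight through, and a developer can skip hooks with git commit --no-verify, which is why GitHub's server-side secret scanning in the next section is worth enabling as well.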

✅ 3. Enable GitHub Secret Scanning

If your repository is public, GitHub can automatically detect leaked secrets and warn you:

  • Go to Settings → Code security and analysis.
  • Enable Secret Scanning.
  • If GitHub finds any secrets, follow the steps to revoke them.

🎯 Conclusion

If you accidentally push a secret to GitHub:

  1. Revoke the secret immediately (don’t risk it!).
  2. Remove it from Git history using BFG Repo-Cleaner or filter-branch.
  3. Force push & tell your team to reset their repositories.
  4. Use .env files, Git hooks, and GitHub security tools to avoid future leaks.

By following these steps, you can protect your sensitive data and ensure your code is secure. 💡

💬 Did you find this guide helpful? Share your experience in the comments! 🚀