Over a million developers have joined DZone.

Avoid Keeping Sensitive Info in a Code Repo: How to Remove Files From Git Version History

DZone's Guide to

Avoid Keeping Sensitive Info in a Code Repo: How to Remove Files From Git Version History

When using sites like GitHub in development, developers may be accidentally leaving vulnerabilities in their gits. Learn how to remove these vulnerabilities.

· Security Zone ·
Free Resource

Learning by doing is more effective than learning by watching - that’s why Codebashing offers a hands-on interactive training platform in 10 major programming languages. Learn more about AppSec training for enterprise developers.

One of the vulnerabilities that are really easy to exploit is when people leave super-sensitive information in source code – and you get your hands on this source code. In early prototyping, a lot of people will hardcode passwords and certificate keys in their code, and remove it later when moving to production code. Sometimes it is not even removed from production. But even in the case where you do remove it, this sensitive information can linger in your version history. What if your app is an open source app where you are sharing the code on GitHub? You probably don’t want to share your passwords.

Getting this sensitive info out of your repository is not as easy as deleting the file from the repo and adding it to the .gitignore file – because this does not touch your version history. What you need to do this is:

  • Merge any remote changes into your local repo, to make sure you don’t remove the work of your team if they have committed after your own last merge/commit.
  • Remove the file history for your sensitive files from your local repo using the filter-branch command:
git filter-branch –force –index-filter \
‘git rm –cached –ignore-unmatch \

Although the command above looks somewhat scary it is not that hard to dig out – you can find in the Github doc files. When that’s done, there are only a few more things to do:

  • Add the files in question to your.gitignore file.
  • Force write to the repo (git push origin –force –all).
  • Tell all your collaborator to clone the repo as a fresh start to avoid them merging in the sensitive files again.

Also, if you have actually pushed sensitive info to a remote repository, particularly if it is an open source publicly available one, make sure you change all passwords and certificates that were included previously – this info should be considered compromised.

Find out how CxSAST can help you scan uncompiled and unbuilt code while identifying hundreds of security vulnerabilities in the most prevalent coding languages.

security ,git ,source code

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}