DEV Community

Cover image for How to remove a sensitive file from your commit history on GitHub
Sophia Enakpoya
Sophia Enakpoya

Posted on

How to remove a sensitive file from your commit history on GitHub

Yes! this has happened to most of us at least once in our career, especially when we are just starting. We accidentally commit sensitive data to GitHub. We forget to gitignore our config file containing database passwords or API keys or jwt secrets. And we immediately start to panic.

This happened to me a couple of days ago. I forgot to ignore my default JSON file that contained my database connection password and jwt secret. I had just gotten a feature to finally work and in the excitement, I immediately committed and pushed to GitHub. I only realized my error when I got a notification from GitGuardian that my latest commit contained secret keys.

If you find yourself in the same position, the first thing you do is change the visibility of the repo. So, if it's a public repo, make it private. This way, you're sure no one else sees the file while you're working on deleting it.

Next thing, if you aren't already in the project folder, cd into it on git bash or whatever terminal you are using. Let's assume my project folder is My-Project and I have a file named secretFile.json I want to delete.

cd My-Project
Enter fullscreen mode Exit fullscreen mode

then run the following command. You have to include the path to the file and not just the file name.

git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch config/secretFile.json" \
  --prune-empty --tag-name-filter cat -- --all
Enter fullscreen mode Exit fullscreen mode

replacing config/secretFile.json with the path to the file you want to be removed. In my case, secretFile.json is inside of a folder named config.

Note: The command above deletes the file from your local repository too, so ensure you have copied the content to a notepad or whatever you use before running the command.

Then create and add your file to .gitignore so you don't accidentally push it to GitHub again. You can do that with

echo "name-of-your-file" >> .gitignore
Enter fullscreen mode Exit fullscreen mode
git add .gitignore
Enter fullscreen mode Exit fullscreen mode
git commit -m 'add file to .gitignore'
Enter fullscreen mode Exit fullscreen mode

Once you are satisfied with your changes, you can then push them to GitHub

git push origin --force --all
Enter fullscreen mode Exit fullscreen mode

And that's it! Your repo history is clean without any trace of your sensitive file.

Thanks for reading.

Discussion (7)

Collapse
talorlanczyk profile image
TalOrlanczyk

This is a great solution much better then rebase
The only little drawback is the time it takes
As much commit it have the longer the time it takes

Collapse
sophie profile image
Sophia Enakpoya Author

Thanks for the nice comment. And yes, I suspect it could take a little time if the commit is way behind and you don’t discover sooner. Although, if you have GitGuardian connected, you get notified immediately the file gets pushed to GitHub and then, you can quickly remove it.

Collapse
gilfewster profile image
Gil Fewster

Very helpful post to resolve a problem we all get caught out by every once in a while!

Collapse
sophie profile image
Sophia Enakpoya Author

Thanks Gil. πŸ‘πŸ»

Collapse
waize profile image
Paul Reicherzer • Edited on

What will happen if your project ist no one-maintainer-code and some buddy already has this change checked out.
Will he get troubles if he pulls the current changes?

Collapse
sophie profile image
Sophia Enakpoya Author

Not at all. Once they pull in the current changes, they have to rebase and not merge any branches created off of the old history. Cos a merge could potentially reintroduce the history you just filtered out

Collapse
segnova profile image
Joshua Segura

Awesome