How to remove credentials from GIT history!
If you happen to have read my other article about GIT push to multiple servers, you might have noticed that if your secret files were pushed to your GIT repository in the first place, just removing those files from your branch does not make them inaccessible throughout your GIT history.
Reviewing the GIT history can easily reveal that information. If you can change your secrets and create new ones, then you are fine. But what if you really can't change them? Here I explain how to alter your GIT history to get rid of those footprints.
So, let’s purge credentials from GIT history.
WARNING: ALTERING THE HISTORY OF ANY RCS (INCLUDING GIT) IS HIGHLY DISCOURAGED BECAUSE IT DEFEATS THE PURPOSE OF AN RCS. I HIGHLY RECOMMEND CHANGING YOUR CREDENTIALS IF POSSIBLE AND LEAVING YOUR RCS HISTORY INTACT.
How is it possible?
GIT has a command called ‘filter-branch’. This powerful tool lets you rewrite your GIT history. I’m going to use it to alter the GIT history and remove all references to my secret files.
filter-branch in action:
The ‘--index-filter’ argument to filter-branch rewrites the index of every commit in the history (the tree is not checked out for each commit, which is what makes this filter fast). The actual command to run against each index is the parameter of this argument. We are going to use ‘git rm --cached --ignore-unmatch secrets.py’; ‘--ignore-unmatch’ keeps the command from failing on commits that do not contain the file. Needless to say, you need to replace ‘secrets.py’ with the name(s) of the secret file(s) you are going to remove.
To drop the empty commits that filter-branch may create, we use ‘--prune-empty’.
To maintain tags, we use the ‘--tag-name-filter’ argument with the ‘cat’ command. This simply rewrites the tags so that they point to the rewritten objects.
And finally, for the revision list we use ‘--all’ to alter the history of all revisions.
Put it all together:
git filter-branch --force --index-filter 'git rm --cached --ignore-unmatch secrets.py' --prune-empty --tag-name-filter cat -- --all
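As an added, constructed example (not from the original post): the script below builds a throwaway repository that commits a secret file, shows that merely deleting it from the branch leaves it visible in the history and in the tag, then runs the same filter-branch command and removes the backup refs that filter-branch leaves behind so the old objects become unreachable. It assumes git is on PATH; the repository path, file names and secret value are placeholders.

```shell
#!/bin/sh
# Constructed demo (not from the post): commit a secret, "remove" it the naive way,
# then purge it from every commit and tag with the filter-branch command above.
# Assumes git on PATH; repo path, file names and the secret value are placeholders.
set -eu

make_demo_repo() {
  repo="$1"
  rm -rf "$repo"
  git init -q "$repo"
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  printf 'API_KEY = "constructed-secret-value"\n' > "$repo/secrets.py"
  printf 'print("app")\n' > "$repo/app.py"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m 'initial commit (accidentally adds secrets.py)'
  git -C "$repo" tag v1.0
  # The usual "fix": stop tracking the file on the branch only.
  git -C "$repo" rm -q --cached secrets.py
  printf 'secrets.py\n' > "$repo/.gitignore"
  git -C "$repo" add -A
  git -C "$repo" commit -q -m 'stop tracking secrets.py'
}
# Number of commits, on any ref, that touched secrets.py.
secret_commits() {
  git -C "$1" log --all --oneline -- secrets.py | wc -l | tr -d ' '
}
# Does the v1.0 tag still contain secrets.py? Prints yes or no.
tag_has_secret() {
  if git -C "$1" cat-file -e v1.0:secrets.py 2>/dev/null; then echo yes; else echo no; fi
}
purge_secret() {
  # Same rewrite as the post; the env var only silences git's filter-branch warning.
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch --force \
    --index-filter 'git rm --cached --ignore-unmatch secrets.py' \
    --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
  # filter-branch keeps the old history under refs/original/; drop it and the
  # reflog, then prune, so the leaked blobs are no longer reachable.
  git -C "$1" for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git -C "$1" update-ref -d "$ref"; done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}
REPO="$(mktemp -d)/leaky-repo"
make_demo_repo "$REPO"
BEFORE_COMMITS="$(secret_commits "$REPO")"; BEFORE_TAG="$(tag_has_secret "$REPO")"
echo "before purge: commits touching secrets.py=$BEFORE_COMMITS, in v1.0=$BEFORE_TAG"
purge_secret "$REPO"
echo "after purge: commits touching secrets.py=$(secret_commits "$REPO"), in v1.0=$(tag_has_secret "$REPO")"
```

Note that without deleting refs/original/ and expiring the reflog, the "removed" objects remain reachable locally and are still retrievable by anyone with a clone of the old history, so collaborators have to re-clone or rebase onto the rewritten branches.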
Final notes:
By using ‘filter-branch’ you can alter your GIT history. A common use case of this command is removing credentials from your GIT history. But please keep in mind that if such files were renamed or moved at some point in your GIT history, it is your responsibility to find their old names and remove those too. One can use
git log --name-only --follow -- secrets.py
to find such renames/moves.
Reference:
- GIT man page (man git-filter-branch)