Removing sensitive details from git history
In the early stages of software development, it can be tempting to use a hard-coded password for quick and dirty access. Later, when the project has grown and handles authentication more seriously, you don’t want old passwords lying around in your git history: even after you remove them from the current code, the history remains. Warning: Be sure to back up the repo before trying this out!
So here is one way to replace a password string with something else in git. An example: you have been using the password sUp3rs3cr3tpassw0rd. Since it’s actually a password you use elsewhere, you want it gone from your git history and replaced by HIDDENPASS. This only works on one branch, so a good idea is to get rid of all other branches and concentrate on the master branch.
    git filter-branch --tree-filter "find . -type f -exec sed -i -e 's/sUp3rs3cr3tpassw0rd/HIDDENPASS/g' {} \;"
This will go through the entire commit history of the branch, replacing the string and rewriting each commit. Depending on the size of your project, this can take a very long time! It’s not a perfect solution, but it does the job. So, lesson learned: never use hard-coded passwords in code or in a repository. A much better idea is to store the password in a text file that should never be included in any commit.
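An added check, not part of the original post: it builds a throwaway repository, runs the tree-filter command from above, and counts the commits that still contain the password. It assumes git with filter-branch and GNU sed; the repository contents and the helper names (commits_with_secret, make_demo_repo, rewrite_current_branch) are constructed for illustration.

```shell
#!/bin/sh
# Added example. The repo, files and commits are constructed in a temp dir;
# the password and replacement strings are the ones used on this page.
# Assumes git and GNU sed (the page's `sed -i -e` form).
set -eu
SECRET='sUp3rs3cr3tpassw0rd'

# Print how many commits reachable from the given rev-list args still
# contain the string anywhere in their tree.
commits_with_secret() (   # usage: commits_with_secret <repo> <string> <rev-list args>
    repo=$1; needle=$2; shift 2; n=0
    for c in $(git -C "$repo" rev-list "$@"); do
        if git -C "$repo" grep -q -F -e "$needle" "$c"; then n=$((n + 1)); fi
    done
    echo "$n"
)

# Constructed sample repo: the password is committed first, then a second commit.
make_demo_repo() (
    repo=$(mktemp -d)
    git -C "$repo" init -q
    git -C "$repo" config user.email demo@example.invalid
    git -C "$repo" config user.name demo
    echo "password = $SECRET" > "$repo/settings.ini"
    git -C "$repo" add settings.ini
    git -C "$repo" commit -q -m 'add settings'
    echo 'print("hello")' > "$repo/app.py"
    git -C "$repo" add app.py
    git -C "$repo" commit -q -m 'add app'
    echo "$repo"
)

# The page's tree-filter command, run on the checked-out branch.
rewrite_current_branch() (
    cd "$1"
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --tree-filter \
        "find . -type f -exec sed -i -e 's/$SECRET/HIDDENPASS/g' {} \;" >/dev/null 2>&1
)

demo() {
    repo=$(make_demo_repo)
    echo "before rewrite, HEAD: $(commits_with_secret "$repo" "$SECRET" HEAD)"
    rewrite_current_branch "$repo"
    echo "after rewrite, HEAD:  $(commits_with_secret "$repo" "$SECRET" HEAD)"
    echo "after rewrite, --all: $(commits_with_secret "$repo" "$SECRET" --all)"
    rm -rf "$repo"
}
demo
```

The last count stays above zero because filter-branch keeps the pre-rewrite commits under refs/original/, so the password is still stored in the repository until that backup ref and the reflog entries are gone.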
If there’s a file you really want to get rid of in your commit history, you can do something like this:
    git filter-branch --index-filter 'git rm --cached --ignore-unmatch <file>'
Keep in mind, though, that all of these operations are a gateway to a world of merge conflicts for people who are syncing against the repository.
There is also another tool, BFG, written in Scala, that does this a lot faster and can also remove large blobs from the git history.
Source:
http://www.davidverhasselt.com/git-how-to-remove-your-password-from-a-repository/