Removing Sensitive Information from Git History
Git Rebase FTW!
We have all gone through this problem at some point in our development careers: we mistakenly pushed sensitive info to GitHub and now need to remove it. The sensitive info can be anything, like a prod .env file or passwords hard-coded in the code.
Luckily, it's pretty straightforward to remove that change from git history, both from your local repository and from the remote repository.
For the demonstration, I've created a local git repository and populated it with some fake git commits to demonstrate what you may actually do.
$ git log --oneline
d5d9f70 (HEAD -> main) some more changes to main
c05631b Added Password
ac547a8 Added Main File to Project
Here, I have used the commit messages to make clear that the commit with hash c05631b adds sensitive information to our git history. Now, we need to remove that.
If you're having a hard time finding which commit actually changed the password, you can use the following git command...
git log -p fileName
Use git rebase with this commit hash to rebase our git history from that commit onwards. The trailing ^ points the rebase at the commit's parent, so that c05631b itself appears in the todo list.
$ git rebase -i c05631b^
pick c05631b Added Password
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
# <Hidden for Content Purpose>
Now, edit the text in the editor. We need to edit the commit which added the password to the git history. So, I'll rewrite the first line as follows...
edit c05631b Added Password
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
Note the first line: I've replaced pick with edit. After I save and exit the text editor, git stops the rebase at that commit so that I can change it.
Now, edit your password file. I will remove the password from the .env file in this case.
Then I will add the changes to the commit using the following command.
$ git commit --amend -a -m "Removed Sensitive Content"
This will update the message in that commit and also the changed file.
Now, I will continue the rebase using the following command...
$ git rebase --continue
Now, git will try to update the git history by replacing that specific commit with our new change. We may also get some conflicts in the process.
This section is optional. If that's all you want, you can skip this section and go straight to the Pushing To GitHub section.
Now, I will drop the same commit.
Use the git rebase command as before, pointing it at the commit's parent with ^, but keep in mind that the commit hash will have changed. So, grab your commit hash again using git log.
git rebase -i ab5edff^
Now, change the pick line to drop, which will actually remove the commit from git history.
Make sure you aren't dropping a commit which has other changes; it's generally a bad idea to drop a commit. Or, it was a bad idea to create it :D.
$ git rebase -i c05631b^
drop c05631b Removed Secure Content
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
# <Hidden for Content Purpose>
After you save and exit this file, git automatically removes your commit and updates the git history.
$ git log --oneline
9f865e5 (HEAD -> main) some more changes to main
ac547a8 Added Main File to Project
Pushing To GitHub
If this repository has already been pushed to GitHub, rebasing it is always bad news, because it will cause conflicts in all of your co-workers' git histories.
The command given below will do the job.
$ git push origin main --force
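A check worth running between the rebase and the force push, written here as an added example that is not part of the original post: it scans every commit still reachable from a branch or tag for the leaked string. The function names commits_containing, history_is_clean and make_demo_repo are hypothetical, and the password value is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a leaked string is
# gone from history before running the force push.

# commits_containing <repo> <string> [rev-list options]
# Prints the hash of every commit whose tree contains <string>.
# Default scope is --all: commits reachable from HEAD and from any
# branch or tag.
commits_containing() {
    cc_repo=$1; cc_needle=$2; shift 2
    [ $# -gt 0 ] || set -- --all
    git -C "$cc_repo" rev-list "$@" | while read -r cc_rev; do
        # -F treats the string literally; exit status 0 means it was found
        if git -C "$cc_repo" grep -q -F -e "$cc_needle" "$cc_rev"; then
            echo "$cc_rev"
        fi
    done
}

# history_is_clean <repo> <string>: succeeds only when no commit in the
# default scope still contains the string.
history_is_clean() {
    [ -z "$(commits_containing "$1" "$2")" ]
}

# make_demo_repo <dir>: constructed repository with the same three commits
# as the post; the password value is a made-up sample.
make_demo_repo() (
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git init -q "$1" && cd "$1" || exit 1
    echo 'print("hello")' > main.py
    git add main.py && git commit -q -m "Added Main File to Project"
    echo 'DB_PASSWORD=constructed-sample-123' > .env
    git add .env && git commit -q -m "Added Password"
    echo 'print("more")' >> main.py
    git commit -q -a -m "some more changes to main"
)
```

Passing --all --reflog as the extra arguments to commits_containing widens the scan to commits that only the local reflog still references, which is where the pre-rebase commits remain after the rewrite.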