Removing Sensitive Information from Git History

Git Rebase FTW!

We have all run into this problem at some point in our development careers: we mistakenly pushed sensitive information to GitHub and now need to remove it. The sensitive information can be anything, such as a production .env file or passwords hard-coded in the source.

Luckily, it's pretty straightforward to remove that change from git history, both in your local repository and in the remote repository.

For the demonstration, I've created a local git repository.

I populated it with some fake commits to demonstrate what you would actually do.

$ git log --oneline
d5d9f70 (HEAD -> main) some more changes to main
c05631b Added Password
ac547a8 Added Main File to Project

Editing Commit

Here, I have used the commit messages to make it clear that the commit with hash c05631b adds sensitive information to our git history. Now, we need to remove that.

If you're having a hard time finding which commit actually changed the password, you can use the following git command...

$ git log -p fileName

Now, run an interactive git rebase starting from the parent of this commit (written c05631b^), so that the commit itself appears in the todo list and the history is rebased from that commit onwards.

$ git rebase -i c05631b^
pick c05631b Added Password
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
# <Hidden for Content Purpose>

Now, edit the text in the editor. We need to edit the commit which added the password to the git history. So, I'll rewrite the first line as follows...

edit c05631b Added Password
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)

Note the first line: I've replaced pick with edit. Now, after saving and exiting the text editor, git will stop right after applying that commit, so that I can amend it.

Now, edit your password file. I will remove the password from the .env file in this case.

Then I will add the changes to the commit using the following command.

$ git commit --amend -a -m "Removed Sensitive Content"

This will update both the message of that commit and the changed file.

Now, I will continue the rebase using the following command...

$ git rebase --continue

Now, git will try to update the git history by replacing that specific commit with our new change. We may also get some conflicts in the process.
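The editing procedure above, replayed non-interactively in a throwaway repository (an added example, not part of the original post). The SECRET value, the file contents and the function names are constructed for illustration, and GIT_SEQUENCE_EDITOR with sed stands in for changing pick to edit by hand. It goes one step beyond the text by checking the result: reachable history no longer contains the secret, while the old commit object can still be read by its hash from the local object store.

```shell
#!/usr/bin/env bash
# Added example: replay the "edit" rebase in a scratch repo, then verify the result.
# SECRET, the file names and the commit contents are constructed sample values.
SECRET='DB_PASSWORD=constructed-sample-value'

make_demo_repo() {   # prints the path of a fresh repo holding the three demo commits
  local d; d=$(mktemp -d) || return 1
  {
    git -C "$d" init -q && git -C "$d" symbolic-ref HEAD refs/heads/main &&
    git -C "$d" config user.name demo && git -C "$d" config user.email demo@example.invalid &&
    git -C "$d" config commit.gpgsign false &&
    echo 'print("hi")' > "$d/main.py" && git -C "$d" add -A &&
    git -C "$d" commit -qm 'Added Main File to Project' &&
    echo "$SECRET" > "$d/.env" && git -C "$d" add -A &&
    git -C "$d" commit -qm 'Added Password' &&
    echo '# more' >> "$d/main.py" && git -C "$d" commit -qam 'some more changes to main'
  } >/dev/null 2>&1 || return 1
  echo "$d"
}

scrub_secret() {     # $1 = repo; rewrites history, prints the pre-rewrite hash of the bad commit
  local bad; bad=$(git -C "$1" log --format=%H -S"$SECRET" | tail -n 1)  # oldest commit touching it
  [ -n "$bad" ] || return 1
  {
    # Start from the bad commit's parent and turn its "pick" todo line into "edit".
    GIT_SEQUENCE_EDITOR="sed -i.bak '1s/^pick/edit/'" git -C "$1" rebase -i "$bad^" &&
    sed -i.bak '/^DB_PASSWORD=/d' "$1/.env" && rm -f "$1/.env.bak" &&
    git -C "$1" commit --amend -a -m 'Removed Sensitive Content' &&
    GIT_EDITOR=true git -C "$1" rebase --continue
  } >/dev/null 2>&1 || return 1
  echo "$bad"
}

secret_reachable() { # $1 = repo; true if a commit reachable from any ref adds or removes the secret
  [ -n "$(git -C "$1" log --all --format=%H -S"$SECRET")" ]
}

old_commit_has_secret() { # $1 = repo, $2 = old hash; true while the replaced object is still stored
  git -C "$1" show "$2:.env" 2>/dev/null | grep -qF "$SECRET"
}

repo=$(make_demo_repo) && old=$(scrub_secret "$repo") || exit 1
secret_reachable "$repo" && echo 'secret still reachable' || echo 'reachable history is clean'
old_commit_has_secret "$repo" "$old" && echo "old commit $old still holds the secret locally"
```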

Dropping Commit

This section is optional. If editing the commit is all you want, you can skip this section and go on to the Pushing To Github section.

Now, I will drop the same commit.

Use the git rebase command as before, but keep in mind that the commit hash has changed. So, grab the new commit hash using git log again, and rebase from its parent.

$ git rebase -i ab5edff^

Now, change the pick line to drop, which will remove the commit from the git history.

Make sure you aren't dropping a commit which has other changes; it's generally a bad idea to drop a commit. Or, it was a bad idea to create it :D.

$ git rebase -i c05631b^
drop c05631b Removed Secure Content
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
# <Hidden for Content Purpose>

Now, after saving and exiting this file, git automatically removes your commit and updates the git history.

$ git log --oneline
9f865e5 (HEAD -> main) some more changes to main
ac547a8 Added Main File to Project

YAY!

Pushing To Github

If this repository has already been pushed to GitHub, rebasing it is always bad news, because it will cause conflicts with the git history of all of your co-workers.

The command given below will do the job.

$ git push origin main --force