DEV Community

Cover image for Removing a .env file from Git history
Chris Bongers
Chris Bongers

Posted on • Originally published at daily-dev-tips.com

Removing a .env file from Git history

I'm sure this happens to everyone sometimes. You accidentally pushed a file with secrets or a password that shouldn't have gotten into the Git history.

In the following example, I "accidentally" pushed my .env file to Git simply because I forgot to add it to me .gitignore file.

Removing a secret file from Git history

Note: If you accidentally pushed secret keys to a repo, you should always revoke them and generate fresh keys!

Removing the file right away

The best thing to do now is to remove the file right away and add it to your .gitignore file.

In my case, I added the following to the .gitignore.



# Secret file
.env


Enter fullscreen mode Exit fullscreen mode

Let's try and push that to see what happens.

Gitignore doesn't work on existing files

Yep, the .gitignore file doesn't untracked already committed changes. So how can we fix this now?

Removing a file from Git only

You can remove a file from Git by running the following command.



git rm -r --cached .env


Enter fullscreen mode Exit fullscreen mode

If we then push this change, you will see that the file is gone in GitHub.

Removing a file from Git

However, this didn't completely solve our issue. If we look at our Git history, we can still find the file and expose the secrets!

Exposing secrets through Git history

Completely remove a file from Git history

To remove the file altogether, we can use the following command.



git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD


Enter fullscreen mode Exit fullscreen mode

You will get some warnings about this messing up your history as this goes through your whole history and 100% removes its occurrence.

To push this, you have to run the following command.



git push --force


Enter fullscreen mode Exit fullscreen mode

If we look at our history, we can still see the commits that include this .env file, but the content is empty.

Fully removed file in Git

Few, thanks for having our back Git!

You can find the repo it tried this in on GitHub.

Thank you for reading, and let's connect!

Thank you for reading my blog. Feel free to subscribe to my email newsletter and connect on Facebook or Twitter

Top comments (20)

Collapse
 
raulbarriga profile image
raulbarriga

This is the most succinct and direct guide I've ever read on this issue!. Thank you so much! I have to save this now for future reference.

Collapse
 
dailydevtips1 profile image
Chris Bongers

Glad it helped πŸ’–

Collapse
 
pedropenduko profile image
Rommel Laranjo • Edited

Thanks Chris! This saves me from future troubles.

Collapse
 
pervezc profile image
Pervez Choudhury

Good article - you should add a paragraph about needing to rotate the secrets that were checked since they have now been publicly exposed (albeit briefly)

Collapse
 
dailydevtips1 profile image
Chris Bongers

I've added a small note for that :)

Forgot it in the initial draft.

Collapse
 
drishit96 profile image
Drishit Mitra

I tried this on my repository, got the same result on GitHub.
However, I found a small gotcha. If you put the file name in commit message like 'Add .env' and you do git log --all --grep='.env', then you get 2 commits pointing to it. One is the old commit and the other one is the new rewritten commit.
And if you copy the old commit id and search it in GitHub, then you will be able to see the content of the file.
Even if you don't put the name of the file in the commit msg, there's still a possibility of an attacker going through all the commits and finding the .env file.

Collapse
 
dailydevtips1 profile image
Chris Bongers

Wow, nice catch Drishit!

Didn't think that far ahead to be honest!
So well done on exposing this, def worth while fixing that as well.

Collapse
 
juanvqz profile image
Juan Vasquez

I guess, we should take into account the affected commits will change their SHA it will cause conflicts with already cloned repositories, doesn’t it?

Collapse
 
dailydevtips1 profile image
Chris Bongers

Good question actually!

Not to sure how it behaves on cloned repo's.

Collapse
 
mrgnth profile image
Thomas Schmitt

Oh this will mess up the history of the repo real good and anybody who tries to pull force-pushed commits will get errors. But if anyone is pushing secrets to a central branch that a team is pulling from, that team has bigger problems anyway.

Thread Thread
 
juanvqz profile image
Juan Vasquez

The solution that I have in picture is just notify the team to wait for the fix then do the β€œpull β€”force”, because as you said it’s an important security fix then all will be sync and can work.

Thread Thread
 
dailydevtips1 profile image
Chris Bongers

Unfortunately things like this (maybe not a .env file) but a hardcoded secret perhaps? might ever be committed and even pass a PR.

Mistakes are human, and agree once this happens you should notify the team and work on getting this sorted right away and make sure everyone is up to date in source again.

Collapse
 
vigo profile image
Uğur "vigo" Γ–zyΔ±lmazel

brew install bfg

Collapse
 
leon0824 profile image
Leon

As long as a repo is private or local, a .env file could be commit into the repo.

Collapse
 
dailydevtips1 profile image
Chris Bongers

I would also urge to not do that.
What happens when you decide to introduce someone else, sell the project or code gets leaked?

Collapse
 
ishakmohmed profile image
Mohmed Ishak

Perfect, I've been looking for this my entire life. 😭

Collapse
 
dailydevtips1 profile image
Chris Bongers

Glad it helps Mohmed! πŸŽ‰

Collapse
 
abh1navv profile image
Abhinav Pandey

Nice article as usual Chris! πŸ‘

Have you thought about linking all the Git articles into a series? I think that would be helpful for someone who lands on them in the future.

Collapse
 
dailydevtips1 profile image
Chris Bongers

Good point Abhinav.

Always forget to do that as it's automatic on my blog!
Doing it right now! πŸ‘€

Collapse
 
uptoeleven profile image
Simon Brown • Edited

done this but the file is still there, if I look at the initial commit and at the commit I made to remove the file (last year).