DEV Community

Atsushi Suzuki

Recovering from Accidentally Pushing Sensitive Information to a Remote Git Repository

I'm Atsushi Suzuki, and I'm a software developer at a startup in Tokyo. I'm interested in working abroad in the future, so I've decided to start sharing my thoughts and experiences on dev.to, both to practice my English and to connect with the global community.

While there may be over 100 similar articles out there, I've put together a fresh recap specifically for beginner engineers.

Situation

For illustration purposes, consider the following situation.

  • A file in the .serverless subdirectory, generated when deploying with the Serverless Framework, contained API key information.
  • The .serverless subdirectory should not be Git-managed, but was accidentally pushed to a remote repository.
  • The project uses git-flow for branch management, and there are multiple feature branches.

Step 1: Remove the relevant directory from Git management

Following git-flow, create a feature branch from the latest develop branch.
In this feature branch, remove the .serverless directory from the index (the files themselves stay on disk):

git rm -r --cached .serverless

Add .serverless to the .gitignore file so that future commits will ignore this directory.

echo ".serverless" >> .gitignore

After committing the changes, push them to the remote and merge them into develop.
Then merge the latest develop into each feature branch you are working on, so that .serverless is removed from Git management there as well.
*If you forget this step, merging an old feature branch into the latest develop will bring .serverless back and revert the .gitignore change.

Now you can follow git-flow and merge in the order develop -> staging -> main, and .serverless will be removed from every active branch.

Step 2: Install git-secrets

Have all development members install git-secrets.
git-secrets installs Git hooks that detect and block commits containing sensitive information before they reach the remote repository.
*Ideally, git-secrets is set up when a developer first clones the repository.

The installation procedure varies by platform.

# macOS
brew install git-secrets

# Linux
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
make install

Each member then activates git-secrets by running the following commands in the local repository.

cd <your_repository>
git secrets --install
git secrets --register-aws

Once installed, the git-secrets hooks stay active for the whole local repository rather than for a single branch.
Therefore, there is no need to rerun git secrets --install and git secrets --register-aws when creating a new feature branch.

Step 3: Delete inactive branches in the remote repository

Don't forget to delete stale branches that have been left behind in the remote repository.

Step 4: Remove confidential information from past commit history

Use git filter-branch to rewrite the previous commits that contain sensitive information:

git filter-branch --force --index-filter 'git rm -r --cached --ignore-unmatch .serverless' --prune-empty --tag-name-filter cat -- --all

This removes the .serverless directory from every previous commit that contains it.
The rewrite only changes your local repository, not other developers' clones, so it must be force-pushed to the remote repository:

git push origin --force --all
git push origin --force --tags

It seems that tools like BFG Repo-Cleaner can do the same.
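As an added example (not code from the original post), the following script rehearses Step 1 and Step 4 on a throwaway repository and then checks that the key is gone from every commit still reachable from any ref. The repository contents and the fake key are constructed; git is the only tool assumed.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse Step 1 and Step 4 on a
# throwaway repository and verify the key is gone from every reachable commit.
# Assumes only that git is installed; repo, file name and key are constructed.
set -eu

rehearse_history_rewrite() (
  cd "$(mktemp -d)"
  git -c init.defaultBranch=main init -q .
  git config user.email "dev@example.com"
  git config user.name "Dev"

  # Constructed leak: a deploy artefact that contains a fake API key.
  mkdir .serverless
  echo 'apiKey: CONSTRUCTED-FAKE-KEY-0000' > .serverless/serverless-state.json
  echo 'service: demo' > serverless.yml
  git add -A && git commit -q -m "deploy state (leaks key)"
  echo 'runtime: nodejs18.x' >> serverless.yml
  git commit -q -am "later work on top of the leak"

  # Step 1: stop tracking the directory (files stay on disk) and ignore it.
  git rm -r -q --cached .serverless
  echo ".serverless" >> .gitignore
  git add .gitignore && git commit -q -m "untrack .serverless"

  # Step 4: rewrite every ref so the directory never existed in history.
  FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --force \
    --index-filter 'git rm -r --cached --ignore-unmatch .serverless' \
    --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1

  # filter-branch keeps the old commits under refs/original/; without dropping
  # them and expiring the reflog, the key is still reachable locally.
  for ref in $(git for-each-ref --format='%(refname)' refs/original/); do
    git update-ref -d "$ref"
  done
  git reflog expire --expire=now --all
  git gc -q --prune=now

  # Check: grep every commit still reachable from any ref for the key.
  if git grep -q 'CONSTRUCTED-FAKE-KEY' $(git rev-list --all) 2>/dev/null; then
    echo "leak still present"
    exit 1
  fi
  echo "clean"
)
```

Note that filter-branch leaves a backup under refs/original/, so a force push alone does not make the key unreachable in your local clone; the remote may likewise keep the old objects until its own garbage collection runs.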

Top comments (4)

Kostas Kalafatis

Hey there, welcome to the community! It's great to have you here. I just stumbled upon your post and I gotta say, it's awesome! Thanks for sharing your thoughts with us.

Don't be shy, come say hi in the welcome thread! We're a friendly bunch and we'd love to get to know you better. Plus, it's a great way to jump right in and start making some connections with other members.

Caroline

Big +1 to this awesome comment!

Randall

Nice post. This isn't really related to git but it's also critically important to go and invalidate the leaked secrets and generate new ones if this happens.

Ankur K