I'm Atsushi Suzuki, and I'm a software developer at a startup in Tokyo. I'm interested in working abroad in the future, so I've decided to start sharing my thoughts and experiences on dev.to, both to practice my English and to connect with the global community.
While there may be over 100 similar articles out there, I've put together a fresh recap specifically for beginner engineers.
Situation
For illustration purposes, consider the following situation.
- A file in the .serverless subdirectory, which the Serverless Framework generates when you deploy, contained API key information.
- The .serverless subdirectory should not be Git-managed, but it was accidentally pushed to a remote repository.
- The project uses git-flow for branch management, and there are multiple feature branches.
Step 1: Remove the relevant directory from Git management
Following git-flow, create a feature branch from the latest develop branch.
In this feature branch, remove the .serverless directory from the index (the files stay on disk, Git just stops tracking them).
git rm -r --cached .serverless
Add .serverless to the .gitignore file so that future commits ignore this directory.
echo ".serverless" >> .gitignore
Commit the changes, push them to the remote, and merge them into develop.
Then merge the latest develop into every feature branch that is still in progress, so that .serverless is removed from Git management there as well.
*If you skip this, a feature branch that still tracks .serverless (for example because a later deploy committed fresh files under it) can bring those files back, or conflict with the .gitignore change, when it is merged into develop.
Now you can follow git-flow and merge in the order develop -> staging -> main, and .serverless will be gone from every active branch.
Note that this only fixes the tip of each branch: the directory is still present in every earlier commit, which Step 4 deals with. It also does not revoke the key; treat it as compromised and rotate it.
Step 2: Install git-secrets
Have all development members install git-secrets.
git-secrets installs Git hooks that scan each commit for patterns of sensitive information (AWS keys by default) and reject the commit before it can reach the remote.
*Because Git hooks live in .git/hooks and are not versioned, git-secrets has to be set up in every clone of the repository; make it part of the procedure a developer follows when cloning.
First, instruct all development members to install git-secrets.
The installation procedure varies by platform.
# macOS
brew install git-secrets
# Linux
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
make install
Each member then activates git-secrets by running the following commands in their local clone.
cd <your_repository>
git secrets --install
git secrets --register-aws
git secrets --install writes the hooks into the repository's .git/hooks, and hooks apply to the whole repository, not to a branch.
There is therefore no need to rerun git secrets --install or git secrets --register-aws when creating a new feature branch; they do have to be run again in every fresh clone. The AWS patterns can also be registered once for all repositories on a machine by adding the --global option to git secrets --register-aws.
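To make concrete what "block commits containing sensitive information" means, here is a small POSIX sh scanner of the kind a git-secrets pre-commit hook runs. This is an added example, not code from the original post or from git-secrets itself: the two AWS regexes approximate the ones `git secrets --register-aws` registers, and the generic apiKey regex is an assumption about the shape of the leaked Serverless key, not a pattern git-secrets ships. The sample files are constructed here; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID, not a real credential.

```shell
#!/bin/sh
# Added example: a git-secrets-style scanner over a list of files.
# The AWS patterns approximate those registered by `git secrets --register-aws`;
# API_KEY_RE is an assumed shape for a leaked Serverless API key (not from git-secrets).

# AWS access key IDs: a known 4-character prefix followed by 16 uppercase letters/digits.
AWS_KEY_ID_RE='(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'
# A 40-character secret assigned to something named *secret*access*key* (optional quote = .?).
AWS_SECRET_RE='(SECRET|secret|Secret)_?(ACCESS|access|Access)_?(KEY|key|Key).?[[:space:]]*[:=][[:space:]]*.?[A-Za-z0-9/+=]{40}'
# Generic "apiKey: <token of 20+ chars>" assignment (assumed shape, see above).
API_KEY_RE='[Aa][Pp][Ii][_-]?[Kk][Ee][Yy].?[[:space:]]*[:=][[:space:]]*.?[A-Za-z0-9_-]{20,}'

# scan_for_secrets FILE... : print "file:line:content" for every suspicious line;
# return 1 if anything matched (a hook would abort the commit here), else 0.
scan_for_secrets() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Passing /dev/null as a second file makes POSIX grep prefix the file name.
        if grep -n -E -e "$AWS_KEY_ID_RE" -e "$AWS_SECRET_RE" -e "$API_KEY_RE" "$f" /dev/null; then
            found=1
        fi
    done
    return $found
}

# demo_scan : run the scanner over three constructed files (two leaky, one clean).
# Expected: 3 reported lines and exit status 1.
demo_scan() {
    dir=$(mktemp -d)
    cat > "$dir/serverless-state.json" <<'EOF'
{ "provider": { "apiKeys": ["prodApiKey"] }, "apiKey": "x2K9dM4pQ7vR1tL8nB3cF6hJ" }
EOF
    cat > "$dir/config.env" <<'EOF'
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
EOF
    cat > "$dir/README.md" <<'EOF'
Deploy with `serverless deploy`; keys live in SSM, never in git.
EOF
    scan_for_secrets "$dir/serverless-state.json" "$dir/config.env" "$dir/README.md"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if demo_scan; then
    echo "no secret-like strings found; commit would be allowed"
else
    echo "secret-like strings found; a pre-commit hook would block this commit"
fi
```

In a real hook you would feed `git diff --cached --name-only` into `scan_for_secrets` and exit non-zero on a hit; git-secrets does exactly this, plus allow-listing via `git secrets --add --allowed`.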
Step 3: Delete inactive branches in the remote repository
Don't forget to delete stale branches that have been left behind on the remote: any branch that still contains .serverless keeps the key reachable, and it will not be cleaned by the history rewrite unless it is included in that rewrite.
Step 4: Remove confidential information from past commit history
Use git filter-branch to rewrite the previous commits that contain sensitive information.
git filter-branch --force --index-filter 'git rm -r --cached --ignore-unmatch .serverless' --prune-empty --tag-name-filter cat -- --all
This removes the .serverless directory from every previous commit (on every branch and tag) that contained it.
The rewrite only changes your local clone, so the new history must be force-pushed to the remote. Other developers' clones are not affected automatically: they must re-clone, or hard-reset their branches to the rewritten history, rather than merge, or the old commits (and the key) come straight back.
git push origin --force --all
git push origin --force --tags
Locally, the original commits stay reachable under refs/original/ and in the reflog until you delete those refs and run git gc, so check with git grep over the remaining refs before declaring the history clean.
Tools such as BFG Repo-Cleaner, and git filter-repo (which the Git project now recommends over filter-branch), do the same job and are considerably faster on large repositories. As the comment below also points out, none of this revokes the leaked key: rotate it first.
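The following is an added end-to-end demonstration of Step 1 and Step 4 on a throwaway repository, not code from the original post. It assumes git is installed and builds its own temporary repository, commits a constructed .serverless file containing AKIAIOSFODNN7EXAMPLE (AWS's documented placeholder), runs the same filter-branch command as above, and then performs the verification the post leaves implicit: deleting the refs/original backups and checking with git grep that the key is unreachable from every ref. The dev@example.com identity is a placeholder for the demo.

```shell
#!/bin/sh
# Added example: Step 1 + Step 4 on a temporary repo, with verification.
# Assumes git is installed; everything else is constructed in a temp dir.

FAKE_KEY='AKIAIOSFODNN7EXAMPLE'   # AWS documented placeholder, not a real key

# purge_path_from_history PATH : rewrite every branch and tag so PATH never
# existed, then remove the backups filter-branch leaves behind (refs/original/
# and the reflog), which otherwise keep the secret reachable in this clone.
purge_path_from_history() {
    path=$1
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --force \
        --index-filter "git rm -r --cached --ignore-unmatch -q $path" \
        --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1 || return 1
    git for-each-ref --format='%(refname)' refs/original/ |
        while read -r ref; do git update-ref -d "$ref"; done
    git reflog expire --expire=now --all
    git gc --prune=now -q
}

# secret_reachable PATTERN : exit 0 if PATTERN occurs in any tree reachable
# from any ref. This is the check to run before trusting a rewritten history.
secret_reachable() {
    # shellcheck disable=SC2046
    git grep -q -e "$1" $(git rev-list --all) 2>/dev/null
}

# demo_purge_history : build the leak, apply Step 1, show the key is still in
# history, apply Step 4, and verify it is gone. Returns 0 only if every check passes.
demo_purge_history() {
    work=$(mktemp -d)
    (
        cd "$work" || exit 1
        git init -q . 2>/dev/null
        git config user.email dev@example.com   # placeholder identity
        git config user.name dev
        git config commit.gpgsign false

        # Commit 1: the accidental leak described in the Situation section.
        mkdir .serverless
        printf '{"apiKey":"%s"}\n' "$FAKE_KEY" > .serverless/serverless-state.json
        echo 'service: demo' > serverless.yml
        git add -A && git commit -q -m 'deploy config (includes .serverless by mistake)'
        # Commit 2: unrelated work on top, so the leak is buried in history.
        echo '# demo' > README.md
        git add README.md && git commit -q -m 'add readme'

        # Step 1: stop tracking the directory and ignore it from now on.
        git rm -r -q --cached .serverless
        echo '.serverless' >> .gitignore
        git add .gitignore && git commit -q -m 'remove .serverless from git'

        # Step 1 alone leaves the key in commit 1; that is the whole problem.
        secret_reachable "$FAKE_KEY" || exit 2

        # Step 4: rewrite history, then verify nothing reachable still has it.
        purge_path_from_history .serverless || exit 3
        if secret_reachable "$FAKE_KEY"; then exit 4; fi

        # The untracked copy stays on disk for deploys, but is now ignored by git.
        [ -f .serverless/serverless-state.json ] || exit 5
        git status --porcelain | grep -q '^?? .serverless' && exit 6
        exit 0
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

demo_purge_history && echo "history verified clean: $FAKE_KEY is unreachable from any ref"
```

The exit codes from the subshell tell you which check failed: 2 means the key was unexpectedly absent before the rewrite, 4 means it survived the rewrite (typically because refs/original/ or another branch still pointed at the old commits), and 6 means .gitignore did not take effect. Note what the demo cannot show: the remote and every other clone still hold the old objects until they are force-pushed over and re-cloned, and the key itself remains valid until rotated.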
Top comments (4)
Hey there, welcome to the community! It's great to have you here. I just stumbled upon your post and I gotta say, it's awesome! Thanks for sharing your thoughts with us.
Don't be shy, come say hi in the welcome thread! We're a friendly bunch and we'd love to get to know you better. Plus, it's a great way to jump right in and start making some connections with other members.
Big +1 to this awesome comment!
Nice post. This isn't really related to git but it's also critically important to go and invalidate the leaked secrets and generate new ones if this happens.
rtyley.github.io/bfg-repo-cleaner/