Remove credentials from Git
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
If you've accidentally committed sensitive data, like passwords or API keys, to a Git repository, it's crucial to act quickly to remove this data to prevent security breaches. This article will provide a detailed guide on how to remove credentials from a Git repository, including the implications and best practices.
Understanding the Problem
When you commit files to a Git repository, the history of each change is stored and can be retrieved. This is problematic if sensitive data is included in any of those changes. Even if you delete the file or remove the sensitive data in a new commit, the history remains accessible. Therefore, simply making new commits to hide or remove the data is not sufficient.
Steps to Remove Credentials from Git
1. Using git filter-branch
One of the most common tools to handle this task is git filter-branch. It allows you to rewrite Git history by altering commit data, effectively removing the unwanted data from the repository's history.
Replace PATH_TO_SENSITIVE_FILE with the path to the file containing the sensitive data. This command will remove the file completely from the history of your Git repository.
2. Using BFG Repo-Cleaner
An alternative to git filter-branch is the BFG Repo-Cleaner, a simpler, faster tool designed for cleaning up Git repositories, especially when removing unwanted data like large files or passwords.
Again, replace PATH_TO_SENSITIVE_FILE with the relative path of the file within the repository.
3. Exclude the file from future commits
After removing the file from your history, ensure it is not accidentally re-committed to the repository by adding it to your .gitignore file:
Verify and Reflect Changes
Once you have executed the removal command, use the following command to verify that the sensitive data is no longer in the history:
If no commits are returned, it has been successfully removed from the repository history.
Pushing Changes
After verification, force-push the changes to the remote repository. This step is critical, as it ensures that the remote history is rewritten as well:
Caveats and Considerations
- Warning about
git push --force: This command alters history on the remote repository. If other users have based work on this repository, it will disrupt their history. Coordinate with your team when performing such actions. - Potential for Data Leakage: Even after these changes, sensitive data may still exist in forks or clones or might have been indexed by search engines or other tools. Consider credentials compromised and rotate them as necessary.
Summary Table
| Step | Command/example | Description |
Remove with git filter-branch | git filter-branch --force --index-filter "git rm --cached --ignore-unmatch PATH_TO_SENSITIVE_FILE" --prune-empty --tag-name-filter cat -- --all | Rewrites history to remove specific files. |
| Remove with BFG Repo-Cleaner | java -jar bfg.jar --delete-files PATH_TO_SENSITIVE_FILE my-repo.git | Faster, simpler alternative to git filter-branch for removing files. |
| Ignore future commits | echo "PATH_TO_SENSITIVE_FILE" >> .gitignore | Prevents the file from being re-committed. |
| Verify removal | git log --all -- PATH_TO_SENSITIVE_FILE | Ensure file is removed from all commits. |
| Push changes | git push origin --force --all
git push origin --force --tags | Applies the history rewrite to remote repositories. |
Conclusion
Removing sensitive credentials from a Git repository is a crucial task, requiring careful handling to ensure information security. Always take preventive measures, such as using environment variables or secure vault solutions (e.g., HashiCorp Vault, AWS Secrets Manager) to manage sensitive configurations safely out of source control.

