First: [Archive] Laurent Bugnion 🏡 🇨🇭 on Twitter: “@IrisClasson What I do is use a tool AND nuke the secret. For example generate new tokens, modify the connection string etc.” / Twitter.
I agree to nuke the secret before, as opposed to after: [Archive] Matt Kerr on Twitter: “@grahamcox82 @IrisClasson That’s why it’s best practice to issue a new key after removing it. There’s no need to worry about the old one being compromised if you’ve revoked it.” / Twitter.
For my reading list:
- [Wayback/Archive.is] Remove sensitive data from your git repository – DEV Community has two approaches:
  - Removing sensitive bits of the local data followed by `git rebase` to rewrite all commits containing the sensitive data
  - `git filter-branch` combined with `git rm` to remove the sensitive data
- This might not be enough according to Jesper:
  - [Archive] Jesper Alf on Twitter: “@IrisClasson The previous commits will still exist until they get GC’ed. Then they’ll be completely gone. You need to be careful to remove all references to those commits though (in a local repo, the reflog often holds references to commits you *thought* were gone, keeping them alive)” / Twitter
  - [Archive] Jesper Alf on Twitter: “@IrisClasson If you google a bit, you can find a script to search the *entire* repo for specific commits, so after rebasing and running git gc, you can run that to see if the bad commits are truly gone” / Twitter
- Via [Archive] Josh Price on Twitter: “@IrisClasson The commits will still be in the repo and any repo that has synced.” / Twitter:
  - [Wayback/Archive] Removing sensitive data from a repository – GitHub Docs which recommends to rewrite history using either:
    - `git filter-repo`
    - BFG Repo-Cleaner
- BFG Repo-Cleaner is also recommended by [Archive] Sean Reilly on Twitter: “@IrisClasson I would use a dedicated repo cleaning tool like the BFG (…), and you’ll need to do a force push afterwards (and anyone else with a fork/checkout of the repo will still be a risk, of course).” / Twitter:
  - [Wayback/Archive] BFG Repo-Cleaner by rtyley: BFG is a simpler, faster alternative to `git-filter-branch` for cleansing bad data out of your Git repository history
All via [Archive] Iris Classon on Twitter: “Don’t shame me for asking this… but… is rebase a safe way to fix accidentally pushing sensitive info to a remote repo? Obviously you’d change the secrets etc. to be sure, but in theory, will rebase remove everything, or is it still in your history somehow?” / Twitter.
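To make Jesper's reflog caveat concrete, here is an added, runnable walk-through (not code from the original post, nor from the DEV Community article, GitHub Docs or the BFG project): it builds a throwaway repo with a constructed fake secret, rewrites history with `git filter-branch`, shows that the old commit object is still alive through `refs/original/` and the reflog, and only after dropping those and running `git gc --prune=now` confirms the object is gone. It assumes `git` is on `PATH`; the repository, file name and secret value are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes git on PATH.
# Returns 0 only if the rewritten-away commit is truly unreachable and pruned.
secret_purge_demo() {
  repo=$(mktemp -d) || return 1
  (
    cd "$repo" || exit 1
    git init -q . || exit 1
    git -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m init || exit 1
    # Constructed sample secret; nothing real.
    printf 'API_KEY=FAKE-CONSTRUCTED-SECRET-1234\n' > config.env
    git add config.env
    git -c user.name=demo -c user.email=demo@example.invalid \
      commit -q -m "add config" || exit 1
    bad=$(git rev-parse HEAD)

    # Step 1: rewrite every commit so config.env never existed.
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f --index-filter \
      'git rm --cached --ignore-unmatch config.env' -- --all >/dev/null 2>&1 || exit 1

    # Jesper's point: the old commit is still present, kept alive by the
    # refs/original/* backup refs and by the reflog.
    git cat-file -e "$bad" 2>/dev/null || exit 2

    # Step 2: drop the backup refs, expire the reflog, prune unreachable objects.
    for ref in $(git for-each-ref --format='%(refname)' refs/original/); do
      git update-ref -d "$ref" || exit 1
    done
    git reflog expire --expire=now --all || exit 1
    git gc -q --prune=now || exit 1

    # Step 3: verify the commit object is gone and no tree still names the file.
    if git cat-file -e "$bad" 2>/dev/null; then exit 3; fi
    if git rev-list --all --objects | grep -q config.env; then exit 4; fi
    exit 0
  )
  rc=$?
  rm -rf "$repo"
  return $rc
}
```

This only cleans the local clone; as Josh Price and Sean Reilly note above, every remote, fork and checkout that already synced still holds the old commits, which is why rotating the secret comes first.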
–jeroen