1

I accidentally committed a sensitive password into source control before pushing to the central repository.

I removed the password from my code and did `git add -A . && git commit --amend` and then `git push origin master`.

Is there any trace of the sensitive password in Git? In other words, when you run `git commit --amend`, does Git have any trace of the commit containing the sensitive data?

(I changed the password just to be sure.)

Angular noob
  • I'm not sure about amend, but if you do a `git rebase -i --root master` and blow that commit away, then a `git push origin master --force`, it is purged to the depths of hell for good. Use cautiously though as you are permanently rewriting history! – Tommy Jun 25 '15 at 18:23
  • There will be some remnants of the change somewhere in the git database no matter what you do. So do what Tommy suggests and for certain, change the password. – Tim Jun 25 '15 at 18:26
  • If he amended before pushing, none of the git objects that contain the password should be on the server. – David Deutsch Jun 25 '15 at 18:27
  • possible duplicate of [Remove sensitive files and their commits from Git history](http://stackoverflow.com/questions/872565/remove-sensitive-files-and-their-commits-from-git-history) – Andrew C Jun 25 '15 at 19:11

3 Answers

0

You'll first need to interactively rebase and remove the commit. This guide has some more information. This is done via `git rebase -i --root master`.

After locally rebasing, you will then need to force-push the commit to the remote. Note that this will mess up history on all cloned copies of the remote repository. You'll ideally need to remove the working copies completely and `git clone` them again. To force-push: `git push --force origin master`.

Will
0

If you didn't push before amending the commit, there is no trace of the password in the remote.

However, the sensitive password still exists in your local repo until the commit gets garbage collected. `git reflog` will show you the commit that still contains the password. Running `git gc` will trigger garbage collection and remove said commit from your local repo too.

More info on git gc: https://www.kernel.org/pub/software/scm/git/docs/git-gc.html

1615903
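
The local-repository behaviour discussed in this answer, reproduced in a throwaway repository as an added example (not part of the original answer; the secret value, file name and function names are constructed). With default settings a plain `git gc` keeps the amended-away commit because the reflog still references it, so the script also expires the reflog and prunes immediately.

```shell
#!/bin/sh
# Added example: throwaway repository, constructed secret value.
SECRET='constructed-example-password'

# Count objects in the local object database (reachable or not, loose or
# packed) whose content contains the string $1.
count_objects_containing() {
    git cat-file --batch-all-objects --batch-check='%(objectname)' |
    while read -r id; do
        if git cat-file -p "$id" | grep -aqF -e "$1"; then echo "$id"; fi
    done | wc -l | tr -d ' '
}

# Runs in a subshell so the caller's working directory is untouched.
demo() (
    repo=$(mktemp -d) || exit 1
    cd "$repo" || exit 1
    git init -q .
    git config user.name demo
    git config user.email demo@example.invalid

    # Commit the secret, then remove it and amend (the question's scenario).
    printf 'password=%s\n' "$SECRET" > settings.conf
    git add -A . && git commit -q -m 'Add settings'
    printf 'password=\n' > settings.conf
    git add -A . && git commit -q --amend -m 'Add settings'

    # History reachable from refs no longer shows the secret ...
    in_history=$(git log -p --all | grep -cF -e "$SECRET" || true)
    # ... but the old blob is still stored locally,
    after_amend=$(count_objects_containing "$SECRET")
    # and survives a plain gc while the reflog entry exists.
    git gc -q
    after_gc=$(count_objects_containing "$SECRET")
    # Drop all reflog entries, then prune unreachable objects right away.
    git reflog expire --expire=now --all
    git gc -q --prune=now
    after_prune=$(count_objects_containing "$SECRET")

    cd / && rm -rf "$repo"
    echo "history=$in_history after_amend=$after_amend after_gc=$after_gc after_prune=$after_prune"
)

demo
```

This only cleans the local clone; it says nothing about copies that were pushed or fetched elsewhere.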
-1

Assuming that the commit that contained the password was the latest commit when you did `git commit --amend`, then the password should be totally removed. You can confirm this by checking out the relevant commits and looking for the password.

David Deutsch