GitHub secret leak: step-by-step fix
GitHub is very good at detecting secrets — removing them from every copy of history is hard. This guide aligns with GitHub’s own documentation and pairs with our committed API key playbook.
1. Read the alert carefully
GitHub secret scanning can trigger on:
- Pushed commits to GitHub-hosted repos.
- Public forks and mirrors (worst case).
Official overview: About secret scanning.
Push protection may block the push before it lands on GitHub — if you bypassed it, treat the leak as high severity.
2. Phase A — Revoke before you rewrite history
- Go to the provider (Stripe, AWS, Slack, etc.) and revoke or rotate the credential.
- Update deployments and CI with the new value.
Why: mirrors, local clones, and attacker scrapers may already have the blob. History rewrite is hygiene, not time travel.
3. Phase B — Remove from future commits
git rm --cached .env   # if .env was tracked: stops tracking it, file stays on disk
# edit files to remove embedded tokens, then stage those edits
git add -A
git commit -m "Remove leaked secrets (credentials rotated)"
Ensure .gitignore covers the path — practical Git guide.
4. Phase C — Purge from history (coordination required)
GitHub documents the supported tool: git filter-repo.
Guide:
Removing sensitive data from a repository
Outline (read the full doc before running):
- Install git-filter-repo.
- Clone a fresh mirror or follow GitHub’s recommended clone pattern.
- Run filter-repo to remove paths or replace strings across history.
- Force-push (git push --force) all affected branches and tags — every collaborator must re-sync from the rewritten history.
- Consider cached copies on GitHub’s side, per GitHub’s instructions (they may retain backups briefly — still rotate secrets).
Do not use tutorials that recommend the deprecated git filter-branch without understanding how to recover if it goes wrong.
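The following is an added walkthrough of Phase B and Phase C on a throwaway repository; it is not from this guide or from GitHub’s documentation. It assumes git is installed (and git-filter-repo for Phase C), uses a constructed, non-functional placeholder token, and the function names, file names and the ***REMOVED*** replacement string are this example’s own choices. The secret_still_in_history check is the part worth keeping: run it before and after the purge so you know the rewrite actually reached every commit.

```shell
#!/bin/sh
# Added worked example for Phase B and Phase C on a throwaway repository.
# Not from the guide or from GitHub's docs. DEMO_SECRET is a constructed,
# non-functional placeholder; paths and function names are this example's own.
set -eu

DEMO_SECRET='sk_live_EXAMPLE0000000000000000'   # constructed fake token

# Run git inside repo $1 with a fixed identity so commits work on a bare machine.
g() {
    _repo=$1; shift
    git -C "$_repo" -c user.name=demo -c user.email=demo@example.invalid "$@"
}

# Build a two-commit repo whose history carries the token in .env and app.cfg.
make_demo_repo() {
    mkdir -p "$1"
    g "$1" -c init.defaultBranch=main init -q
    printf 'STRIPE_KEY=%s\n' "$DEMO_SECRET" > "$1/.env"
    printf 'api_key = "%s"\n' "$DEMO_SECRET" > "$1/app.cfg"
    g "$1" add .env app.cfg
    g "$1" commit -q -m "Initial commit (leaks a key)"
    printf 'feature = on\n' >> "$1/app.cfg"
    g "$1" commit -q -am "Add feature flag"
}

# The check to run before and after the purge: exit 0 if $2 is present in any
# commit reachable from any ref of repo $1, exit 1 if it is gone everywhere.
secret_still_in_history() {
    g "$1" grep -q -F -e "$2" $(g "$1" rev-list --all)
}

# Phase B: untrack .env, ignore it, scrub app.cfg, commit. HEAD is now clean,
# but every earlier commit still contains the token.
phase_b() {
    g "$1" rm -q --cached .env
    printf '.env\n' >> "$1/.gitignore"
    sed -i.bak "s/$DEMO_SECRET/REDACTED_ROTATED/" "$1/app.cfg"
    rm -f "$1/app.cfg.bak"
    g "$1" add .gitignore app.cfg
    g "$1" commit -q -m "Remove leaked secrets (credentials rotated)"
}

# Phase C: rewrite every commit with git filter-repo --replace-text. Each line
# of the expressions file is "literal==>replacement". Returns 2 when
# filter-repo is not installed. --force is needed only because this scratch
# repo is not the fresh clone GitHub's guide tells you to work from.
phase_c() {
    command -v git-filter-repo >/dev/null 2>&1 || return 2
    printf '%s==>***REMOVED***\n' "$DEMO_SECRET" > "$1.expressions"
    git -C "$1" filter-repo --force --replace-text "$1.expressions"
}

# End-to-end walkthrough with the before/after checks.
demo() {
    work=$(mktemp -d)
    make_demo_repo "$work/repo"
    phase_b "$work/repo"
    if secret_still_in_history "$work/repo" "$DEMO_SECRET"; then
        echo "after Phase B: token still in history (expected, HEAD alone is clean)"
    fi
    if phase_c "$work/repo"; then
        if secret_still_in_history "$work/repo" "$DEMO_SECRET"; then
            echo "after Phase C: token STILL in history, investigate before pushing"
        else
            echo "after Phase C: token gone from every commit; force-push and have collaborators re-clone"
        fi
    else
        echo "git filter-repo not installed; Phase C skipped"
    fi
    echo "reminder: $work/repo/.env is untracked but still on disk (see section 7)"
}

# Run the walkthrough only when invoked as: sh this_script.sh run
if [ "${1:-}" = run ]; then demo; fi
```

The scratch repo has no remote, so the force-push step is left to you; on a real repo it is the point at which every collaborator’s clone diverges, which is why the phase needs coordination. In CI the hand-rolled grep is the job a scanner such as gitleaks does with a rule set instead of one known literal.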
5. Phase D — Org-wide hygiene
- Enable secret scanning + push protection for private repos where policy allows.
- Add gitleaks in CI on pull requests.
- Train developers on why .env files leak.
6. If the repo was public
Assume full compromise of the secret. Rotate immediately; consider legal/comms if customer data access was possible.
7. Developer laptops after the incident
Remove stale material from:
- Local .env / .env.backup files.
- PassStore archives (delete old rotated entries after the grace period).