Accidentally pushed sensitive data? Follow these steps to undo the damage.
If you have accidentally pushed some sensitive information to a remote repository, you don’t need to panic. Take couple of deep breaths; Wipe the sweat off your forehead; And follow the steps below.
First, control the damage:
Any sensitive information pushed to a public repository should be considered compromised. So if there are passwords and private keys in those commits, change them right now!
Scenario 1: You pushed sensitive information in your last commit.
If the sensitive information was in the last commit you just pushed to remote, you can amend it right away. Here we use the
master branch as an example but you could do this on any branch.
Edit the file containing the sensitive information and stage your changes:
If you want to remove an entire file but keep it locally, use
git rm. Then add it to
.gitignore to prevent this from happening again. Stage the changes.
Amend the commit (add
--no-edit if you don’t want to edit the commit message).
Push to remote. Use
—force-with-lease to make sure you don’t overwrite the remote branch by mistake in case more people have committed to it after your last commit.
Scenario 2: There is sensitive information in an old commit.
In this scenario, some sensitive information was committed and pushed to a branch. Many more commits have been made afterwards to that branch.
This is a slightly tricky situation. I will use an example to guide you through it.
git log shown below, some sensitive data was added to a file in commit
d30716e Add api info to file. We are going to go back in history to that commit, change its content, amend it and get back.
Everyone involved in the project should close all their open pull requests and stash all their local changes.
Now you can do a clean pull from origin master:
It’s time for an interactive rebase. In this example, the offending commit is two commits behind current
HEAD. So we do an interactive rebase with its parent commit:
This will open the default editor and lists all the commits involved. Mark the commit you want to change by changing pick to edit . Save and close the editor. This will move
HEAD to that commit so that you can edit the files.
Go ahead and remove the sensitive info. Stage any edited files and amend the commit:
Continue the rebase process:
Fix any conflicts that might arise in favour of your changes.
Push your changes to the remote branch with force:
Now you can ask your collaborators to do a clean pull from origin of that branch.
Great job! You just undid the damage! 👏