When managing code repositories in Git, you must know how to remove sensitive files from Git history to keep your project secure. Accidentally committing sensitive information like API keys or credentials in files such as .env can pose a serious risk. Even if the file is removed from the current version, it may still be accessible in the repository’s history.
In this guide, I’ll show you how to permanently remove sensitive files from Git history using BFG Repo-Cleaner, and prevent the issue from happening again by using a .gitignore file.
Why Removing Sensitive Files from Git History is Important
Simply deleting sensitive files like .env from your project directory isn’t enough to ensure they’re gone. Git stores every commit in the repository’s history, which means anyone with access can still retrieve the file. To fully protect your sensitive data, you need to remove these files from the history of your Git repository. Rewriting history is only part of the fix, though: once a secret has been pushed anywhere, treat it as exposed and rotate it, because anyone who cloned the repository before the cleanup still holds the old commits.
What is a Head Commit in Git?
In Git, HEAD refers to the most recent commit in your current working branch. The head commit is the last commit you made. Even after deleting a file from your project, it remains part of the history in previous commits. BFG Repo-Cleaner deliberately leaves the HEAD commit untouched, which is why the file must already be deleted from the current version before you run it (Step 3 below).
What is BFG Repo-Cleaner?
BFG Repo-Cleaner is a powerful tool designed to help you clean up your Git repository by removing unwanted files from history. It simplifies the process of deleting sensitive files from Git history compared to Git’s native git filter-repo command.
Steps to Remove Sensitive Files from Git History Using BFG Repo-Cleaner
Step 1: Update Your Local Repository
Before you start, ensure your local repository is up-to-date by running:
git pull
Step 2: Install BFG Repo-Cleaner
Install BFG Repo-Cleaner by following the instructions on its official website, or use a package manager like Homebrew:
brew install bfg
Step 3: Ensure .env is Removed From the Project
Confirm that the .env file is no longer in your project’s root directory by running:
find . -name ".env"
This command should return no results if the file has been removed.
Step 4: Search Git History for .env
To see if the .env file still exists in the Git history, run the following:
git log --stat --all -- .env
This will show any commits where .env was added or removed.
Step 5: Use BFG Repo-Cleaner to Delete .env from History
Run this command to remove all instances of .env from your repository’s history:
bfg --delete-files .env
Step 6: Clean Up the Repository
After running BFG Repo-Cleaner, use the following commands to clean up your repository:
git reflog expire --expire=now --all
git gc --prune=now --aggressive
Step 7: Verify .env is Removed from History
Run the search again to verify the .env file has been completely removed from your Git history:
git log --stat --all -- .env
This should return no results.
Step 8: Push Changes to GitHub
Push the cleaned repository to GitHub with the --force flag:
git push --force
Wait for about 20 seconds, then refresh your GitHub page to ensure the .env file is no longer in the repository’s history.
Prevent Future Sensitive Files by Using .gitignore
After removing the sensitive files from Git history, it’s crucial to prevent them from being committed again by adding them to .gitignore.
Step 1: Update Your Repository
Ensure you’re working with the latest version of your repository:
git pull
Step 2: Add .env to .gitignore
Add .env to your .gitignore file to prevent it from being committed in the future:
.env
Step 3: Commit and Push the Changes
Stage and commit the .gitignore file:
git add .gitignore
git commit -m "Add .env to .gitignore"
Push the changes to GitHub:
git push
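The following script is an added example, not code from the original guide or from the BFG project. It ties both procedures above together on a throwaway repository: it commits a constructed fake secret in .env, runs the history check from Steps 4 and 7, rewrites history, performs the Step 6 cleanup, and then verifies that the .gitignore entry actually stops a recreated .env from being staged. Because BFG is a separate Java download, the rewrite step uses Git’s built-in filter-branch as a stand-in for bfg --delete-files .env; the checks before and after are the same ones you would run around BFG. It assumes git is installed; the commit identity and the API key value are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original guide. Builds a throwaway repository
# with a constructed .env, runs the guide's history check, rewrites history
# with Git's built-in filter-branch as a stand-in for BFG (a separate Java
# download), runs the guide's Step 6 cleanup, and then proves that the
# .gitignore entry keeps a recreated .env from being staged.
set -eu

# Commit identity for the throwaway repo (constructed, not real people).
export GIT_AUTHOR_NAME=example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=example GIT_COMMITTER_EMAIL=example@example.invalid

# Create a repo whose first commit leaks a fake key, then (as in Step 3)
# delete the file from the working tree and commit the deletion.
# Prints the repository path.
make_leaky_repo() {
  dir=$(mktemp -d)
  git -c init.defaultBranch=main -C "$dir" init -q
  printf 'API_KEY=EXAMPLE_NOT_A_REAL_KEY\n' > "$dir/.env"   # constructed secret
  printf 'hello\n' > "$dir/README"
  git -C "$dir" add .
  git -C "$dir" commit -q -m "initial commit with leaked .env"
  git -C "$dir" rm -q .env
  git -C "$dir" commit -q -m "remove .env from working tree"
  printf '%s\n' "$dir"
}

# Steps 4 and 7: number of commits on any ref that add, change or remove the
# path. Anything above zero means the file is still recoverable from history.
history_hits() {          # usage: history_hits <repo> <path>
  git -C "$1" rev-list --all -- "$2" | grep -c . || true
}

# Steps 5 and 6 stand-in: drop the path from every commit on every ref, delete
# the backup refs filter-branch leaves under refs/original/ (they would keep
# the old commits reachable), then expire the reflog and garbage-collect
# exactly as the guide's Step 6 does.
purge_path() {            # usage: purge_path <repo> <path>
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f --index-filter \
    "git rm --cached --ignore-unmatch -q '$2'" -- --all >/dev/null 2>&1
  for ref in $(git -C "$1" for-each-ref --format='%(refname)' refs/original/); do
    git -C "$1" update-ref -d "$ref"
  done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now --aggressive
}

# Second procedure: append a pattern to .gitignore and commit it.
add_to_gitignore() {      # usage: add_to_gitignore <repo> <pattern>
  printf '%s\n' "$2" >> "$1/.gitignore"
  git -C "$1" add .gitignore
  git -C "$1" commit -q -m "Add $2 to .gitignore"
}

# Verification for the .gitignore step: prints "ignored" if Git would refuse
# to stage the path, "not ignored" otherwise.
ignore_status() {         # usage: ignore_status <repo> <path>
  if git -C "$1" check-ignore -q "$2"; then echo ignored; else echo "not ignored"; fi
}

# Run the whole sequence and report: hits before the purge, hits after it,
# and the ignore status of a recreated .env.
demo() {
  repo=$(make_leaky_repo)
  before=$(history_hits "$repo" .env)
  purge_path "$repo" .env
  after=$(history_hits "$repo" .env)
  add_to_gitignore "$repo" .env
  printf 'API_KEY=EXAMPLE_NOT_A_REAL_KEY\n' > "$repo/.env"   # recreated locally
  status=$(ignore_status "$repo" .env)
  rm -rf "$repo"
  echo "before=$before after=$after recreated-file=$status"
}

demo
```

Before the purge, history_hits reports 2 because both the commit that added .env and the commit that deleted it touch the path, which is exactly what the git log --stat --all -- .env search in Step 4 lists. After the purge it reports 0, the "no results" that Step 7 expects. On a real repository you would replace the purge_path call with bfg --delete-files .env followed by the two Step 6 commands, and the checks around it stay the same.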
Conclusion: Keep Your Git History Clean and Secure
By following these steps, you can completely remove sensitive files from Git history using BFG Repo-Cleaner and prevent them from being re-added by using .gitignore. This not only improves your project’s security but also ensures that you’re following best practices in Git repository management.