Removing sensitive information from git history

Captions
Hi, this is Ryan Orsinger with removing sensitive information from git history. Every so often, uh, this happens to folks, so we need a way out of this following scenario. Imagine that you or somebody on your team has committed a file with something secret and sensitive inside of it to your git history. This could be passwords, SSH key, API key. Either way, these credentials are toast. They're completely compromised at this point. So let's, let's start fixing this. The first thing you need to do is obviously go into whatever system this is, change your password immediately, uh, immediately lock off access to anybody who's managed to get a copy of this, of this git repo and its history.

Okay, the first thing a lot of folks think to do is: let's delete the file. So we're going to delete the file locally, we'll add that file, we'll commit the fact that we deleted it, "remove secrets text credentials", and we no longer have that file locally. And when we push to our remote here, things look good at first. But as Shakira says, my commits don't lie, and when we look at the history of commits, we see that while the file is no longer in the current version of, the latest version of the repo, we see that the history is still there. We see that the original commit that accidentally sent up those comp-, those credentials, compromising them, is still in history.

Okay, so, uh, how do we get this fixed? So we're going to say "how to remove a password from git history". That's, that's a great search to do, and look, hey, GitHub documentation. On the GitHub documents, uh, documentation here, we've got two different tools. There's an open source tool called the BFG Repo-Cleaner. I don't feel like installing that right now, so I'm going to use a filter-branch. It's a, it's a tool built into git, so let's use that.

All right, so we've removed that file from the file system. Again, when we look at the git log, we see that those commits are still there: "accidentally committed the secrets". Let's check out main and make sure that we've got, uh, a latest and greatest version of this repository, okay, locally. And the documentation says, using filter-branch, make sure you've got a fresh clone if you don't have a local version already, then move into that repository. And here's a nice little command that we're going to run with the filter-branch. We can copy this and we'll put this in a nice little text editor. Uh, these, uh, forward slashes at the end are, are there to keep us from having a new line character breaking everything, so let's kind of get all of that on one line if we can: git filter branch force index filter git rm cached ignore path. And the documentation says "path to your file with sensitive data" should be replaced with the path and file name. So that, my file name was in the current folder, secrets.txt. It was in the main folder here of this repository, so I'm going to copy that. And just like the documentation says, path your file with sensitive data, so if you're, if your sensitive file with sensitive data is in a subfolder, subfolder, you got to provide the path in there.

Okay, let's go and run this from our, from our terminal. We get a warning that there are a lot of gotchas with git filter-branch. Feel comfortable that we're running a command given to us from good documentation. Okay, this claims that the, we get a message that the rewrite of these two commits, these two commits that touched that file, happened. I don't want to take, uh, take it, take anything on faith. So we see that we've got the current file system right now, and the main, and the tip of the branch is, is removed. But when we look at the git history, we see that these two commits, remember I had two different commits here, a commit for adding that secrets.txt and another commit for deleting that secrets.txt, those are gone. So we have rewritten history, git history, locally. So there's not a commit I can check out, and if I try and, gosh, if I try and grab this, this rewrite right here, or grab the, the first commit, git checkout that commit, right, it, we see that that can, that, that history is there but that file is no longer there. That's fabulous.

Okay, what next? Let's pull out the docs. We overrided, I'm sorry, we overwrote history, right, and now we need to make sure that if we use, uh, secrets.txt again in this repository, that it is git-ignored, and we'll, we will be creating a .gitignore file to do that. To create a .gitignore file: echo the file name, secrets.txt, in quotes, double angle bracket, into .gitignore. Okay, that creates a .gitignore file which tells git, hey git, ignore this. So we've got to add, commit and push that .gitignore.

Here's what we do after we've made our commits for the .gitignore and filter the branch: we do git push origin force all. Let's copy that right out of the docs. And I don't have any tags on this project, but if you had any tags on this project, you would do the same thing to remove mentions of that sensitive file, or the file with sensitive information, from, from your tags. Okay, and so after we git push origin double dash force tags and push origin double dash force all branches, what we see on the repo, folks, check this out, this is beautiful: when we go to our commits, those commits that contain the password are gone. So even if we look at, through the history, we can't see them. They're gone. We only see the program, we only see the readme, we only see the license, and that's it. Your repo is now safe. And at this point, because our .gitignore exists with that appropriate file name inside, uh, we can now create a secrets.txt file or move a secrets.txt file into this repo, and then it will be completely ignored, and we won't have any risk of adding it or committing it or pushing it. My name is Ryan Orsinger. Thanks so much. Happy coding.
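The procedure narrated above, as an added example that is not from the video: it builds a constructed throwaway repository with a dummy secret, runs `git filter-branch` in the form GitHub's documentation gives, and goes one step beyond the narration by checking that the old commits stay reachable locally through `refs/original/` and the reflog until those are dropped. The repository contents, commit messages and helper function names are assumptions made for the demo.

```bash
# Added example. Throwaway repo and dummy secret are constructed for the demo.
set -eu
export FILTER_BRANCH_SQUELCH_WARNING=1   # skip filter-branch's warning pause
SECRET_PATH="secrets.txt"

build_demo_repo() {                      # $1 = directory for the demo repo
  git init -q "$1" && cd "$1"
  git symbolic-ref HEAD refs/heads/main
  git config user.email "demo@example.invalid"
  git config user.name "Demo"
  echo "print('hello')" > program.py
  git add program.py && git commit -q -m "add program"
  echo "password=constructed-dummy-value" > "$SECRET_PATH"
  git add "$SECRET_PATH" && git commit -q -m "accidentally committed the secrets"
  git rm -q "$SECRET_PATH" && git commit -q -m "remove secrets.txt credentials"
}

# Count commits reachable from the given refs that touch the secret path.
commits_touching() { git rev-list "$@" -- "$SECRET_PATH" | wc -l | tr -d ' '; }
purge_path() {                           # command form from GitHub's docs
  git filter-branch --force --index-filter \
    "git rm --cached --ignore-unmatch $SECRET_PATH" \
    --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
}

# filter-branch keeps the old commits under refs/original/ and in the reflog,
# so the blob stays in the local object store until both are dropped.
drop_backups() {
  git for-each-ref --format='%(refname)' refs/original/ |
    while read -r ref; do git update-ref -d "$ref"; done
  git reflog expire --expire=now --all
  git gc -q --prune=now
}

blob_present() { git cat-file -e "$1" 2>/dev/null && echo yes || echo no; }

build_demo_repo "$(mktemp -d)/repo"
SECRET_BLOB="$(git rev-parse "HEAD~1:$SECRET_PATH")"
BEFORE="$(commits_touching main)"        # the add commit and the delete commit
purge_path
AFTER_BRANCH="$(commits_touching main)"  # rewritten branch
AFTER_ALL="$(commits_touching --all)"    # includes refs/original/
BLOB_BEFORE_GC="$(blob_present "$SECRET_BLOB")"
drop_backups
BLOB_AFTER_GC="$(blob_present "$SECRET_BLOB")"
echo "$SECRET_PATH" >> .gitignore && git add .gitignore
git commit -q -m "ignore $SECRET_PATH"
echo "before=$BEFORE branch=$AFTER_BRANCH all=$AFTER_ALL blob: $BLOB_BEFORE_GC -> $BLOB_AFTER_GC"
# Then publish the rewrite: git push origin --force --all
#                           git push origin --force --tags
```

Other clones and forks keep their own copies of the old objects, which is why rotating the credential comes before any history rewrite.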
Info
Channel: Ryan Orsinger
Views: 384
Rating: 5 out of 5
Id: liCAFV8Rmbs
Length: 6min 43sec (403 seconds)
Published: Thu Apr 08 2021