What Happens When You Commit a Secret to Git (and How to Fix It)
Why git history is permanent, how to clean it with git-filter-repo, rotating keys, and prevention
It happens to everyone eventually. You're moving fast, you add a file you shouldn't have, and suddenly your Stripe secret key is sitting in a git commit. Maybe you caught it immediately. Maybe you didn't notice for weeks.
Either way, this is a "stop what you're doing and fix it now" situation. Let's walk through exactly what happens and exactly how to fix it.
Why This Is a Big Deal
When you commit a secret to git and push it, several things are now true:
-
The secret is in your git history permanently. Deleting the file in a new commit doesn't help. The old commit still contains the secret. Anyone who clones the repo can see every historical commit.
-
If the repo is public, bots found it already. Automated scanners monitor GitHub in real time. Within minutes of pushing a
This lesson is part of the Guild Member curriculum. Plans start at $29/mo.