Remove sensitive information from your Git repository

We've all done this. You're working on your side project without a care in the world. And before you know it, your code and git history are littered with API tokens, passwords and your own personal information!

Removing information from your repository can be done with plain git commands, but it's a pain and very error-prone. Luckily, other people thought the same and created tools such as git-filter-repo (on GitHub). With this tool you can search for any sensitive information in your git repository's history and replace it with any text you like.

WARNING: Rewriting your git history is inherently dangerous, and can mess things up royally for your entire team. Make sure you know what you're doing and that everyone is informed properly.

TLDR

Execute the following commands in a temporary directory:

#!/bin/zsh
export URL_TO_REPO="https://example.com/your/repository.git"
export TO_REDACT="YOUR_API_TOKEN\nYOUR_PERSONAL_INFO\nYOUR_PASSWORD"
# printf %b expands the \n escapes into separate lines (unlike a bare echo in bash)
printf '%b\n' "$TO_REDACT" > redact.txt
# work on a fresh mirror clone, never on your working repository
git clone --mirror "$URL_TO_REPO" repository-mirror
curl -O https://raw.githubusercontent.com/newren/git-filter-repo/refs/heads/main/git-filter-repo
cd repository-mirror
# redact.txt and the script live in the parent (temporary) directory
python3 ../git-filter-repo --replace-text ../redact.txt
# git-filter-repo drops the origin remote; re-add it and overwrite all refs
git remote add origin "$URL_TO_REPO"
git push --force --mirror origin
cd ..
# redact.txt contains the secrets in clear text, so remove it together with the rest
rm -rf redact.txt git-filter-repo repository-mirror/

Step-by-step

1. Create a redaction file

Create a text file with the sensitive information that you want to redact, one entry per line. An entry without a replacement is replaced by ***REMOVED***; append ==> to choose your own replacement string (an empty one deletes the match):

ASDFGHJKLQWERTYUIOPZXCVBNM
1234AB==>0000ZZ
t0pS3cr37==>

We'll use the above file named redact.txt to tell git-filter-repo what to do:

printf '%s\n' 'ASDFGHJKLQWERTYUIOPZXCVBNM' '1234AB==>0000ZZ' 't0pS3cr37==>' > redact.txt

2. Make a clean copy of the repository

To be safe, we don't want to work in our regular repository directly. Instead we make a mirror clone and run git-filter-repo on that.

git clone --mirror https://example.com/your/repository.git repository-mirror

3. Get the script

You can follow the instructions in the repository's documentation, or you can download the relevant Python script directly.

curl -O https://raw.githubusercontent.com/newren/git-filter-repo/refs/heads/main/git-filter-repo

4. Replace all the sensitive information!

Use the Python script to redact all sensitive information according to your redaction file, from within the mirrored repository directory. Note that --replace-text rewrites file contents only; a secret that ended up in a commit message needs git-filter-repo's separate --replace-message option.

cd repository-mirror
python3 ../git-filter-repo --replace-text ../redact.txt

Now, double-check your work before pushing, for example by searching the rewritten history for each of the original strings. It's easy to make a mistake here, and you don't want to keep one.
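As an added example (not git-filter-repo's own code), a small Python dry-run helper that parses the same replace-text line format git-filter-repo documents (literal lines, regex: and glob: prefixes, an optional ==> replacement, ***REMOVED*** as the default) and applies it to sample content, so you can test a redaction file before rewriting history and scan blobs afterwards. The redaction rules and the sample blob below are constructed for illustration.

```python
import fnmatch
import re

DEFAULT_REPLACEMENT = b"***REMOVED***"   # what git-filter-repo substitutes when a line has no ==>


def parse_replace_text(text: bytes):
    """Parse a --replace-text file into (literals, regexes), each a list of (pattern, replacement)."""
    literals, regexes = [], []
    for line in text.splitlines():
        if not line:                      # blank lines are skipped (a simplification in this helper)
            continue
        replacement = DEFAULT_REPLACEMENT
        if b"==>" in line:
            line, replacement = line.split(b"==>", 1)   # an empty right-hand side deletes the match
        if line.startswith(b"regex:"):
            regexes.append((re.compile(line[6:]), replacement))
        elif line.startswith(b"glob:"):   # globs become regexes, as the tool does
            regexes.append((re.compile(fnmatch.translate(line[5:].decode()).encode()), replacement))
        else:
            literals.append((line, replacement))
    return literals, regexes


def redact(content: bytes, rules) -> bytes:
    """Apply the rules to one blob's content: literal rules first, then regex rules."""
    literals, regexes = rules
    for literal, replacement in literals:
        content = content.replace(literal, replacement)
    for regex, replacement in regexes:
        content = regex.sub(replacement, content)
    return content


def leftover(content: bytes, rules) -> list:
    """Rules that still match: run this over blobs after the rewrite as the double-check."""
    literals, regexes = rules
    hits = [lit for lit, _ in literals if lit in content]
    hits += [rx.pattern for rx, _ in regexes if rx.search(content)]
    return hits


# Constructed sample: the redaction file from this post plus one regex rule, and a blob holding each secret
RULES = parse_replace_text(
    b"ASDFGHJKLQWERTYUIOPZXCVBNM\n1234AB==>0000ZZ\nt0pS3cr37==>\nregex:ghp_[0-9A-Za-z]{6}==><GITHUB-TOKEN>\n"
)
SAMPLE_BLOB = b"token=ASDFGHJKLQWERTYUIOPZXCVBNM\nzip=1234AB\npw=t0pS3cr37\ngh=ghp_abc123\n"

if __name__ == "__main__":
    cleaned = redact(SAMPLE_BLOB, RULES)
    print(cleaned.decode())
    print("still matching after rewrite:", leftover(cleaned, RULES))
```

Feed real blob contents (for example from git cat-file on each object in the rewritten mirror) to leftover() to confirm nothing slipped through.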

5. Push the changes!

git-filter-repo removes your origin remote to remind you that rewriting your git history is dangerous. But since you've already gone this far, we can re-add it and push the rewritten refs over the old ones!

git remote add origin https://example.com/your/repository.git
git push --force --mirror origin

6. Cleanup!

Make sure to get rid of redact.txt, since that's full of sensitive info in clear text! Or do a full cleanup:

cd ..
rm -rf git-filter-repo redact.txt repository-mirror/

Conclusion

With git-filter-repo you can easily remove sensitive information from your entire git repository… carefully! Treat any secret that was ever committed as compromised though: rewriting history makes it harder to find, but existing clones, forks and the hosting server's caches may still hold the old commits, so rotate the token or password as well.

Happy cleaning!