Gitleaks – Scan for secrets
https://github.com/gitleaks/gitleaks
BFG Repo Cleaner Tool
Download the tool from: https://rtyley.github.io/bfg-repo-cleaner
Setup alias for the BFG tool:
alias bfg="java -jar /xyz/bfg.jar"
To remove secrets completely:
Replace every secret listed in a file with ***REMOVED*** wherever it occurs in the repository history (each line is a literal; prefix a line with 'regex:' or 'glob:' if it is a pattern rather than a literal):
$ bfg --replace-text secrets.txt
$ git reflog expire --expire=now --all && git gc --prune=now --aggressive
$ git push -f
Rotate the secret anyway: rewriting history does not recall it from existing clones, forks or CI logs.
To remove false positives:
1) Use .gitleaksignore <-- This did not work for me
2) Use #gitleaks:allow
For 2), put each false positive in secrets.txt as "xyz"==>"xyz" #gitleaks:allow, i.e. SEARCH==>REPLACE format: the text is kept as-is and the appended #gitleaks:allow marker makes gitleaks skip that line.
$ bfg --replace-text secrets.txt
$ git reflog expire --expire=now --all && git gc --prune=now --aggressive
$ git push -f
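To build secrets.txt from a gitleaks JSON report instead of by hand, here is an added Python helper (not part of this note, gitleaks or BFG). It assumes the report entries carry "Secret" and "Fingerprint" fields; real findings become bare literal lines (scrubbed to ***REMOVED***), and fingerprints you mark as false positives become SEARCH==>SEARCH #gitleaks:allow lines as above.

```python
import json
from typing import Iterable, List

# Constructed sample of a gitleaks JSON report; the "Secret" and "Fingerprint"
# field names are assumed from gitleaks' report schema, the values are fake.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-key", "Secret": "AKIAFAKEFAKEFAKEFAKE",
     "File": "config/prod.env", "Fingerprint": "fp-1"},
    {"RuleID": "generic-api-key", "Secret": "not-a-real-key",
     "File": "docs/example.md", "Fingerprint": "fp-2"},
    {"RuleID": "aws-access-key", "Secret": "AKIAFAKEFAKEFAKEFAKE",
     "File": "scripts/deploy.sh", "Fingerprint": "fp-3"},
])


def gitleaks_to_bfg(report_json: str, allow_fingerprints: Iterable[str] = ()) -> List[str]:
    """Turn a gitleaks report into lines for `bfg --replace-text secrets.txt`.

    A bare line is a literal that BFG replaces with ***REMOVED***. A line of the
    form SEARCH==>REPLACE keeps the text and appends the #gitleaks:allow marker so
    gitleaks stops reporting a confirmed false positive (the marker lands on the
    same line as the match, which is what gitleaks checks; make sure a trailing
    '#' comment is valid in that file type).
    """
    allow = set(allow_fingerprints)
    scrub, keep = set(), set()
    for finding in json.loads(report_json):
        secret = finding.get("Secret", "")
        # Skip empties and anything BFG would mis-split on its own '==>' separator.
        if not secret or "==>" in secret or "\n" in secret:
            continue
        (keep if finding.get("Fingerprint") in allow else scrub).add(secret)
    # The same string flagged as both a real secret and a false positive is scrubbed:
    # the hardened choice when one value appears in two places.
    keep -= scrub
    lines = sorted(scrub)
    lines += [f"{s}==>{s} #gitleaks:allow" for s in sorted(keep)]
    return lines


def write_secrets_file(path: str, lines: List[str]) -> int:
    """Write the BFG expressions file; returns the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    for line in gitleaks_to_bfg(SAMPLE_REPORT, allow_fingerprints={"fp-2"}):
        print(line)
```

Feed the output to `bfg --replace-text secrets.txt`, then run the reflog/gc/push steps above; the scrubbed secret still has to be rotated.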