Here's how to remove sensitive data, like certificate files or passwords in your files, from your git repo and history with BFG Repo-Cleaner.
1. Remove the sensitive files and secrets from your code and commit changes
Note that, by default, BFG doesn't modify the contents of your latest commit. So, remove the sensitive files and secrets from your code, commit the changes and ensure that your latest commit is clean with none of the undesired data in it before proceeding.
2. Install BFG
You can download a JAR from the site. If you're on Mac, brew install bfg should suffice.
3. Clone a fresh copy of your repo, using the --mirror flag:
# Example
$ git clone --mirror git://example.com/my-repo.git
4. Clean sensitive files
Use --delete-files to nuke files in your repo history.
# Examples
$ bfg --delete-files certificate.p12 my-repo.git
$ bfg --delete-files keystore.jks my-repo.git
# Quote glob patterns so the shell passes them to BFG unexpanded
$ bfg --delete-files 'id_{dsa,rsa}' my-repo.git
$ bfg --delete-files '*.{txt,log}' my-repo.git
Note that the specified name matches on file name, not on path within repo. So $ bfg --delete-files path/to/certificate.p12 my-repo.git won't work.
5. Clean sensitive strings
Use --replace-text to clean strings from your repo history. Each string will be rewritten as "***REMOVED***" by default. This is a two-step process.
5.1. Create a file with a new line for each string you want to remove
Create a simple text file however you'd like.
# Example
echo "password123" >> passwords.txt
echo "123password" >> passwords.txt
5.2. Run the command
Run bfg --replace-text referencing the file you just created.
# Example
$ bfg --replace-text passwords.txt my-repo.git
6. Take a look at your new history
Enter the folder of the git repo and make sure your history has been updated.
# Example
$ cd my-repo.git
# Use git commands to examine the history
$ git log
$ git show HEAD
$ git show HEAD~1
$ git show d89bb58
(You won't see the physical files of your working tree if you list files in this directory, since we did a bare/mirror clone, in case you were wondering.)
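One way to make the check in step 6 mechanical, as an added example (not code from the original post or from the BFG project): a shell function that searches every commit reachable from any ref for the strings listed in passwords.txt. It assumes each line of that file is a plain literal string; the function name scan_history is made up for this example.

```shell
# Added example: scan all reachable history for leftover secrets.
# Usage: scan_history <repo-dir> <secrets-file>
# Prints "<commit>:<path>" for every file that still contains one of the
# strings (the secret itself is never echoed).
# Returns 0 if history is clean, 1 if anything was found, 2 on bad input.
scan_history() {
    repo=$1
    secrets=$2
    pats=$(mktemp) || return 2
    # Drop blank lines: an empty fixed-string pattern would match every line.
    grep -v '^[[:space:]]*$' "$secrets" > "$pats" || { rm -f "$pats"; return 2; }
    found=0
    # rev-list --all walks every commit reachable from any branch or tag,
    # which works in a bare/mirror clone as well as a normal one.
    for commit in $(git -C "$repo" rev-list --all); do
        # -l: list matching paths only, -F: fixed strings, -f: patterns from file
        if hit=$(git -C "$repo" grep -l -F -f "$pats" "$commit"); then
            printf '%s\n' "$hit"
            found=1
        fi
    done
    rm -f "$pats"
    return "$found"
}

# Typical call from the directory that holds the mirror clone:
#   scan_history my-repo.git passwords.txt && echo "history is clean"
```

A hit on the newest commit means step 1 was skipped, since BFG leaves the contents of the latest commit alone by default.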
7. Strip out the unwanted dirty data
Once satisfied with the state of the history, clean up those sensitive files, which git now considers unnecessary.
$ git reflog expire --expire=now --all && git gc --prune=now --aggressive
8. Push
Finally, once you're happy with the updated state of your repo, push it back up and you're done!
$ git push
If you're with a team, have everyone ditch their old copies of the repo and do fresh clones.
Thanks for following along. Cheers!