In a nutshell:
1. Just in case, make a backup of your repo.
2. Download the bfg-1.13.0.jar file from https://rtyley.github.io/bfg-repo-cleaner/ and copy it to the project folder.
3. Then create a passwords.txt file and write in it the password you want to remove from the repository.
4. Run the following commands:
java -jar bfg-1.13.0.jar --replace-text passwords.txt
git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push --force
If you have inadvertently committed confidential data, e.g. passwords, there is a way to delete this information from the git commit history. I use BFG Repo-Cleaner, which you can download from: https://rtyley.github.io/bfg-repo-cleaner/
Before any steps, please make a backup of your repo to ensure you don’t lose anything.
I will show example commits and a solution for dealing with them. For example, in your project you have the file appsettings.json, and in ConnectionStrings you wrote the password and then committed it. Even if you changed it in the next commit, your password still remains in the history.
So at the beginning we have Password=MyVeryOwnPaS$721

After the first commit on GitHub:

Then I updated the file with a new password: Password=123456789

After the second commit on GitHub (the old password is visible):

I downloaded the bfg-1.13.0.jar file (https://rtyley.github.io/bfg-repo-cleaner/) and copied it to my project folder. Then I created a passwords.txt file and wrote in it the password that I want to remove.

The password “MyVeryOwnPaS$721” that I want to find in my repo and remove:

Next, run the command (java -jar bfg-1.13.0.jar --replace-text passwords.txt) to replace all passwords listed in the passwords.txt file with the “***REMOVED***” string wherever they occur in your repository:

In the console output we can see the name of the file that had our password and this file will be changed.

Next, run the command (git reflog expire --expire=now --all && git gc --prune=now --aggressive) to expire the reflog and garbage-collect the old objects, so that the rewritten data is actually deleted from the local repository:

Also, a BFG report with full details is logged in a newly created folder:

This folder contains three files, so there too we can check which files contained our password:

Now we can remove the bfg-1.13.0.jar and passwords.txt files.
The last command (git push --force) pushes our changes to the repo:

So we can check that commits from history were changed:

‘Git init’ commit, Password=***REMOVED***:

‘Updated appsettings.json’ commit, also Password=***REMOVED***:
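
The same check can be done from the command line instead of browsing commits. The script below is an added example, not part of the original post or of BFG; the function names are assumptions made for illustration. It looks for the password both in commits reachable from any ref and in every blob still stored in the object database, which is what the reflog expire and gc step is meant to empty.

```sh
#!/bin/sh
# Added example: confirm a secret is gone after a history rewrite.
# Function names are illustrative, not part of git or BFG.

# reachable_hits REPO SECRET
# Print every commit reachable from any ref whose tree contains SECRET.
reachable_hits() {
    git -C "$1" rev-list --all | while read -r commit; do
        if git -C "$1" grep -q -F -e "$2" "$commit" -- 2>/dev/null; then
            echo "$commit"
        fi
    done
}

# object_hits REPO SECRET
# Print every blob in the object database that contains SECRET, including
# blobs no ref points to any more (kept alive by the reflog until gc).
object_hits() {
    git -C "$1" cat-file --batch-all-objects \
        --batch-check='%(objecttype) %(objectname)' |
    while read -r type oid; do
        [ "$type" = blob ] || continue
        if git -C "$1" cat-file blob "$oid" | grep -q -F -e "$2"; then
            echo "$oid"
        fi
    done
}

# secret_is_gone REPO SECRET
# Succeeds only when neither check finds the secret.
secret_is_gone() {
    [ -z "$(reachable_hits "$1" "$2")" ] && [ -z "$(object_hits "$1" "$2")" ]
}

# Stand-alone use: sh check.sh /path/to/repo 'the-secret'
if [ "$#" -eq 2 ]; then
    if secret_is_gone "$1" "$2"; then
        echo "clean"
    else
        echo "secret still present"
        exit 1
    fi
fi
```

A clean result covers only this local clone; other clones and forks keep the old objects until they are re-cloned or rewritten, so the exposed password should still be changed.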

That’s all, I hope this post will help someone.