Remove sensitive data from the GIT repository

GIT, 2015-06-17 00:07:57 UTC

Suppose you have committed several times and did not notice that you pushed sensitive data to the repository. Adding the file to .gitignore afterwards has no effect on the server repository: the file can still be traced in the history, and others can see your sensitive data.

Here are the alternatives for removing sensitive data from your repository.

Using push --force command

A simple way to remove sensitive data from your repository is the --force option. This option overwrites what is on the repository server with your local history, so it only helps when the sensitive commits are already gone from your local history. It can also be bad for other project collaborators. If you don't mind replacing everything in the repository, run this command:

$ git push --force

But there is another alternative that removes just the sensitive data from the repository: git filter-branch combined with git rm.

Using filter-branch

Below are the steps for removing sensitive data using filter-branch:

1. Change directory to your cloned Git repository.

2. Run git filter-branch, forcing (--force) Git to process, but not check out (--index-filter), the entire history of every branch and tag (--tag-name-filter cat -- --all), removing the specified file ('git rm --cached --ignore-unmatch config/database.yml') and any empty commits generated as a result (--prune-empty). Note that you need to specify the path to the file you want to remove, not just its filename.

$ git filter-branch --force --index-filter 'git rm --cached --ignore-unmatch config/database.yml' --prune-empty --tag-name-filter cat -- --all

3. Don't forget to add the file to .gitignore

$ nano .gitignore



4. Dereference the old objects: delete the backup refs under refs/original, expire the reflog, and garbage-collect

$ git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin
$ git reflog expire --expire=now --all
$ git gc --prune=now

5. Make sure all of the sensitive data has been removed from your local repository; then you can push to your repository server

$ git push origin --force --all

6. Tell your collaborators to rebase.
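One way to do the check in step 5 before pushing, as an added example that is not part of the original post. The function names, the throwaway repository and the fake password are constructed for the demo; the script runs steps 2 and 4 on that repository and then confirms that neither the path nor the leaked blob object survives.

```shell
# Return 0 if any commit reachable from any ref still touches <path>.
path_in_history() {  # usage: path_in_history <repo> <path>
    [ -n "$(git -C "$1" log --all --format=%H -- "$2")" ]
}

# Return 0 if the object (for example the leaked blob) is still in the object store.
object_exists() {  # usage: object_exists <repo> <sha>
    git -C "$1" cat-file -e "$2" 2>/dev/null
}

# Build a constructed throwaway repo whose first commit leaks config/database.yml.
make_sample_repo() {  # usage: make_sample_repo <dir>
    git init -q "$1" &&
    git -C "$1" config user.email demo@example.invalid &&
    git -C "$1" config user.name demo &&
    mkdir -p "$1/config" &&
    echo "password: constructed-demo-value" > "$1/config/database.yml" &&
    echo "hello" > "$1/README" &&
    git -C "$1" add -A && git -C "$1" commit -q -m "initial" &&
    echo "more" >> "$1/README" &&
    git -C "$1" commit -q -am "second"
}

# Steps 2 and 4 of the procedure above (path must not contain spaces here).
scrub_path() {  # usage: scrub_path <repo> <path>
    (
        cd "$1" || exit 1
        FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --force \
            --index-filter "git rm -q --cached --ignore-unmatch $2" \
            --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1 || exit 1
        git for-each-ref --format='delete %(refname)' refs/original |
            git update-ref --stdin
        git reflog expire --expire=now --all
        git gc -q --prune=now
    )
}

# Demo: scrub the constructed repo, then prove the path and its blob are gone.
demo() {
    d=$(mktemp -d) && make_sample_repo "$d/repo" || return 1
    blob=$(git -C "$d/repo" rev-parse HEAD:config/database.yml)
    scrub_path "$d/repo" config/database.yml || return 1
    if path_in_history "$d/repo" config/database.yml || object_exists "$d/repo" "$blob"
    then echo "still present"; rc=1
    else echo "clean: path and blob are gone"; rc=0
    fi
    rm -rf "$d"; return "$rc"
}
demo
```

Record the blob id before rewriting, as the demo does; after the rewrite the path no longer resolves, so the id is the only way to confirm the object itself was pruned.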

Using the BFG

This method is simpler. It uses a Java application, the BFG Repo-Cleaner.

1. If you don't want to compile the source yourself, you can download the jar file here

2. Run the command. Note that --delete-files matches on the file name, not on a path inside the repository, so pass only the name:

$ java -jar bfg.jar --delete-files database.yml
