DEV Community 👩‍💻👨‍💻

Cover image for Removing a .env file from Git history
Chris Bongers
Chris Bongers

Posted on • Originally published at daily-dev-tips.com

Removing a .env file from Git history

I'm sure this happens to everyone sometimes. You accidentally pushed a file with secrets or a password that shouldn't have gotten into the Git history.

In the following example, I "accidentally" pushed my .env file to Git simply because I forgot to add it to me .gitignore file.

Removing a secret file from Git history

Note: If you accidentally pushed secret keys to a repo, you should always revoke them and generate fresh keys!

Removing the file right away

The best thing to do now is to remove the file right away and add it to your .gitignore file.

In my case, I added the following to the .gitignore.

# Secret file
.env
Enter fullscreen mode Exit fullscreen mode

Let's try and push that to see what happens.

Gitignore doesn't work on existing files

Yep, the .gitignore file doesn't untracked already committed changes. So how can we fix this now?

Removing a file from Git only

You can remove a file from Git by running the following command.

git rm -r --cached .env
Enter fullscreen mode Exit fullscreen mode

If we then push this change, you will see that the file is gone in GitHub.

Removing a file from Git

However, this didn't completely solve our issue. If we look at our Git history, we can still find the file and expose the secrets!

Exposing secrets through Git history

Completely remove a file from Git history

To remove the file altogether, we can use the following command.

git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD
Enter fullscreen mode Exit fullscreen mode

You will get some warnings about this messing up your history as this goes through your whole history and 100% removes its occurrence.

To push this, you have to run the following command.

git push --force
Enter fullscreen mode Exit fullscreen mode

If we look at our history, we can still see the commits that include this .env file, but the content is empty.

Fully removed file in Git

Few, thanks for having our back Git!

You can find the repo it tried this in on GitHub.

Thank you for reading, and let's connect!

Thank you for reading my blog. Feel free to subscribe to my email newsletter and connect on Facebook or Twitter

Top comments (19)

Collapse
 
raulbarriga profile image
raulbarriga

This is the most succinct and direct guide I've ever read on this issue!. Thank you so much! I have to save this now for future reference.

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

Glad it helped 💖

Collapse
 
pedropenduko profile image
Rommel Laranjo • Edited on

Thanks Chris! This saves me from future troubles.

Collapse
 
drishit96 profile image
Drishit Mitra

I tried this on my repository, got the same result on GitHub.
However, I found a small gotcha. If you put the file name in commit message like 'Add .env' and you do git log --all --grep='.env', then you get 2 commits pointing to it. One is the old commit and the other one is the new rewritten commit.
And if you copy the old commit id and search it in GitHub, then you will be able to see the content of the file.
Even if you don't put the name of the file in the commit msg, there's still a possibility of an attacker going through all the commits and finding the .env file.

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

Wow, nice catch Drishit!

Didn't think that far ahead to be honest!
So well done on exposing this, def worth while fixing that as well.

Collapse
 
pervezc profile image
Pervez Choudhury

Good article - you should add a paragraph about needing to rotate the secrets that were checked since they have now been publicly exposed (albeit briefly)

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

I've added a small note for that :)

Forgot it in the initial draft.

Collapse
 
juanvqz profile image
Juan Vasquez

I guess, we should take into account the affected commits will change their SHA it will cause conflicts with already cloned repositories, doesn’t it?

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

Good question actually!

Not to sure how it behaves on cloned repo's.

Collapse
 
mrgnth profile image
Thomas Schmitt

Oh this will mess up the history of the repo real good and anybody who tries to pull force-pushed commits will get errors. But if anyone is pushing secrets to a central branch that a team is pulling from, that team has bigger problems anyway.

Thread Thread
 
juanvqz profile image
Juan Vasquez

The solution that I have in picture is just notify the team to wait for the fix then do the “pull —force”, because as you said it’s an important security fix then all will be sync and can work.

Thread Thread
 
dailydevtips1 profile image
Chris Bongers Author

Unfortunately things like this (maybe not a .env file) but a hardcoded secret perhaps? might ever be committed and even pass a PR.

Mistakes are human, and agree once this happens you should notify the team and work on getting this sorted right away and make sure everyone is up to date in source again.

Collapse
 
vigo profile image
Uğur "vigo" Özyılmazel

brew install bfg

Collapse
 
ishakmohmed profile image
Mohmed Ishak

Perfect, I've been looking for this my entire life. 😭

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

Glad it helps Mohmed! 🎉

Collapse
 
abh1navv profile image
Abhinav Pandey

Nice article as usual Chris! 👏

Have you thought about linking all the Git articles into a series? I think that would be helpful for someone who lands on them in the future.

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

Good point Abhinav.

Always forget to do that as it's automatic on my blog!
Doing it right now! 👀

Collapse
 
leon0824 profile image
Leon

As long as a repo is private or local, a .env file could be commit into the repo.

Collapse
 
dailydevtips1 profile image
Chris Bongers Author

I would also urge to not do that.
What happens when you decide to introduce someone else, sell the project or code gets leaked?

🌚 Friends don't let friends browse without dark mode.

Sorry, it's true.