DEV Community


Removing a .env file from Git history

Chris Bongers on November 10, 2021

I'm sure this happens to everyone sometimes. You accidentally pushed a file with secrets or a password that shouldn't have gotten into the Git hist...

raulbarriga

This is the most succinct and direct guide I've ever read on this issue! Thank you so much! I have to save this now for future reference.


Chris Bongers

Glad it helped 💖


Rommel Laranjo

Thanks Chris! This saves me from future troubles.


Pervez Choudhury

Good article - you should add a paragraph about needing to rotate the secrets that were checked in, since they have now been publicly exposed (albeit briefly).


Chris Bongers

I've added a small note for that :)

Forgot it in the initial draft.


Drishit Mitra

I tried this on my repository, got the same result on GitHub.
However, I found a small gotcha. If you put the file name in the commit message, like 'Add .env', and you do git log --all --grep='.env', then you get 2 commits pointing to it. One is the old commit and the other one is the new rewritten commit.
And if you copy the old commit id and search for it on GitHub, then you will be able to see the content of the file.
Even if you don't put the name of the file in the commit message, there's still a possibility of an attacker going through all the commits and finding the .env file.
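
The gotcha above can be reproduced locally. The script below is an added example, not code from the article or from any commenter: it builds a throw-away repository with a constructed `.env` value, rewrites history with `git filter-branch` the way the article's cleanup step does, and then checks whether the old commit id still resolves and whether the `.env` blob is still reachable. The backup refs under `refs/original/` and the reflog are what keep the old commit alive, which is why `git log --all --grep` reports both commits until they are removed and unreachable objects are pruned. It assumes `git` is on the path (the `FILTER_BRANCH_SQUELCH_WARNING` variable only matters on Git 2.24 and newer, where it skips the filter-branch warning delay) and runs entirely in a temporary directory.

```shell
#!/bin/sh
# Added example: show that rewriting history does not, by itself, make the
# old commit (and the .env blob inside it) unreachable. Everything is local;
# the API_KEY value written to .env is constructed, not a real secret.
set -eu

# Number of objects named ".env" reachable from any ref or reflog entry.
count_env_blobs() {
    git rev-list --all --reflog --objects | grep -c ' \.env$' || true
}

# Number of commits whose message mentions ".env" (refs/original/ included).
count_env_commits() {
    git log --all --grep='\.env' --oneline | wc -l | tr -d ' '
}

# Runs the whole scenario and prints a one-line summary of the checks.
demo_env_removal() {
    command -v git >/dev/null 2>&1 || { echo "skipped: git not installed"; return 0; }
    (
        repo=$(mktemp -d)
        cd "$repo"
        git init -q .
        git config user.email "demo@example.invalid"
        git config user.name "demo"

        echo "# sample project" > README.md
        echo "API_KEY=constructed-sample-value-not-a-real-secret" > .env
        git add README.md .env
        git commit -q -m "Add project files and .env"
        old=$(git rev-parse HEAD)

        # Same intent as the article's cleanup step: rewrite every ref so that
        # .env was never tracked. filter-branch keeps a backup under refs/original/.
        FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f \
            --index-filter 'git rm --cached --ignore-unmatch -q .env' -- --all >/dev/null 2>&1

        # Gotcha: the old commit is still present, still listed by --all, and the
        # .env blob is still reachable through refs/original/ and the reflog.
        commits_before=$(count_env_commits)
        blobs_before=$(count_env_blobs)
        old_before=$(git cat-file -e "$old" 2>/dev/null && echo yes || echo no)

        # Actual cleanup: drop the backup refs, expire reflogs, prune unreachable objects.
        git for-each-ref --format='%(refname)' refs/original/ | while read -r ref; do
            git update-ref -d "$ref"
        done
        git reflog expire --expire=now --all
        git gc --prune=now -q

        commits_after=$(count_env_commits)
        blobs_after=$(count_env_blobs)
        old_after=$(git cat-file -e "$old" 2>/dev/null && echo yes || echo no)

        echo "before: commits=$commits_before blobs=$blobs_before old_commit=$old_before" \
             "| after: commits=$commits_after blobs=$blobs_after old_commit=$old_after"
        cd / && rm -rf "$repo"
    )
}

demo_env_removal
```

The "before" line shows two commits matching `.env`, one reachable `.env` blob and the old commit id still resolving; the "after" line shows one commit, no blob and an unresolvable id. This only cleans the local clone: a copy already pushed to a hosting service keeps the old objects until the host purges them, and anyone who fetched in between still has them, so the secret has to be rotated regardless of how thoroughly the history is scrubbed.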


Chris Bongers

Wow, nice catch Drishit!

Didn't think that far ahead to be honest!
So well done on exposing this, definitely worthwhile fixing that as well.


Juan Vasquez

I guess we should take into account that the affected commits will change their SHA; it will cause conflicts with already cloned repositories, won't it?


Chris Bongers

Good question actually!

Not too sure how it behaves on cloned repos.


Thomas Schmitt

Oh this will mess up the history of the repo real good and anybody who tries to pull force-pushed commits will get errors. But if anyone is pushing secrets to a central branch that a team is pulling from, that team has bigger problems anyway.


Juan Vasquez

The solution that I have in mind is just to notify the team to wait for the fix and then do the "pull --force", because, as you said, it's an important security fix; then all will be in sync and can work.


Chris Bongers

Unfortunately things like this (maybe not a .env file, but a hardcoded secret perhaps?) might still be committed and even pass a PR.

Mistakes are human, and I agree that once this happens you should notify the team, work on getting this sorted right away and make sure everyone is up to date with the source again.


Uğur "vigo" Özyılmazel

brew install bfg


Leon

As long as a repo is private or local, a .env file could be committed into the repo.


Chris Bongers

I would also urge you not to do that.
What happens when you decide to introduce someone else, sell the project or code gets leaked?


Mohmed Ishak

Perfect, I've been looking for this my entire life. 😭


Chris Bongers

Glad it helps Mohmed! 🎉


Abhinav Pandey

Nice article as usual Chris! 👏

Have you thought about linking all the Git articles into a series? I think that would be helpful for someone who lands on them in the future.


Chris Bongers

Good point Abhinav.

Always forget to do that as it's automatic on my blog!
Doing it right now! 👀


Simon Brown

Done this, but the file is still there if I look at the initial commit and at the commit I made to remove the file (last year).