DEV Community: Clay Pask

How I Built GitCleanse: A CLI Tool That Removes Secrets From Git History

Clay Pask — Sat, 21 Mar 2026 12:19:46 +0000

You committed a secret to git. Maybe an API key, a database password, a .env file that slipped through. It happens to everyone.

The bad news: deleting the file and pushing a new commit does not remove it. The secret is still there in git history, accessible to anyone who clones your repo.

I built GitCleanse to fix this.

What it does

GitCleanse is a CLI tool that scrubs secrets from your git history. Point it at a repo, tell it what to remove, and it rewrites history as if the secret was never there.

npx gitcleanse --repo ./my-project --pattern "AKIA[0-9A-Z]{16}"

It uses git filter-branch under the hood but wraps the messy parts in a clean interface. No more staring at git documentation trying to remember the exact incantation.

Why git delete is not enough

When you delete a file and commit, git records the deletion — but the old commits still exist. Anyone with access to your repo history can run git log and find the file in a previous commit.

This is why secret leaks are so dangerous even after you "fix" them. The fix only works if you:

Revoke and rotate the secret (always do this first)
Remove it from git history so it cannot be retrieved

GitCleanse handles step 2.

How it works

GitCleanse rewrites your git history by:

Identifying commits that contain the target secret or file
Rewriting each affected commit to remove the secret
Cleaning up refs and running garbage collection so the old data is not recoverable

After running it you will need to force-push to your remote. This is the expected behaviour — you are rewriting history.

The companion tool

GitCleanse pairs naturally with EnvGuard, which audits your .env files before commits and catches secrets before they reach git. EnvGuard is prevention. GitCleanse is the cure.

If you are reading this because something already leaked: revoke the secret first, then run GitCleanse, then switch to EnvGuard to make sure it never happens again.

Get it

GitCleanse is available on Gumroad for €15: https://incredibroxp.gumroad.com/l/hcunuf

One-time purchase, instant download.

Part of a series on building small developer tools. Also in this series: EnvGuard and ReadmeGen.

How I Built ReadmeGen: A CLI Tool That Writes Your README For You

Clay Pask — Sat, 21 Mar 2026 10:12:54 +0000

Every developer has that one (or ten) repos with no README. You know the project, you built it, but writing the docs always feels like a chore you will get to later. Later never comes.

I built ReadmeGen to solve this for myself. It is a CLI tool that scans your codebase and generates a professional README automatically.

What it does

Point it at any project directory and it:

Detects your language, framework, and dependencies from package files
Identifies the entry point and main purpose of the project
Generates a structured README with description, installation, usage, and license

One command. Done.

Why I built it

I was cleaning up side projects for my portfolio. Half had no README. The other half had a two-line placeholder from years ago.

Writing READMEs is tedious. The structure is always the same: description, install, usage, license. The only thing that changes is the content. So I automated it.

How it works

ReadmeGen reads your manifest files (package.json, requirements.txt, Cargo.toml) to understand the project. It uses heuristics to identify the entry point, scripts, and purpose. No AI, no API calls, no internet. Just static analysis and sensible templates.

The result

I have used it on 8 projects. Gets you 80 percent of the way there in seconds. The remaining 20 percent is a quick edit rather than staring at a blank page.

Get it

ReadmeGen is available on Gumroad for 9 EUR: https://incredibroxp.gumroad.com/l/jfryv

One-time purchase, instant download, no subscription.

Part of a series building small dev tools. Previous tool: EnvGuard (https://dev.to/clay_pask_53467eeab521893/how-i-built-envguard-a-cli-tool-to-stop-leaking-env-secrets-to-git-k45) which audits .env files for exposed secrets before they reach git.

I automated README writing — here's what it generates

Clay Pask — Sat, 21 Mar 2026 00:17:39 +0000

Every developer has done it. You finish a project, push it to GitHub, and then stare at the empty README.md for 20 minutes before writing "# my-project" and calling it a day.

A bad README costs you stars, contributors, and credibility. A good one takes forever to write. So I automated it.

What ReadmeGen does

ReadmeGen scans your project and generates a complete, structured README in seconds.

npm install -g readmegen
readmegen generate

It detects your stack automatically:

Node.js ‚Äî reads package.json, detects React/Vue/Next.js/Express, finds your scripts
Python ‚Äî detects requirements.txt or pyproject.toml
Go ‚Äî reads go.mod
Rust ‚Äî reads Cargo.toml

And generates:

Title with version and license badges
Description (pulled from package.json or existing README)
Table of contents
Features section (with placeholders to fill in)
Requirements with correct versions
Installation instructions (correct for your package manager)
Usage examples
Configuration table for environment variables
Docker setup (if you have a Dockerfile)
Test instructions (if you have a test script)
Contributing guide
License section

Example

Running it on a Node.js CLI tool:

$ readmegen generate

  üîç Detecting project type...
  üì¶ Detected: JavaScript / Express
  üìù Generating README...
  ‚úÖ README.md generated

  Tip: Fill in the Features section and add real usage examples.

Output:

# my-api

![Node.js](https://img.shields.io/badge/node-%3E%3D16-green) 
![Version](https://img.shields.io/badge/version-1.2.0-blue)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](...)

> A fast REST API built with Express

## Table of Contents
- [Features](#features)
- [Installation](#installation)
...

## Installation
git clone https://github.com/you/my-api.git
cd my-api
npm install

## Usage
npm start

Needs some filling-in for the features section, but the structure and boilerplate is done.

The 80/20 of README writing

A good README needs:

What it does ‚Äî one sentence, immediately
How to install it ‚Äî exact commands that work
How to use it ‚Äî a real example, not pseudocode
How to configure it ‚Äî env vars, config files
How to contribute ‚Äî if it's open source

ReadmeGen handles the structure and all the repetitive parts. You just fill in what only you know ‚Äî the actual features and examples.

Get it

‚Üí ReadmeGen on Gumroad ‚Äî ‚Ç¨9, one-time purchase

If you're building multiple projects, it pays for itself on the first README.

Your AWS keys are in git history — here's how to remove them

Clay Pask — Sat, 21 Mar 2026 00:16:04 +0000

GitHub just sent you a secret scanning alert. Or maybe you noticed your AWS bill jumped overnight. Either way, you've got credentials in your git history and you need them gone.

Here's the complete guide to removing secrets from git history ‚Äî and how to make sure it never happens again.

Why deleting the file isn't enough

This is the most common mistake:

git rm .env
git commit -m "remove env file"
git push

That removes the file from the current state of the repo. But anyone who clones it can still run:

git log -p | grep AWS_ACCESS_KEY

And see your secret in full. Every commit that ever contained your .env file is permanently stored in git history ‚Äî until you rewrite that history.

Step 1: Rotate your credentials immediately

Before doing anything else ‚Äî rotate the exposed credentials. Assume they're already compromised. AWS keys, Stripe keys, GitHub tokens ‚Äî rotate them all before proceeding.

Git history rewrites take time. The keys might already have been scraped.

Step 2: Check what's in your history

# Check if any .env files were ever committed
git log --all --full-history -- "*.env" ".env*"

# Search for specific patterns in history
git log -p --all | grep -E "AKIA[0-9A-Z]{16}"  # AWS keys
git log -p --all | grep -E "sk_(live|test)_"    # Stripe keys

Or use GitCleanse to do it automatically:

npm install -g gitcleanse
gitcleanse scan           # scans full history for secrets
gitcleanse check          # quick .env check

Step 3: Remove from history

Option A: git-filter-repo (recommended)

Install it first:

pip install git-filter-repo

Remove specific files:

git filter-repo --path .env --invert-paths --force
git filter-repo --path .env.production --invert-paths --force

Option B: BFG Repo Cleaner

# Install BFG
brew install bfg  # macOS

# Remove files
bfg --delete-files .env
git reflog expire --expire=now --all && git gc --prune=now --aggressive

Option C: git filter-branch (always available, slower)

git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch .env .env.production' \
  --prune-empty --tag-name-filter cat -- --all

git reflog expire --expire=now --all
git gc --prune=now --aggressive

Or generate these commands automatically:

gitcleanse clean --auto --output cleanup.sh
# Review cleanup.sh, then:
bash cleanup.sh

Step 4: Force push to remote

‚ö†Ô∏è Coordinate with your team first. This rewrites history ‚Äî everyone will need to re-clone.

git push origin --force --all
git push origin --force --tags

Step 5: Ask GitHub/GitLab to purge caches

Even after rewriting history, hosted services may cache old objects. Contact GitHub support or go to Settings ‚Üí Danger Zone and request a cache purge.

Step 6: Prevent it from happening again

Add to .gitignore:

.env
.env.*
!.env.example

Use EnvGuard as a pre-commit hook:

npm install -g envguard
# .git/hooks/pre-commit:
envguard audit --strict

It'll catch secrets before they're ever committed.

TL;DR

Rotate all exposed credentials immediately
Use git filter-repo to remove the file from history
Force push to remote
Ask GitHub to purge caches
Add .env to .gitignore and use a pre-commit hook

The whole process takes about 15 minutes once you know the steps. The pain is in not knowing them at 2am when the alert hits.

How I built EnvGuard: a CLI tool to stop leaking .env secrets to git

Clay Pask — Fri, 20 Mar 2026 23:59:01 +0000

It happened on a Tuesday morning.

I pushed a commit, went to get coffee, came back to find an AWS bill alert for $847. A crypto miner had been running on my dime for six hours ‚Äî because my .env file with real AWS keys had just been committed to a public GitHub repo.

I rotated the keys, cleaned up the history with git filter-branch, filed a support ticket with AWS (they were actually great about it), and spent the rest of the day feeling sick.

That was the day I decided to build EnvGuard.

What EnvGuard does

EnvGuard is a CLI tool that audits your .env files and catches dangerous secrets before they make it into git.

npm install -g envguard
envguard audit

It detects:

üî¥ AWS Access Key IDs and Secret Keys
üî¥ Stripe live/test secret keys
üî¥ GitHub tokens (ghp_, ghs_, ghx_, etc.)
üî¥ Slack tokens and webhook URLs
üî¥ Database URLs with embedded credentials (postgres://user:pass@host)
üî¥ PEM private keys
üü† JWT tokens
üü° Generic API keys
‚ö†Ô∏è Weak placeholder values (changeme, password, secret, etc.)

It also checks:

Whether your .env file is tracked by git (the big one)
Whether it's missing from .gitignore

Example output

‚ïî‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïó
‚ïë            EnvGuard Audit Report             ‚ïë
‚ïö‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïê‚ïù

  File: .env
  Variables found: 8
  Git tracked: ‚ö†Ô∏è  YES (danger!)
  In .gitignore: ‚ö†Ô∏è  No

  üî¥ [CRITICAL] This file is tracked by git!
     ‚Üí Fix: git rm --cached .env && echo ".env" >> .gitignore

  üî¥ [CRITICAL] Possible AWS Access Key ID in "AWS_ACCESS_KEY_ID" (line 4)
     ‚Üí Fix: Rotate this credential immediately if real

  ‚ö†Ô∏è  [WARN] Weak value for "JWT_SECRET": looks like a placeholder
     ‚Üí Fix: Replace with a strong, randomly generated value

Generate a safe .env.example

envguard example

Strips all values, leaves just the keys ‚Äî safe to commit as a template for your team.

CI / pre-commit hooks

# .git/hooks/pre-commit
envguard audit --strict

Exits with code 1 if any high/critical issues found. Stops the commit before it happens.

Why $12?

I'm selling it for $12 as a one-time purchase. Cheap enough that it's an obvious yes for any developer, and it keeps the lights on so I can keep improving it.

If you've ever had to rotate credentials at 2am or explain to your boss why the AWS bill tripled, you know it's worth it.

‚Üí Get EnvGuard on Gumroad ‚Äî $12, includes all future updates.

Feedback welcome in the comments ‚Äî especially if there's a secret type you want me to add detection for.