Removing Secrets from Git History with BFG Repo-Cleaner

Posted on Mar 25, 2025


When sensitive data accidentally gets committed to Git, removing it from history requires careful handling. BFG Repo-Cleaner provides a safer and faster alternative to git filter-branch.

The Complete Cleanup Process

1. Install BFG Repo-Cleaner

brew install bfg

2. Create a Full Backup

Critical first step: always back up before rewriting history:

cp -r xxx xxx-backup

3. Prepare Secrets List

Create a file with secrets to replace (outside your repository):

echo "password123" > secrets.txt

Add multiple secrets, one per line. BFG will replace each occurrence with “REMOVED”.

4. Run BFG Cleanup

bfg --replace-text ../secrets.txt

BFG operates on the .git directory and is much faster than git filter-branch for large repositories.

5. Clean Git Objects

Remove the rewritten objects from Git’s internal storage:

git reflog expire --expire=now --all
git gc --prune=now --aggressive

6. Force Push Changes

⚠️ Destructive Operation - coordinate with your team:

git push --force origin develop

Repeat for all branches that contained the secrets.
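The six steps above as one script. This is an added example, not code from the original post or from the BFG project: it wraps the post's commands in the two checks a practitioner would want, refusing to run when the secrets list sits inside the repository (step 3 requires it to be outside) and, after the garbage collection, searching every revision reachable from any ref for the listed secrets before anything is force-pushed. It assumes `git` and `bfg` are on PATH; the script name, the `BFG_CLEAN_RUN` guard variable and the argument layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post or the BFG project). Usage (hypothetical):
#   BFG_CLEAN_RUN=1 sh bfg-clean.sh ./xxx ../secrets.txt develop
# Nothing destructive runs unless BFG_CLEAN_RUN=1 is set.
set -u

# Step 3 check: the secrets list must live outside the repository tree.
# Returns 0 when it does, 1 when it is inside (or a path does not exist).
secrets_file_outside_repo() {
  repo_abs=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  secrets_dir=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
  case "$secrets_dir/" in
    "$repo_abs"/*) return 1 ;;   # same directory or a subdirectory of it
  esac
  return 0
}

# Verification for the "review to ensure complete removal" step: search every
# object reachable from any ref for any line of the secrets list. Exit 0 means
# a secret is still present. Matches are discarded so the secret is not echoed
# into terminal or CI logs. The list must contain no blank lines (a blank
# fixed-string pattern would match every line).
secrets_left_in_history() {
  secrets_abs=$(cd "$(dirname "$2")" && pwd -P)/$(basename "$2")
  ( cd "$1" && git rev-list --all | xargs git grep -F -f "$secrets_abs" ) \
    2>/dev/null | grep -q .
}

main() {
  repo=${1%/}; secrets=$2; branch=${3:-develop}
  secrets_abs=$(cd "$(dirname "$secrets")" && pwd -P)/$(basename "$secrets")
  secrets_file_outside_repo "$repo" "$secrets" || {
    echo "refusing: $secrets is inside $repo (or a path is missing)" >&2; exit 1; }
  cp -r "$repo" "$repo-backup" || exit 1                       # step 2
  bfg --replace-text "$secrets_abs" "$repo" || exit 1          # step 4
  ( cd "$repo" \
    && git reflog expire --expire=now --all \
    && git gc --prune=now --aggressive ) || exit 1             # step 5
  if secrets_left_in_history "$repo" "$secrets"; then
    echo "a listed secret is still reachable; not pushing" >&2; exit 1
  fi
  # step 6: repeat for every branch that carried the secret, as the post says
  ( cd "$repo" && git push --force origin "$branch" ) || exit 1
  rm -f "$secrets_abs"                                         # after cleanup
}

if [ "${BFG_CLEAN_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

The history search runs `git grep` over the output of `git rev-list --all`, which is the plain-Git way to ask "is this byte sequence anywhere in any reachable object"; the expire/gc pair before it matters, because until those run the old objects are still reachable from the reflog and the check would (correctly) still report them.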

Important Considerations

Before You Start:

  • Notify all team members - force pushing rewrites history
  • Ensure no one has pending work on affected branches
  • Consider the secrets already compromised - rotate them regardless

BFG Advantages:

  • 10-720x faster than git filter-branch
  • Simpler syntax and safer defaults
  • Preserves commit metadata better
  • Handles large repositories efficiently

After Cleanup:

  • Delete the secrets.txt file
  • Update any deployment keys or credentials
  • Review the rewritten history to confirm the secrets are gone
  • Consider adding pre-commit hooks to prevent future leaks
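A minimal pre-commit hook of the kind the last item suggests, as an added example that is not from the original post or from any of the tools it names. It inspects only the added lines of the staged diff against a few illustrative credential shapes (an AWS access key id prefix, a PEM private-key header, and a quoted literal assigned to a password-like name) and blocks the commit when one matches, reporting how many lines matched rather than the line itself so the secret is not copied into terminal or CI logs. The patterns are assumptions chosen for the example, and the hook only runs its `git diff` when installed under the name `pre-commit`.

```shell
#!/bin/sh
# Added example (not from the post). Install by copying to
# .git/hooks/pre-commit and marking it executable. Patterns are illustrative.
set -u

# One extended regex per line. Quoted in a heredoc so the quote characters
# inside the patterns need no shell escaping.
SECRET_PATTERNS=$(cat <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*["'][^"']{8,}["']
EOF
)

# Read a unified diff on stdin. Only added lines ("+...") are checked; the
# "+++ b/file" header and removed lines are skipped, so deleting a secret
# does not trip the hook. Returns 1 (block the commit) if anything matched.
scan_added_lines() {
  added=$(grep '^+' | grep -v '^+++ ') || true
  found=0
  old_ifs=$IFS
  IFS='
'
  set -f                      # patterns contain glob characters; no expansion
  for pat in $SECRET_PATTERNS; do
    count=$(printf '%s\n' "$added" | grep -E -i -c -e "$pat" || true)
    if [ "$count" -gt 0 ]; then
      echo "blocked: $count staged line(s) match /$pat/" >&2
      found=1
    fi
  done
  set +f
  IFS=$old_ifs
  return $found
}

# When invoked by git as the pre-commit hook, scan the staged changes.
if [ "${0##*/}" = "pre-commit" ]; then
  git diff --cached -U0 | scan_added_lines
fi
```

A client-side hook is a convenience, not a control: `git commit --no-verify` skips it, so it complements rather than replaces the server-side scanning mentioned under Alternative Approaches.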

Alternative Approaches

For more complex scenarios:

  • git-secrets: Prevents secrets from being committed
  • trufflehog: Scans for secrets in repository history
  • GitHub secret scanning: Automatic detection for public repos

Recovery Plan

If something goes wrong:

  1. Stop immediately
  2. Restore from your backup: rm -rf xxx && cp -r xxx-backup xxx
  3. Reassess your approach
  4. Consider professional Git recovery services for critical repositories

Remember: once secrets are in Git history, consider them compromised. The cleanup process prevents future exposure, but doesn’t undo past visibility.