DevSecOps: Scenario-Based Questions
99. What should you do if secrets are accidentally committed to a Git repository?
Committing secrets to Git poses immediate security risks β especially in public or shared repos. Prompt detection and remediation are critical to prevent unauthorized access or breaches.
π¨ Immediate Response
- Revoke the exposed secret (API key, password, token) immediately
- Notify relevant teams (security, DevOps, product owners)
- Audit logs for any unauthorized access using the secret
π§Ή Cleaning Up Git History
- Use tools like
git filter-repoorBFG Repo-Cleanerto remove secrets from all commits - Force-push cleaned history if itβs a private repo
- If public, consider rotating and invalidating the entire repo if needed
π‘οΈ Prevention Tools
- Git hooks or CI checks using tools like Gitleaks, TruffleHog
- Pre-commit scanners that block committing known patterns
- Enable secret scanning in GitHub, GitLab, or Bitbucket
β Best Practices
- Use environment variables or secret managers for sensitive data
- Audit repos regularly for secrets and credentials
- Train developers on secure handling and Git hygiene
π« Common Mistakes
- Revoking a secret but not removing it from Git β still visible
- Assuming private repos are safe from scans or leaks
- No monitoring for leaked secrets usage after exposure
π Final Insight
Secrets in Git are a high-risk situation β treat them like a breach. Automate prevention, react quickly, and educate your team to keep source code secure.