Azure Tips and Tricks - Remove Azure Secrets committed to GitHub
Remove Azure Secrets committed to GitHub
Remove passwords committed to GitHub on accident
Writing code day after day means secrets, connection strings and more get added to your code accidentally. And if you are like me, they get committed to your GitHub repo and then you have to live in shame. =) In this post, I'll walk you through removing secrets from a GitHub repo that you've already committed the secret to.
Part 1 - Initial setup:
Scenario: You have committed a password with the value of qph@}uC,7cGLBdsX to your GitHub repo. This password should be confidential and not stored in the code.
How do you fix it?
- Ensure you have the repo on your local disk or clone a fresh copy with HTTPS or SSH. I'll use SSH
git clone [email protected]:mbcrump/crumpbot.gitas a sample. - Clone a copy of your repo that has the secret stored using the mirror option, like the following
git clone --mirror [email protected]:mbcrump/crumpbot.git. - You'll now have a BARE repo. CD into it with
cd crumpbot.gitand runls -lto list out the contents on macOS ordiron Windows.
Below is an example of my repo.
Part 2 - Create a file of passwords that you'd like to remove:
- Create a
passwords.txtfile and place and enter the passwords that you'd like to remove from your GitHub repo.
I created mine on macOS with touch passwords.txt or echo some-text > passwords.txt on Windows and added the password that I accidentally committed:
- Save the file.
Part 3 - Install BFG:
Enter BFG (opens new window). According to the author:
BFG is a simpler, faster alternative to git-filter-branch for cleansing bad data out of your Git repository history: Removing Crazy Big Files Removing Passwords, Credentials & other Private data
- Install BFG with
brew install bfgassuming you have Homebrew installed and using a Mac or download the JAR file if you are on Windows.
Part 4 - Clean up the passwords previously committed:
-
Run
bfg --replace-text passwords.txt crumpbot.giton Mac orjava -jar bfg.jar --replace-text passwords.txt crumpbot.gitif using the JAR file. -
Below is output from that command:
Part 5 - Pushing to GitHub:
- Run
git reflog expire --expire=now --all && git gc --prune=now --aggressiveas indicated by the output. - Run
git pushto push it to your repo.
Part 6 - Wrap-up and verify your repo was updated successfully:
If you go back to your GitHub repo and look at prior commits, then you should see REMOVED like the following:
I hope this helps someone out there and if you want to stay in touch then I can be found on Twitch, Twitter or GitHub.
Create a trial account today and go and check it out!
Published on:
Learn moreRelated posts
Shrinking Azure Pipeline task extensions using esbuild
TL;DR We bundled an internal Azure Pipelines task extension into a single bundled JavaScript file using esbuild. The task package dropped from...
Building on Vercel’s eve + Azure Cosmos DB: An Agent That Remembers
Most “AI agent” demos forget everything the moment the process exits. That’s fine for a toy project, but useless for anythin...
Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)
We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...
See our new Azure Cosmos DB Design Patterns
Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...
Need a different partition key in Azure Cosmos DB? Pick the right approach
Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...
Azure SDK Release (June 2026)
Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...
Fundamentals of Azure DevOps with SQL projects
Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...