Security Basics

The Danger of Hardcoded Credentials

EnvShareApp Team · Jan 22, 2026 · 6 min read

It starts innocently. You are testing an API, so you hardcode the `API_KEY` in your code. "I'll delete it before pushing," you promise yourself.

Three hours later, you `git commit -am "wip"` and push to GitHub.
Game over.


Why `git rm` Isn't Enough

Git is designed to never forget: even if you delete the file in the next commit, the secret lives on in the `.git` history. Bots scrape GitHub's public event feed in real time, and AWS keys are often compromised within seconds of being pushed.

The "TruffleHog" Reality

Attackers use tools like `trufflehog` and `gitleaks` to scan millions of repos. They don't just look at the latest version; they look at every diff in history.

How to Fix It

1. Rotate Immediately

If you pushed a key, assume it is compromised. Do not try to hide it. Revoke it in your provider (AWS, Stripe, etc.) and generate a new one.

2. Scrub History (BFG Repo-Cleaner)

If you must clean the repo (e.g., to remove a file with 100 secrets), use BFG.

```bash
# BFG leaves your latest commit untouched by default, so remove .env from HEAD and commit before running it.
bfg --delete-files .env
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# The rewrite only reaches GitHub once you force-push the cleaned branches.
git push --force
```

3. Use Pre-Commit Hooks

Prevent the mistake from happening again. Use `pre-commit` to scan your changes before you commit.
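A minimal hook of the kind step 3 describes, as an added example rather than EnvShareApp's or the pre-commit project's code: it scans the staged diff for the AWS access key id shape and for quoted values assigned to key/secret/token/password names, with a Shannon entropy gate so word-like placeholders do not block the commit. Rule names, the threshold and the sample diff are assumptions; the AKIA value is the example key id AWS publishes in its documentation.

```python
"""Pre-commit hook: fail the commit when staged changes add credential-looking lines.
Added example, not EnvShareApp's or pre-commit's own code; install as .git/hooks/pre-commit."""
import math
import re
import subprocess
import sys
from collections import Counter
# AWS access key ids have a fixed shape; the assignment rule is a heuristic for other providers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]([^'\"]{16,})['\"]"),
}
# Bits per character: English-like words score ~3, random hex ~3.8, random base62 ~4.5 or more.
ENTROPY_THRESHOLD = 3.5

def shannon_entropy(s: str) -> float:
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def find_secrets(diff_text: str) -> list[tuple[str, str]]:
    """Return (rule, line) for added lines only; removed lines and the +++ header are ignored."""
    findings = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for name, pat in PATTERNS.items():
            m = pat.search(body)
            # Assigned values that read like words (placeholders such as CHANGE_ME) are let through.
            if not m or (name == "assigned_secret" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD):
                continue
            findings.append((name, body.strip()))
            break
    return findings
# Constructed staged diff; the AKIA value is AWS's documented example key id, not a live one.
SAMPLE_DIFF = """\
+++ b/config.py
-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
+DB_PASSWORD = "REPLACE_ME_BEFORE_USE"
"""
def main() -> int:
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True, check=True).stdout
    findings = find_secrets(diff)
    sys.stderr.write("".join(f"blocked by {name}: {text}\n" for name, text in findings))
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run against `SAMPLE_DIFF`, the hook flags the AWS key id and the hex API key, ignores the removed `OLD_KEY` line and the file header, and lets the `DB_PASSWORD` placeholder through.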

The Proper Workflow: EnvShareApp

Never hardcode. Never commit `.env` files. Instead, share necessary secrets via ephemeral links.

  1. Developer A creates secret on EnvShareApp.
  2. Developer A sends link to Developer B (Slack/Email).
  3. Developer B opens link, copies to local `.env`.
  4. Link auto-destructs. No trace left in chat logs.

Clean Up Your Workflow

Stop committing secrets. Start sharing them securely.