Created
April 3, 2025 13:16
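#######################################
# Scan the Git history of the current repository with git-secrets and, after
# interactive confirmation, remove the reported paths from every commit with
# git-filter-repo, then optionally force-push the rewritten history.
#
# Rewriting history does NOT revoke a leaked credential: anything that was
# ever pushed must be treated as compromised and rotated, because copies can
# remain in clones, forks and server-side caches.
#
# Globals:   none
# Arguments: none (reads two y/N confirmations from stdin)
# Outputs:   progress and findings on stdout
# Returns:   0 if nothing was found or the purge and push completed;
#            1 on missing tools, user abort, or a failed git command
#######################################
function git_purge_secrets() {
  local found_secrets confirm final_confirm entry
  local -a path_args=()

  # Ensure `git-secrets` and `git-filter-repo` are installed
  if ! command -v git-secrets &>/dev/null || ! command -v git-filter-repo &>/dev/null; then
    echo "Missing dependencies: install git-secrets and git-filter-repo first!"
    return 1
  fi

  echo "Scanning for secrets in Git history..."
  # NOTE(review): this keeps the last whitespace-separated field of every
  # matching output line and treats it as a path. Scanner output lines also
  # carry the matched content, so that field may be a fragment of the secret
  # itself rather than a file name, and a path containing spaces would be
  # truncated. Confirm against real `git secrets --scan-history` output
  # before trusting the list below.
  found_secrets=$(git secrets --scan-history 2>&1 \
    | grep -E 'file://|[a-f0-9]{40}' \
    | awk '{print $NF}' \
    | sort -u)

  if [[ -z "$found_secrets" ]]; then
    echo "No secrets found. You're clean!"
    return 0
  fi

  echo "Found potential secrets in history:"
  # The list may contain secret material (see note above); avoid running this
  # where terminal output is logged or shared.
  echo "$found_secrets"

  # Confirm before proceeding
  read -r -p "Do you want to purge these from Git history? (y/N): " confirm
  if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
    echo "Aborting..."
    return 1
  fi

  # Build the path list line by line instead of relying on unquoted word
  # splitting, so an entry such as `*` is never glob-expanded by the shell.
  while IFS= read -r entry; do
    [[ -n "$entry" ]] || continue
    echo "Removing $entry from history..."
    path_args+=(--path "$entry")
  done <<<"$found_secrets"

  # One rewrite pass for all paths. `--force` skips git-filter-repo's
  # fresh-clone safety check, so keep a backup clone before running this.
  if ! git filter-repo "${path_args[@]}" --invert-paths --force; then
    echo "git filter-repo failed; history was not fully rewritten."
    return 1
  fi

  # git-filter-repo removes the `origin` remote after rewriting, so the push
  # below cannot work until the remote has been added back deliberately.
  if ! git remote get-url origin &>/dev/null; then
    echo "Remote 'origin' is not configured (git filter-repo removes it). Re-add it and push manually."
    return 1
  fi

  echo "Forcing push to remote (DANGER: This rewrites history!)"
  read -r -p "Are you absolutely sure? This will alter remote history. (y/N): " final_confirm
  if [[ ! "$final_confirm" =~ ^[Yy]$ ]]; then
    echo "Skipping remote push."
    return 1
  fi

  git push origin --force --all || return 1
  git push origin --force --tags || return 1

  echo "Secrets purged. Remember to notify collaborators to re-clone!"
  echo "Rotate every exposed credential: rewriting history does not revoke it."
}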