GITHUB

No Secrets in Git

Even private repos get leaked. Use environment variables for all API keys.

The Secret In Your Commit History

Git never forgets. Even if you delete a file, add it to .gitignore, or overwrite a line in your code — if that secret was ever committed, it exists in your git history. Anyone with access to the repository (now or in the future) can run git log -p and find it.

This isn't hypothetical. GitHub scans repositories for credentials continuously and notifies companies when their secrets are exposed. Millions of API keys are leaked via public repos every year.

How It Happens

  1. Developer adds STRIPE_SECRET_KEY=sk_live_xxx directly in code to "test quickly"
  2. They commit and push
  3. They realize the mistake, delete the line, commit again
  4. The secret is now gone from the current file but permanently in the git history
  5. The repo is later made public, sold, transferred, or compromised

The Correct Pattern: Environment Variables

API keys, database passwords, tokens — everything sensitive goes in environment variables. Never in code.

Local development:

# .env file (ALWAYS in .gitignore)
STRIPE_SECRET_KEY=sk_live_xxx
DATABASE_URL=postgres://user:pass@localhost/mydb

In code:

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);

In production:

Set environment variables through your hosting platform (Vercel, Railway, AWS Secrets Manager, etc.) — never in the codebase.
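The pattern above, as an added example that is not from the original page: a small Node.js loader that reads the two variables from the page's .env sample out of process.env, refuses to start when one is missing or blank, and redacts values before they reach a log line. The Stripe constructor shown in a comment is a hypothetical stand-in for the page's one-liner; the sample environment is constructed and contains no real credentials.

```javascript
// Added example (not the page's code): read secrets from the environment,
// fail fast if any are missing, and never put the raw values in log output.

// Variable names taken from the page's .env sample.
const REQUIRED = ["STRIPE_SECRET_KEY", "DATABASE_URL"];

// Build a frozen config object from an environment map (process.env by default).
// Throws before anything else starts if a required variable is absent or blank,
// naming the variable but never echoing a value.
function loadConfig(env = process.env) {
  const missing = REQUIRED.filter(
    (k) => typeof env[k] !== "string" || env[k].trim() === ""
  );
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  return Object.freeze({
    stripeSecretKey: env.STRIPE_SECRET_KEY,
    databaseUrl: env.DATABASE_URL,
  });
}

// Keep only a short prefix (enough to tell test keys from live ones) for logs.
function redact(value, keep = 7) {
  if (typeof value !== "string") return "[unset]";
  return value.length <= keep
    ? "*".repeat(value.length)
    : value.slice(0, keep) + "...";
}

// Strip the credential part of a connection URL so it can be logged safely.
function redactUrl(url) {
  try {
    const u = new URL(url);
    if (u.username) u.username = "***";
    if (u.password) u.password = "***";
    return u.toString();
  } catch {
    return "[invalid url]";
  }
}

// Constructed sample environment; these are not real credentials.
const SAMPLE_ENV = {
  STRIPE_SECRET_KEY: "sk_test_constructedexample0000",
  DATABASE_URL: "postgres://user:pass@localhost/mydb",
};

const cfg = loadConfig(SAMPLE_ENV);
console.log("stripe key:", redact(cfg.stripeSecretKey)); // sk_test...
console.log("database:", redactUrl(cfg.databaseUrl));
// Hypothetical client construction, mirroring the page's one-liner:
// const stripe = new Stripe(cfg.stripeSecretKey);
```

The point of the early throw is that a deployment with a missing variable dies at startup with a clear message rather than running with an undefined key, and the redaction helpers mean a crash report or debug log never becomes a second copy of the secret.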

If You've Already Leaked a Secret

  1. Rotate it immediately — invalidate the old key and generate a new one. Assume the old one is compromised.
  2. Check your access logs — see if the exposed key was used by anyone other than you
  3. Remove it from history using git filter-branch or BFG Repo Cleaner — but this doesn't help if the repo was already public or cloned; the rotation in step 1 is what actually contains the leak
  4. Add a pre-commit hook to prevent future leaks (tools: git-secrets, trufflehog, gitleaks)

Scanning Your Repos

Run trufflehog or gitleaks against your repos periodically:

docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog git file:///repo

One scan, one hour, could find credentials you forgot existed.
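Step 4 of the list above and the periodic scan are the same idea at two points in time: look for credential-shaped strings before they are committed, or after the fact across history. The following is an added example, not the page's code and not a substitute for gitleaks or trufflehog: a Node.js script with a few illustrative patterns that inspects only the added lines of a unified diff, masks any match before reporting it (so the hook output does not itself leak the value), and can be wired into .git/hooks/pre-commit. The sample diff is constructed; the key values in it are placeholders.

```javascript
// Added example (not the page's code, and no substitute for gitleaks or
// trufflehog): scan the added lines of a unified diff for credential-shaped
// strings, for use from a pre-commit hook or a one-off check.

// Illustrative rules only; real scanners ship hundreds of these.
const RULES = [
  { name: "stripe-live-key", re: /sk_live_[0-9A-Za-z]{24,}/ },
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  // Generic NAME=value / name: value with a long opaque value.
  {
    name: "generic-credential",
    re: /(?:api[_-]?key|secret|token|password)\s*[=:]\s*["']?[A-Za-z0-9_\-]{16,}/i,
  },
];

// Mask all but a short prefix so hook or CI output never echoes the full value.
function mask(line, re) {
  return line.replace(re, (m) => m.slice(0, 6) + "*".repeat(m.length - 6));
}

// Walk a unified diff and test every ADDED line ("+" but not the "+++" file
// header) against each rule. Removed lines are ignored, so deleting a leaked
// value does not block the commit that cleans it up.
function findSecrets(diffText) {
  const findings = [];
  let file = "(unknown)";
  for (const line of diffText.split("\n")) {
    if (line.startsWith("+++ ")) {
      file = line.slice(4).replace(/^b\//, "");
      continue;
    }
    if (!line.startsWith("+")) continue;
    const added = line.slice(1);
    for (const rule of RULES) {
      if (rule.re.test(added)) {
        findings.push({ file, rule: rule.name, preview: mask(added.trim(), rule.re) });
      }
    }
  }
  return findings;
}

// For a pre-commit hook: diff the index against HEAD and scan it.
function scanStaged() {
  const { execSync } = require("node:child_process");
  const diff = execSync("git diff --cached", { encoding: "utf8" });
  return findSecrets(diff);
}

// Constructed sample diff; the key values are placeholders, not real secrets.
const SAMPLE_DIFF = [
  "diff --git a/config.js b/config.js",
  "--- a/config.js",
  "+++ b/config.js",
  '+const stripe = new Stripe("sk_live_' + "x".repeat(24) + '");',
  '+const region = "us-east-1";',
  '-const old = "sk_live_' + "y".repeat(24) + '";', // a removal: not flagged
  "diff --git a/.env b/.env",
  "--- /dev/null",
  "+++ b/.env",
  "+DATABASE_PASSWORD=hunter2hunter2hunter2",
].join("\n");

const demo = findSecrets(SAMPLE_DIFF);
for (const f of demo) console.log(`${f.file}: ${f.rule}: ${f.preview}`);
// prints two findings: config.js (stripe-live-key) and .env (generic-credential)
```

To use it as a hook, save the script in the repo, replace the demo call at the bottom with `process.exit(scanStaged().length === 0 ? 0 : 1)`, and call it from .git/hooks/pre-commit; a non-zero exit blocks the commit. Note that a hook only guards new commits: it does nothing about secrets already in history, which is why the periodic full-history scan with trufflehog or gitleaks above still matters.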

The Voice of Cash delivers professional security audits and hands-on implementation.