Git Secret Cleaning

What to do if you find any secrets inside your repo with gitleaks

  1. Install BFG:

    brew install bfg
    
  2. Do a mirror clone:

    git clone --mirror git@ssh.dev.azure.com:v3/simplifi-ed/Terraform%20CI-CD/Terraform%20CI-CD clean_secret
    
  3. Identify the secret:

    gitleaks detect --source . -v
    
    Finding:     "client_id": "m61dc06a0-93c0-4545-a17a-cdffee3e084c"
    Secret:      "m61dc06a0-93c0-4545-a17a-cdffee3e084c"
    RuleID:      generic-api-key
    Entropy:     3.773684
    File:        terraform_helm/terraform.tfstate
    Line:        100
    Commit:      31da5c8172521288d2faa636a43da950ae312c48
    Author:      Youba
    Email:       youba@itchallenge.fr
    Date:        2023-01-08T14:59:50Z
    Fingerprint: 31da5c8172521288d2faa636a43da950ae312c48:terraform_helm/terraform.tfstate:generic-api-key:100
    
  4. The gitleaks output gives us the two pieces of information we need:

    • The secret is in this file => terraform_helm/terraform.tfstate
    • The commit id is 31da5c8172521288d2faa636a43da950ae312c48
  5. Destroy!

    So we can destroy it properly:

    # BFG matches on the file name only (a pattern containing '/' is rejected), so pass
    # terraform.tfstate rather than the full path reported by gitleaks.
    # --no-blob-protection also rewrites the current HEAD commit, which BFG leaves untouched by default.
    bfg --delete-files terraform.tfstate --no-blob-protection clean_secret
    # then:
    
    cd clean_secret
    git reflog expire --expire=now --all && git gc --prune=now --aggressive
    git push # optional at this point; when you do push, add --force, because the rewritten refs are not fast-forwards
    
  6. Make sure the whole team is aware of the change, and that nobody pushes the old commits back from a stale clone.
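As an added example that is not part of the original page: a POSIX shell helper for the procedure above. It takes a gitleaks finding in the layout shown in step 3, pulls out the File and Commit fields, derives the bare file name that BFG expects for `--delete-files` (BFG matches on file name only and refuses a pattern containing `/`), and, after the cleanup, counts the commits on any ref whose diff still touches the secret, which should be zero once the BFG, `reflog expire` and `gc` steps have run. The finding text, the secret value and the commit id are constructed placeholders, and `make_demo_repo` builds a throwaway repository only to show the check firing; `git` on PATH and POSIX awk/sed are assumed.

```shell
#!/bin/sh
# Added helper (not from the original page): parse a gitleaks finding, derive the
# argument BFG needs, and verify after cleaning that the secret is gone from
# every ref. All values below are constructed samples, not real credentials.

# Constructed sample in the same layout as `gitleaks detect -v` prints a finding.
SAMPLE_FINDING='Finding:     "client_id": "00000000-0000-4000-8000-EXAMPLE00001"
Secret:      "00000000-0000-4000-8000-EXAMPLE00001"
RuleID:      generic-api-key
Entropy:     3.773684
File:        terraform_helm/terraform.tfstate
Line:        100
Commit:      0123456789abcdef0123456789abcdef01234567
Author:      example
Email:       example@example.invalid
Date:        2023-01-08T14:59:50Z
Fingerprint: 0123456789abcdef0123456789abcdef01234567:terraform_helm/terraform.tfstate:generic-api-key:100'

# finding_field NAME  (finding text on stdin) -> prints the value after "NAME:".
finding_field() {
    awk -v key="$1:" '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# finding_secret (stdin) -> the secret with the quotes gitleaks kept from the
# matched text stripped off, so it can be fed to `git log -S`.
finding_secret() {
    finding_field Secret | sed 's/^"//; s/"$//'
}

# bfg_target_from_finding (stdin) -> the name to pass to `bfg --delete-files`.
# BFG matches on file *name* only and rejects patterns containing '/', so the
# directory part of the gitleaks File field has to be dropped.
bfg_target_from_finding() {
    finding_field File | sed 's#.*/##'
}

# secret_commit_count REPO SECRET -> number of commits, across all refs, whose
# diff adds or removes the secret. Expected to be 0 after BFG + reflog expire + gc.
secret_commit_count() {
    git -C "$1" log --all --format=%H -S"$2" 2>/dev/null | awk 'END { print NR }'
}

# make_demo_repo DIR -> throwaway repo with one commit containing the sample
# secret (constructed; simulates the state gitleaks reported in step 3).
make_demo_repo() {
    git -c init.defaultBranch=main init -q "$1"
    mkdir -p "$1/terraform_helm"
    printf '{ "client_id": "%s" }\n' "$(printf '%s\n' "$SAMPLE_FINDING" | finding_secret)" \
        > "$1/terraform_helm/terraform.tfstate"
    git -C "$1" add terraform_helm/terraform.tfstate
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid commit -q -m "demo state"
}

# Stand-alone demo: show the BFG argument and the pre-cleanup count (1 commit).
if command -v git >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_demo_repo "$tmp"
    secret=$(printf '%s\n' "$SAMPLE_FINDING" | finding_secret)
    printf 'commit to clean:   %s\n' "$(printf '%s\n' "$SAMPLE_FINDING" | finding_field Commit)"
    printf 'bfg --delete-files %s\n' "$(printf '%s\n' "$SAMPLE_FINDING" | bfg_target_from_finding)"
    printf 'commits touching the secret: %s\n' "$(secret_commit_count "$tmp" "$secret")"
    rm -rf "$tmp"
fi
```

Run `secret_commit_count` against the mirror clone after step 5 and before `git push --force`; a non-zero result means some ref (a tag, or the HEAD commit if `--no-blob-protection` was omitted) still carries the secret. Rewriting history only removes git's copy of the value; the credential itself has been exposed and still has to be rotated with its provider.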