Removing a .env file from Git history

I'm sure this happens to everyone sometimes. You accidentally pushed a file with secrets or a password that shouldn't have gotten into the Git history.

In the following example, I "accidentally" pushed my .env file to Git simply because I forgot to add it to me .gitignore file.

Note: If you accidentally pushed secret keys to a repo, you should always revoke them and generate fresh keys!

Removing the file right away

The best thing to do now is to remove the file right away and add it to your .gitignore file.

In my case, I added the following to the .gitignore.

# Secret file
.env

Let's try and push that to see what happens.

Yep, the .gitignore file doesn't untracked already committed changes. So how can we fix this now?

Removing a file from Git only

You can remove a file from Git by running the following command.

git rm -r --cached .env

If we then push this change, you will see that the file is gone in GitHub.

However, this didn't completely solve our issue. If we look at our Git history, we can still find the file and expose the secrets!

Completely remove a file from Git history

To remove the file altogether, we can use the following command.

git filter-branch --index-filter "git rm -rf --cached --ignore-unmatch .env" HEAD

You will get some warnings about this messing up your history as this goes through your whole history and 100% removes its occurrence.

To push this, you have to run the following command.

git push --force

If we look at our history, we can still see the commits that include this .env file, but the content is empty.

Few, thanks for having our back Git!

You can find the repo it tried this in on GitHub.

Thank you for reading, and let's connect!

Thank you for reading my blog. Feel free to subscribe to my email newsletter and connect on Facebook or Twitter