Secret scanning detected leaks — what’s the correct remediation workflow?

[minhthuy05]

🏷️ Discussion Type

Question

Body

I recently had GitHub secret scanning detect a leaked credential in my repository. I revoked the secret immediately, but I’m not fully confident that I handled everything correctly.

What is the recommended remediation workflow after a secret leak?

Is revoking and rotating the credential enough, or should I also rewrite Git history to remove it completely?
Are there best practices to ensure the secret is fully removed from forks and caches?
How can I prevent similar leaks in the future (e.g., pre-commit hooks, GitHub features)?

I’d appreciate any guidance or real-world best practices. Thanks!

[sangtn13]

Hi there,

🚨 SECRET LEAK RESPONSE CHECKLIST

🔴 1. Immediate Response

• Revoke the exposed secret immediately (API key, token, password)
• Rotate the secret (generate a new one)
• Check logs / usage to detect any abuse (API calls, billing spikes, etc.)

---

🧹 2. Clean Repository History

Option 1 (Recommended - git filter-repo)

git filter-repo --path <file-containing-secret> --invert-paths

Option 2 (BFG Repo-Cleaner)

bfg --delete-files <file>

Push cleaned history

git push --force

• Ensure the secret is removed from all commits
• Force push the cleaned repository

---

⚠️ 3. Handle Exposure Outside Repo

• Check and handle forks (contact maintainers if needed)
• Assume anyone who cloned before cleanup may still have the secret
• Do not rely on deletion alone — always rotate credentials

---

🛡️ 4. Prevent Future Leaks

GitHub Security Features

• Enable Secret Scanning
• Enable Push Protection

Local Protection

• Install pre-commit hooks (e.g., gitleaks, detect-secrets)
• Add sensitive files to .gitignore (e.g., .env)

Best Practices

• Never hardcode secrets in source code
• Use environment variables
• Use secret managers (AWS Secrets Manager, Vault, etc.)

---

🧠 Key Principles

• Revoke = stop immediate damage
• Clean history = reduce exposure
• Prevention = avoid future incidents

⚠️ Always assume leaked secrets are fully compromised, even if exposure was brief.

Hope this helps!

[minhthuy05]

Thank you so much for the detailed and clear explanation! 🙏

This checklist really helped me understand the proper workflow after a secret leak, especially the importance of cleaning Git history and not just revoking the credential.

I also appreciate the prevention tips — I’ll definitely start using pre-commit hooks and enable push protection to avoid this in the future.

Thanks again for your help! 🚀