Stupid title, right? You probably think it is obvious to not commit sensitive data to public repositories. Well, it is obvious—sort of.
If I asked you to commit your SSH key, your database username and password, or any other sensitive data, you would not do it under any circumstances. However, while you are reading this, at least one person is doing it right now.
There are almost 1 million results for "add password" on GitHub, see it yourself.
And if you did commit sensitive data to a public repository, chances are that your first thought would be to remove the sensitive data and commit the removal ASAP. That is exactly the point where you (would) make a mistake. 🙂
Most users remove their sensitive data in a commit with a message like "removed password" or "removed api key". These kinds of commits are the first things I—and others—search for when trying to find a vulnerability in a (public) repository. You get 350,000+ results if you search for "removed password" on GitHub, try it yourself.
What to do if you commit sensitive data to a public repository on GitHub?
- First things first: change your password. For example, if you committed your email password, change it. I would not be surprised—and neither should you—if there are bots out there which non-stop search for commits with "removed password" and save the content of the commit. Either way, there are people searching for it.
- Read the following guide from GitHub and do what it says: Removing sensitive data from a repository
Note: even if you accidentally commit sensitive personal data to a private repository, follow the above guide from GitHub. You never know whether your private repository will go public in the future. Remember that the git history will be there forever.
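Before you rotate anything and rewrite history, it helps to know exactly which secrets ever entered the history and which commits announce a leak. The script below is an added example, not code from the original post: it reads plain `git log -p` or `git log --oneline` output on stdin, and the credential patterns in it are illustrative assumptions rather than a complete list.

```shell
#!/bin/sh
# Added example, not code from the original post. Both functions read text
# on stdin so they can be piped from git or fed a constructed log offline.
# The credential patterns are illustrative assumptions, not an exhaustive
# list; dedicated scanners (gitleaks, trufflehog, GitHub secret scanning) go further.
#
# Usage against a real repository:
#   git log -p --all | find_added_secrets           # what leaked, where, in which commit
#   git log --oneline --all | find_cleanup_commits  # "removed password" style commits

# find_added_secrets: print "<short commit> <file> <added line>" for every
# line ever added to the history that looks like a credential. The regexes
# avoid interval expressions ({n,m}) so mawk, gawk and busybox awk all work.
find_added_secrets() {
    awk '
        /^commit [0-9a-f]+/ { commit = substr($2, 1, 12); next }  # commit header
        /^[+][+][+] /       { file = substr($2, 3); next }        # "+++ b/path"
        /^[+]/ {
            line = substr($0, 2)                                  # drop the leading "+"
            if (tolower(line) ~ /(password|passwd|secret|api[_-]?key|token)[ \t]*[=:][ \t]*[^ \t]+/ ||
                line ~ /-----BEGIN [A-Z ]*PRIVATE KEY-----/ ||
                line ~ /AKIA[0-9A-Z]+/)
                print commit, file, line
        }'
}

# find_cleanup_commits: from `git log --oneline`, print commits whose message
# admits a leak. These are the messages the post says people search for, so
# each hit marks a secret that must be rotated, not merely deleted.
find_cleanup_commits() {
    grep -iE '^[0-9a-f]+ .*(remov|delet|strip)[a-z]* +(the +)?(password|passwd|secret|api[ _-]?key|token|credential|private key)' || true
}
```

Every line the first function prints is a credential to rotate before you touch the history; scrubbing the commit without rotating the value leaves it valid for anyone who already cloned.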
Bottom line: Do not commit sensitive data to public repositories.