How to handle secrets pushed into public GitHub repositories

Prevent secrets from being pushed into public

GitHub automatically detects many common API token formats in pushed commits. Make sure push protection for users (enabled by default) is turned on for your public repository so that such secrets are blocked before they become public.

If someone tries to push a local commit containing a supported secret to a remote repository hosted on GitHub, the push is blocked. Resolve the blocked push before pushing again.

Handle secret leakage into public repos

If a pushed secret does not match one of the supported secret formats, push protection will not block it and the secret will leak into public.
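To cover that gap, a local pre-commit hook can check the lines a commit adds against token patterns before anything reaches GitHub. The POSIX sh scanner below is an added example, not GitHub's push protection and not code from this page; its three patterns (AWS access key IDs, GitHub classic personal access tokens, PEM private-key headers) are an illustrative subset of real formats, and the `scan_diff` function, the `--staged` flag and the two sample diffs are constructed for the example.

```shell
#!/bin/sh
# Added example (not GitHub's push protection): a local pre-commit style
# scanner that checks the lines a commit ADDS against a small set of
# well-known token formats. The pattern list is deliberately short;
# push protection on GitHub covers far more formats.

# Extended regex: AWS access key IDs, GitHub classic PATs, PEM private keys.
SECRET_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----'

# scan_diff: read a unified diff on stdin, print every added line that
# matches SECRET_RE together with its file name, and return 1 if any match
# was found (0 when the diff is clean). Only '+' lines are inspected, since
# only newly added content can leak on a push.
scan_diff() {
  found=0
  file='(unknown)'
  while IFS= read -r line; do
    case "$line" in
      '+++ b/'*) file="${line#+++ b/}" ;;   # new-file header of a hunk
      '+++'*) ;;                            # e.g. '+++ /dev/null' (deleted file)
      '+'*)
        if printf '%s\n' "$line" | grep -E -q "$SECRET_RE"; then
          printf 'possible secret in %s: %s\n' "$file" "${line#+}" >&2
          found=1
        fi ;;
    esac
  done
  return "$found"
}

# Constructed sample diffs for a stand-alone run. The AWS key ID is AWS's own
# documented placeholder; the ghp_ token is a made-up string of the right shape.
LEAKY_DIFF='diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1,3 @@
 APP_ENV=production
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz'

# The secret appears only on a removed '-' line here, so this diff is clean.
CLEAN_DIFF='diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1,2 @@
 APP_ENV=production
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}'

# Helpers returning the scan result for each sample (0 = clean, 1 = secret found).
scan_leaky_sample() { printf '%s\n' "$LEAKY_DIFF" | scan_diff 2>/dev/null; }
scan_clean_sample() { printf '%s\n' "$CLEAN_DIFF" | scan_diff 2>/dev/null; }

# Hook usage: install as .git/hooks/pre-commit and call with --staged, which
# scans exactly what 'git commit' is about to record. A non-zero exit aborts
# the commit.
if [ "${1:-}" = '--staged' ]; then
  git diff --cached | scan_diff
fi
```

Invoked as `sh scanner.sh --staged` from a pre-commit hook, the scanner stops a matching secret before it is even committed; a format that slips past both this check and push protection is exactly the case the removal and invalidation steps below are for.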

If a secret has leaked into a public GitHub repository, you can remove it from the repository, which means rewriting the whole git history rather than just deleting it in a new commit.

Invalidate the leaked secret and update the system that uses it with a new one.
