Git Advanced: Managing Secrets in Git

Accidentally committing secrets (passwords, API keys, SSH keys) to a public repository is a serious security issue. Bots continuously scan GitHub, GitLab, and BitBucket for exposed credentials.

The Problem

Once you commit a secret:

  • It’s in your Git history forever (even if you delete it in the next commit)
  • Bots can find it within minutes
  • Your credentials are compromised

You can’t just “rollback” the commit—the secret remains in the repository history.

Prevention: The Best Strategy

Use .env Files

Never put secrets directly in source code. Instead:

  1. Store secrets in a .env file in your project root
  2. Add .env to your .gitignore
  3. Use a library like dotenv to load them

# .gitignore
.env

Use git-secrets

git-secrets is a tool that prevents you from committing secrets.

Install on macOS:

brew install git-secrets

Set up in your repository:

git secrets --install

This installs a pre-commit hook that checks for secrets before each commit.

For AWS credentials, add their patterns:

git secrets --register-aws

Scan your repository for existing issues:

git secrets --scan

If nothing prints, you’re clean. Otherwise, you’ll see details about what was found.
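To show what a hook like the one git-secrets installs actually does, here is an added example (not code from this page or from the git-secrets project): it scans only the lines a commit would add, so anything already in history is out of its scope. It assumes a POSIX shell with grep, sed and mktemp, and its regexes are an illustrative set, not git-secrets' own rules.

```shell
#!/bin/sh
# Added example, in the spirit of the git-secrets pre-commit hook.
# The patterns below are an assumed, illustrative set (AWS access key ID,
# AWS secret key assignment, PEM private key header, generic password/key
# assignments); real tooling ships a larger, maintained list.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
(aws_secret_access_key|AWS_SECRET_ACCESS_KEY)[[:space:]]*[=:][[:space:]]*[A-Za-z0-9/+=]{40}
-----BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----
(password|PASSWORD|passwd|api_key|API_KEY|apikey|secret|SECRET)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'

# scan_file FILE: print every line of FILE that looks like a credential.
# Exit status: 0 = clean, 1 = at least one hit (block the commit), 2 = scan error.
scan_file() {
  pattern_file=$(mktemp) || return 2
  printf '%s\n' "$SECRET_PATTERNS" > "$pattern_file"
  grep -E -n -f "$pattern_file" "$1"
  rc=$?
  rm -f "$pattern_file"
  case $rc in
    1) return 0 ;;   # grep matched nothing: clean
    0) return 1 ;;   # grep matched: treat as a blocked commit
    *) return 2 ;;   # grep itself failed (unreadable file, bad pattern)
  esac
}

# scan_staged: collect the added lines of the staged diff and scan them.
# This is what a .git/hooks/pre-commit script would call.
scan_staged() {
  added=$(mktemp) || return 2
  git diff --cached --unified=0 | grep '^+' | grep -v '^+++' | sed 's/^+//' > "$added"
  scan_file "$added"
  rc=$?
  rm -f "$added"
  return $rc
}

# Run as a hook: call `sh secret-check.sh --staged` from .git/hooks/pre-commit.
if [ "${1:-}" = "--staged" ]; then
  if ! scan_staged; then
    echo "Commit blocked: remove the line above, and rotate the credential if it was real." >&2
    exit 1
  fi
fi
```

A hook like this only blocks new additions; a secret that already reached a remote still has to be rotated, as the next section describes.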

What to Do If You Committed a Secret

Act immediately:

  1. Invalidate the credential - Change passwords, rotate API keys, revoke SSH keys
  2. Assume it’s compromised - Even if you “fix” it quickly, assume someone saw it

The security of your users and your reputation is at stake.

Other Tools and Practices

Git Hooks

Set up pre-commit hooks to check for common secret patterns before allowing commits.

Environment Variables

Use environment variables on your deployment platform instead of files:

  • Netlify, Vercel, and similar platforms have environment variable settings
  • Docker has secrets management
  • Cloud providers have secrets managers (AWS Secrets Manager, etc.)

Secret Scanning Services

GitHub has built-in secret scanning that alerts you when it detects exposed credentials from common providers.

Summary

Do                                          Don’t
Use .env files                              Commit credentials directly in code
Add .env to .gitignore                      Trust that private repos are safe
Use git-secrets                             Assume you’ll notice before pushing
Rotate compromised credentials immediately  Try to just delete the commit

Prevention is always better than cleanup. Set up proper workflows and tooling from the start.
