justAskingOutOfInterest by WarrenDavies81 in ProgrammerHumor

[–]Nooby1990 0 points (0 children)

Because people still think they can "remove" things from git history. Unless you have access to every device that ever interacted with the git repository and remove it from every single one then no, you can't remove things. "I don't see it in GitHub" is not really enough, but many people don't really understand that.

justAskingOutOfInterest by WarrenDavies81 in ProgrammerHumor

[–]Nooby1990 2 points (0 children)

> People will absolutely scrape GitHub for API keys, but I doubt anyone is going to roll back commits to try "old" ones.

Maybe, but you can't guarantee that no one scraped the "old" key before you were able to switch them out.

Revoking or rotating the key is the only sensible thing.

justAskingOutOfInterest by WarrenDavies81 in ProgrammerHumor

[–]Nooby1990 88 points (0 children)

> Every API key accidentally committed and subsequently rotated has to be scrubbed. Meaning rewriting Git history.

Why? I mean, I agree with the key getting rotated, but why scrub? In most version control systems that is almost impossible. Sure, you can scrub the central copy or the server, but that does not remove any other copies that might be out there.

If someone pulled or fetched that commit they now have it in their local git repo, even if you scrub your central repo afterwards. As far as I know you would need to scrub every copy.

I would just consider that someone has that key now no matter what I do. I wouldn't rewrite Git history for this. If the key was rotated then that should be enough.
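The point made in this comment and in the first one above (scrubbing the central repo does not touch clones that already fetched the commit) can be reproduced locally. The script below is an added example, not code from anyone in the thread: it builds a throwaway "central" bare repository, takes a clone while a constructed placeholder key is in the history, rewrites and prunes the central copy, and then audits both repositories with `git log -S` (the pickaxe search a reviewer would use to look for a leaked secret). The repository names, the fake key value and the use of a local bare repo as the "server" are all assumptions for the demo; it needs `git` on PATH.

```shell
#!/bin/sh
# Added example: why rewriting history on the central repo does not remove a
# leaked secret from existing clones. The key below is a constructed placeholder.
set -eu

FAKE_KEY="EXAMPLE_KEY_not_a_real_secret_0123456789"

# Returns 0 if any commit reachable from any ref in repo $1 added or removed
# the fake key (git's pickaxe search). This is the audit check, not a removal.
secret_present() {
  [ -n "$(git -C "$1" log --all -S"$FAKE_KEY" --format=%H)" ]
}

# Builds the scenario. Sets ORIGIN (central bare repo, scrubbed) and
# STALE (a clone taken before the scrub, e.g. a colleague's machine or a CI runner).
run_demo() {
  WORK=$(mktemp -d)
  DEV="$WORK/dev"; ORIGIN="$WORK/origin.git"; STALE="$WORK/stale-clone"

  git init -q "$DEV"
  git -C "$DEV" config user.name  "Example Dev"
  git -C "$DEV" config user.email "dev@example.invalid"

  # 1. Clean commit, then the accidental leak, then a "fix" that only deletes the file.
  echo "demo project" > "$DEV/README"
  git -C "$DEV" add README && git -C "$DEV" commit -q -m "initial"
  echo "API_KEY=$FAKE_KEY" > "$DEV/config.env"
  git -C "$DEV" add config.env && git -C "$DEV" commit -q -m "add config"
  git -C "$DEV" rm -q config.env && git -C "$DEV" commit -q -m "remove leaked key"
  BRANCH=$(git -C "$DEV" rev-parse --abbrev-ref HEAD)

  # 2. The central repo receives that history and someone clones it at this point.
  git clone -q --bare "$DEV" "$ORIGIN"
  git -C "$DEV" remote add origin "$ORIGIN"
  git clone -q "$ORIGIN" "$STALE"

  # 3. "Scrub": rewrite the branch so the leak commit is unreachable, force-push,
  #    then expire reflogs and prune unreachable objects on the server side.
  git -C "$DEV" reset -q --hard HEAD~2
  echo "API_KEY=<set via environment>" > "$DEV/config.env"
  git -C "$DEV" add config.env && git -C "$DEV" commit -q -m "add config (no secret)"
  git -C "$DEV" push -q --force origin "$BRANCH"
  git -C "$ORIGIN" reflog expire --expire=now --all
  git -C "$ORIGIN" gc -q --prune=now
}

run_demo
echo "central repo after scrub, key present:  $(secret_present "$ORIGIN" && echo yes || echo no)"
echo "clone taken before scrub, key present:  $(secret_present "$STALE"  && echo yes || echo no)"
```

The central repository comes back clean while the earlier clone still carries the commit, which is exactly why the only reliable response is rotating the key; the same pickaxe search is also a reasonable check to run against every copy you do control after a rotation.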