Secrets in Git: the API key you deleted is still there
"We deleted it two years ago"
A real audit scenario: an AWS key committed in a .env file in 2023, "deleted" three days later by a remove secrets commit. In 2026, it's still valid, still present in the Git history, and available to anyone who clones the repository.
Git is designed to forget nothing. A git rm creates a new commit *on top* — the file remains in every previous commit, recoverable with a single command.
How attackers find your keys
On public repositories: within minutes
Bots continuously scan public GitHub and GitLab commits for key patterns (AWS, Stripe, OpenAI, Supabase, npm tokens…). The delay between pushing a public AWS key and its first malicious use is measured in minutes. GitHub's secret scanning auto-revokes some of them, but covers neither every format nor every provider.
On private repositories: via secondary access
"Our repo is private" only protects you as long as it stays that way. Leaks happen through: a compromised developer laptop, an over-permissive CI/CD token, a contractor whose access was never revoked, a repo re-published as public years later. The full history leaves with the clone.
The 2026 case: AI-generated projects
Applications built with code-generation tools are over-represented in our findings: hardcoded keys "just for testing" suggested by the assistant, then committed along with everything else. If you vibe-coded your MVP, your repository history deserves an inspection.
What to do, in the right order
The classic mistake is starting by rewriting history. No:
git filter-repo — good hygiene, but useless for security if the key isn't revoked, and insufficient anyway: forks, local clones and CI caches keep the old version.Checklist
gitleaks git .), not just HEAD.env* in the .gitignore of your project templatesOur First Review includes a search for exposed secrets tied to your product — repositories, JavaScript bundles, public histories. 48h to know what's out there.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Fixing vulnerabilities: step-by-step remediation guide for developers
How to implement fixes after a security audit. RLS code, authentication, API — concrete examples.
Zero Trust for a small SaaS team: where to start
Zero Trust isn't reserved for large enterprises. Here's how a team of 5 to 30 can apply Zero Trust principles without heavy infrastructure.
Nexus Repository and CVE-2026-0600: why proxy configuration becomes an attack surface
CVE-2026-0600 affects Nexus Repository 3 through SSRF in proxy repository configuration. Here is why this is critical for supply-chain teams.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.