从所有Git提交中删除敏感信息 [英] Removing sensitive info from all Git commits
问题描述
使用BFG < h2>
BFG Repo-Cleaner是一种快速,简单的替代
git filter-branch
的替代方案,用于移除不需要的数据。例如,要删除含有敏感数据的
文件并保持最新的提交不变),请运行:
bfg - -delete-files您的文件与敏感数据
替换密码中列出的所有文本。 txt无论在存储库历史记录中找到
,运行:
bfg --replace-text passwords.txt
请参阅BFG Repo-Cleaner的完整使用说明文档以及下载
说明。
如果您要将此回购站推送到集中位置,请确保所有开发人员知道您正在执行的操作。否则,你会得到一些非常不满的人,这些人的存储库非常破碎并且失去了提交。您还需要强制推送到远程,因为您正在重写历史记录。对于每个人来说,这个过程通常是一个巨大的麻烦,这就是为什么我询问IP地址是否足够敏感以保证响应。
在安全方面,如果这些提交有已被公开,您应立即假定提交中信息的机密性受到损害。您应该立即采取适当的安全措施以减轻此时的风险。
Say I have sensitive info, such as a corporate IP address in a Git commit, in fact perhaps 100s of commits. Is there a way to remove/replace that token from all commits using a Git command?
Github suggests the easiest way is using a program called BFG repo cleaner.
Using the BFG
The BFG Repo-Cleaner is a faster, simpler alternative to
git filter-branchfor removing unwanted data. For example, to remove your file with sensitive data and leave your latest commit untouched), run:bfg --delete-files YOUR-FILE-WITH-SENSITIVE-DATATo replace all text listed in passwords.txt wherever it can be found in your repository's history, run:
bfg --replace-text passwords.txtSee the BFG Repo-Cleaner's documentation for full usage and download instructions.
If you're pushing this repo to a centralised location, ensure all the developers know what you are doing beforehand. Otherwise, you'll get some very upset people with very broken repositories and lost commits. You will also need to force a push to remote because you are rewriting history. This process is generally a huge hassle for everyone which is why I asked whether an IP address is sensitive enough to warrant this response.
On the security side, if these commits have already been made public, you should immediately assume that the confidentiality of information in the commits are compromised. You should immediately take appropriate security measures to mitigate any risks at this point.
这篇关于从所有Git提交中删除敏感信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
