12.8 million
new secrets leaked on GitHub in 2025 — GitGuardian detected one new secret exposed every 2.5 seconds
< 30 seconds
time for automated secret scanners to detect a newly pushed secret in a public GitHub repository
27%
of leaked secrets remain valid and unremediated 5 days after exposure — organizations that do not detect their own exposures
90 days
Git history persists: removing a file from HEAD does not remove it from history — a secret committed 90 days ago is still in git log

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A developer commits an AWS access key, a Stripe secret key, or a database connection string to a GitHub repository and pushes. Within 30 seconds, automated bots operated by security researchers, bug bounty hunters, and threat actors have scanned that commit and extracted the secret. If the repository is public, the key is effectively compromised at the moment of the push — not when you discover it, not when you delete the file, not when you close the PR.

This playbook covers the actions to take in the 60 minutes after discovering a secret committed to a repository. The sequence matters: revoke first, audit second, clean third. Doing these in the wrong order — cleaning history before revoking the key — leaves an active secret exposed while you spend time on housekeeping.

0-10 minutes: Revoke the secret immediately

The first action is revocation, not cleanup. A revoked secret that remains in git history is harmless. An active secret with a clean git history is still an active exposure.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

10-25 minutes: Audit for unauthorized usage

After revocation, determine whether the secret was used by anyone other than your own systems during the exposure window.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

25-45 minutes: Remove the secret from git history

Removing a secret from git history requires rewriting history — deleting the file from HEAD does not remove it from previous commits that anyone has already cloned or that GitHub's history retains.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

45-60 minutes: Root cause and prevention

Identify how the secret ended up committed and implement the control that prevents recurrence.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The 60-minute playbook: revoke in the first 10 minutes, audit for unauthorized use in the next 15, clean history in the following 20, and close the root cause gap in the remaining 15. In that order, every time. The psychological instinct to hide the evidence by cleaning history first is backwards — the secret is already compromised if the repository was public; history cleanup is maintenance, not security. Revoke first.

Frequently asked questions

Is it safe to just delete the commit and force push?

No. Deleting the file and force-pushing to main does not remove the secret from git history — the commit containing the secret still exists in the history and can be accessed via git log. You must use git filter-repo or BFG Repo Cleaner to rewrite history and remove the commit entirely, then force-push all branches and tags. Even after that, GitHub may cache the old content — request a cache purge for sensitive secrets.

How quickly do automated scanners harvest secrets from GitHub?

GitGuardian research documents detection within seconds to 30 minutes depending on the scanner. The GitHub firehose API gives real-time access to all public commits, and multiple services — both security-focused (GitGuardian, truffleHog) and malicious scanners — monitor it continuously. Assume a secret pushed to a public repository is harvested within minutes.

Do I need to revoke if the repository is private?

Private repositories have a smaller exposure window but are not zero-risk. Any user with repository access could have seen the commit. GitHub's own staff can technically access private repository content. Third-party GitHub Apps with repository access may have cached the commit contents. The safest posture is to treat any committed secret — regardless of repository visibility — as potentially compromised and rotate it.

Sources & references

  1. GitGuardian 2026 State of Secrets Sprawl Report
  2. GitHub Secret Scanning Documentation
  3. AWS Guidance: What to do if you accidentally expose an access key

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.