API Key Committed to GitHub: The 60-Minute Emergency Response Playbook

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
A developer commits an AWS access key, a Stripe secret key, or a database connection string to a GitHub repository and pushes. Within 30 seconds, automated bots operated by security researchers, bug bounty hunters, and threat actors have scanned that commit and extracted the secret. If the repository is public, the key is effectively compromised at the moment of the push — not when you discover it, not when you delete the file, not when you close the PR.
This playbook covers the actions to take in the 60 minutes after discovering a secret committed to a repository. The sequence matters: revoke first, audit second, clean third. Doing these in the wrong order — cleaning history before revoking the key — leaves an active secret exposed while you spend time on housekeeping.
0-10 minutes: Revoke the secret immediately
The first action is revocation, not cleanup. A revoked secret that remains in git history is harmless. An active secret with a clean git history is still an active exposure.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
10-25 minutes: Audit for unauthorized usage
After revocation, determine whether the secret was used by anyone other than your own systems during the exposure window.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
25-45 minutes: Remove the secret from git history
Removing a secret from git history requires rewriting history — deleting the file from HEAD does not remove it from previous commits that anyone has already cloned or that GitHub's history retains.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
45-60 minutes: Root cause and prevention
Identify how the secret ended up committed and implement the control that prevents recurrence.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
The 60-minute playbook: revoke in the first 10 minutes, audit for unauthorized use in the next 15, clean history in the following 20, and close the root cause gap in the remaining 15. In that order, every time. The psychological instinct to hide the evidence by cleaning history first is backwards — the secret is already compromised if the repository was public; history cleanup is maintenance, not security. Revoke first.
Frequently asked questions
Is it safe to just delete the commit and force push?
No. Deleting the file and force-pushing to main does not remove the secret from git history — the commit containing the secret still exists in the history and can be accessed via git log. You must use git filter-repo or BFG Repo Cleaner to rewrite history and remove the commit entirely, then force-push all branches and tags. Even after that, GitHub may cache the old content — request a cache purge for sensitive secrets.
How quickly do automated scanners harvest secrets from GitHub?
GitGuardian research documents detection within seconds to 30 minutes depending on the scanner. The GitHub firehose API gives real-time access to all public commits, and multiple services — both security-focused (GitGuardian, truffleHog) and malicious scanners — monitor it continuously. Assume a secret pushed to a public repository is harvested within minutes.
Do I need to revoke if the repository is private?
Private repositories have a smaller exposure window but are not zero-risk. Any user with repository access could have seen the commit. GitHub's own staff can technically access private repository content. Third-party GitHub Apps with repository access may have cached the commit contents. The safest posture is to treat any committed secret — regardless of repository visibility — as potentially compromised and rotate it.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
