Scanning Git History for Secrets
A secret that was committed and later deleted still lives in the repository's history. Scan the full commit history with --history.
A secret that was committed and later deleted still lives in the repository's
history, so it's still compromised. A normal scan only sees the working tree;
--history walks the full commit history, scans the content each commit introduced,
and catches secrets that no longer exist in the current tree — reporting who
introduced each one and when:
xgrep --history --category secrets .
xgrep --history --category secrets --since 2024-01-01 .   # bound the walk for speed
It reads only the local .git object store (no network) and de-duplicates each
secret to the earliest commit that introduced it. See the CLI reference for
--since, --max-commits, and the commit-provenance fields in JSON/SARIF.
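The following added example, which is not xgrep's code, shows the idea behind a history scan: it parses `git log --reverse -p` output, inspects only the lines each commit added, and keeps the earliest commit per secret along with its author and date. The `KEY_ID` pattern, the `scan_history` function, and the sample log are assumptions constructed for illustration.

```python
import re

# Assumed detector for this example: the AWS access key ID format.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Constructed, abbreviated output of:
#   git log --reverse -p --format='commit %H%x09%an%x09%aI'
SAMPLE_LOG = """\
commit 1111111\talice\t2024-02-01T10:00:00+00:00
diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
commit 2222222\tbob\t2024-02-03T09:30:00+00:00
diff --git a/deploy.sh b/deploy.sh
--- /dev/null
+++ b/deploy.sh
@@ -0,0 +1 @@
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
commit 3333333\talice\t2024-02-05T16:45:00+00:00
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1 +1 @@
-AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_KEY = os.environ["AWS_KEY"]
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ /dev/null
@@ -1 +0,0 @@
-export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""


def scan_history(log_text):
    """Map each secret to the earliest commit whose diff added it (log is oldest-first)."""
    found, commit, path, in_hunk = {}, None, None, False
    for line in log_text.splitlines():
        if line.startswith("commit ") and line.count("\t") == 2:
            sha, author, date = line[7:].split("\t")
            commit, in_hunk = {"commit": sha, "author": author, "date": date}, False
        elif line.startswith(("diff --git ", "@@")):
            in_hunk = line.startswith("@@")        # file headers end at the first hunk
        elif not in_hunk and line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:])    # file header, not added content
        elif in_hunk and line.startswith("+"):     # content this commit introduced
            for secret in KEY_ID.findall(line[1:]):
                found.setdefault(secret, dict(commit, file=path))
    return found
```

The key is absent from the tree after commit 3333333, yet the scan still reports it once, attributed to commit 1111111 by alice rather than to bob's later copy.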
History scanning combines with decoding to find encoded secrets anywhere in the past, and runs well as a scheduled CI job to audit a repository's entire history:
xgrep --history --decode --category secrets . # encoded secrets, across all history
xgrep --history --category secrets --sarif -o secrets.sarif .   # for CI upload
Overview
Secret scanning that finds hardcoded credentials — API keys, tokens, and private keys — across your source code and full git history, with 270+ detectors for 150+ providers. On by default.
Decoding & validation
Find secrets hidden one encoding layer deep with --decode, and confirm which credentials are actually live with --validate.