Secrets

Scanning Git History for Secrets

A secret that was committed and later deleted still lives in the repository's history, so it's still compromised. A normal scan only sees the working tree; --history walks the full commit history, scans the content each commit introduced, and catches secrets that no longer exist in the current tree — reporting who introduced each one and when:

xgrep --history --category secrets .
xgrep --history --category secrets --since 2024-01-01 .   # bound the walk for speed

It reads only the local .git object store (no network) and de-duplicates each secret to the earliest commit that introduced it. See the CLI reference for --since, --max-commits, and the commit-provenance fields in JSON/SARIF.
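The history walk described above, as an added Python model that is not xgrep's own code: it scans only the lines each commit introduced, attributes every secret to the earliest commit that added it, and bounds the walk by date the way --since does. The commit history, detector patterns and secret values are all constructed here.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass
class Commit:
    sha: str      # constructed, not a real commit id
    author: str
    when: date
    tree: dict    # snapshot after this commit: path -> file content

# Hypothetical detector patterns; a real scanner ships far more.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(r"(?i)api[_-]?key\s*[=:]\s*['\"]([\w\-]{16,})['\"]"),
}

def scan_text(text):
    """Yield (category, secret) for every pattern hit in text."""
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            yield name, m.group(m.lastindex or 0)

def scan_working_tree(commits):
    """A normal scan sees only the latest snapshot, so deleted secrets are invisible."""
    return {hit for content in commits[-1].tree.values() for hit in scan_text(content)}

def scan_history(commits, since=None):
    """Walk commits oldest-first, scan only the lines each commit added relative
    to its parent, and keep the earliest commit that introduced each secret."""
    findings, parent = {}, {}
    for c in commits:
        if since is None or c.when >= since:      # bound the walk, like --since
            for path, content in c.tree.items():
                old = set(parent.get(path, "").splitlines())
                added = "\n".join(l for l in content.splitlines() if l not in old)
                for hit in scan_text(added):
                    findings.setdefault(hit, (c.sha, c.author, c.when, path))
        parent = c.tree   # parent snapshot advances even for skipped commits
    return findings

# Constructed history: keys committed, later replaced by environment lookups.
KEY = 'API_KEY = "sk_live_constructed_0123456789abcdef"\n'
SAMPLE_HISTORY = [
    Commit("a1b2c3", "alice", date(2023, 11, 20), {"config.py": KEY}),
    Commit("d4e5f6", "bob", date(2024, 2, 3), {"config.py": KEY,
           "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"}),
    Commit("789abc", "alice", date(2024, 5, 9), {"config.py": 'API_KEY = os.environ["API_KEY"]\n',
           "deploy.sh": 'export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"\n'}),
]
```

Against this history the working-tree scan returns nothing while the history walk reports both keys with their introducing commit; note that in this model a walk bounded by since only sees lines added inside the window, so a secret introduced earlier and never touched again is not reported.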

History scanning combines with decoding to find encoded secrets anywhere in the past, and runs well as a scheduled CI job to audit a repository's entire history:

xgrep --history --decode --category secrets .          # encoded secrets, across all history
xgrep --history --category secrets --sarif -o secrets.sarif .   # for CI upload
