remove-secrets
Permanently purges sensitive files from the entire Git history.
Usage
```
git-wrangler remove-secrets [--repo <path>] [--yes] [--no-fetch] [--guided]
```
The command prompts before any destructive history rewrite is performed. Use --yes to proceed noninteractively.
What it does
Discovers Git worktrees under the current directory, or targets exactly one worktree with --repo, scans history for common secret file patterns, and removes matches with git-filter-repo.
The rewrite uses --path-glob, --invert-paths, --partial, and --force. The remote origin URL is automatically restored after the rewrite.
By default, remove-secrets first runs git fetch --prune origin for each target repository before scanning. Any fetch failure stops the command before scan, preview, confirmation, or mutation. Use --no-fetch for offline or local-only runs; the command warns that local remote-tracking refs may miss remote-only commits.
Target patterns
The following patterns are scanned and removed if found in history:
| Pattern group | Examples |
|---|---|
| Environment and package credentials | .env, .env.*, .npmrc, .pypirc, .netrc, .git-credentials |
| Private keys and certificates | *.pem, *.key, *.p12, *.pfx, *.asc, *.gpg, *.crt, *.cer, *.cert |
| SSH keys | id_rsa, id_rsa.pub, id_ed25519, id_ed25519.pub, *_rsa, *_ed25519 |
| Secret stores | secrets.json, credentials.json, *secret*.json, *credential*.json, *.secret, config/credentials.yml.enc |
| Container and Kubernetes credentials | .docker/config.json, .kube/config, kubeconfig |
| Cloud credentials | .aws/credentials, .aws/config, .config/gcloud/*, application_default_credentials.json, azureProfile.json, accessTokens.json |
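The scan-then-rewrite flow described under "What it does", together with the fetch and --no-fetch behaviour shown in the Example section, as an added illustration that is not git-wrangler's own code. It takes the glob groups from the table above, collects every path that ever appeared in history with `git log --all --name-only`, previews matches, and only then builds the `git filter-repo --invert-paths --partial --force` invocation and restores `origin`. The path-matching rule (basename for globs without a slash, path tail for globs with one) is this example's own approximation of --path-glob semantics, not a statement about how git-wrangler or git-filter-repo match; `SAMPLE_HISTORY` is constructed input for offline use.

```python
"""Added example (not git-wrangler's code): model remove-secrets' flow."""
import fnmatch
import subprocess
import sys
from pathlib import PurePosixPath

# Glob groups taken from the "Target patterns" table.
SECRET_GLOBS = [
    ".env", ".env.*", ".npmrc", ".pypirc", ".netrc", ".git-credentials",
    "*.pem", "*.key", "*.p12", "*.pfx", "*.asc", "*.gpg", "*.crt", "*.cer", "*.cert",
    "id_rsa", "id_rsa.pub", "id_ed25519", "id_ed25519.pub", "*_rsa", "*_ed25519",
    "secrets.json", "credentials.json", "*secret*.json", "*credential*.json",
    "*.secret", "config/credentials.yml.enc",
    ".docker/config.json", ".kube/config", "kubeconfig",
    ".aws/credentials", ".aws/config", ".config/gcloud/*",
    "application_default_credentials.json", "azureProfile.json", "accessTokens.json",
]

# Constructed history listing, standing in for `git log --all --name-only` output.
SAMPLE_HISTORY = [
    "README.md", "src/config.json", "deploy/.env.production", "certs/server.pem",
    ".docker/config.json", "ops/id_rsa.pub",
    ".config/gcloud/application_default_credentials.json",
]


def matching_globs(path):
    """Globs that a history path matches (assumed matching rule, see lead-in):
    a glob without '/' is tested against the basename, so `api/.env` is found;
    a glob with '/' must match the whole path or its tail, so a generic
    `src/config.json` is NOT matched but `.docker/config.json` is."""
    name = PurePosixPath(path).name
    hits = []
    for glob in SECRET_GLOBS:
        if "/" in glob:
            if fnmatch.fnmatchcase(path, glob) or fnmatch.fnmatchcase(path, "*/" + glob):
                hits.append(glob)
        elif fnmatch.fnmatchcase(name, glob):
            hits.append(glob)
    return hits


def history_paths(repo):
    """Every path ever touched on any ref (the scan is over refs, not the worktree)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--all", "--pretty=format:", "--name-only"],
        check=True, capture_output=True, text=True).stdout
    return sorted({line for line in out.splitlines() if line})


def scan(paths):
    """Map each offending path to the globs it matched; {} means skip the repo."""
    found = {}
    for path in paths:
        hits = matching_globs(path)
        if hits:
            found[path] = hits
    return found


def rewrite_plan(found):
    """Build the git-filter-repo argv: one --path-glob per matched glob,
    --invert-paths to drop those paths, --partial and --force as the doc states."""
    if not found:
        return []
    argv = ["git", "filter-repo", "--invert-paths", "--partial", "--force"]
    for glob in sorted({g for hits in found.values() for g in hits}):
        argv += ["--path-glob", glob]
    return argv


def main(repo=".", fetch=True, assume_yes=False):
    if fetch:  # any fetch failure raises here, before scan, preview or confirmation
        subprocess.run(["git", "-C", repo, "fetch", "--prune", "origin"], check=True)
    else:
        print("warning: --no-fetch; local remote-tracking refs may miss remote-only commits")
    found = scan(history_paths(repo))
    if not found:
        print("no secret-pattern paths in history; skipping")
        return
    for path, hits in found.items():  # preview before any mutation
        print(f"  {path}  (matched {', '.join(hits)})")
    if not assume_yes and input("Rewrite history permanently? [y/N] ").lower() != "y":
        return
    origin = subprocess.run(["git", "-C", repo, "remote", "get-url", "origin"],
                            check=True, capture_output=True, text=True).stdout.strip()
    subprocess.run(rewrite_plan(found), cwd=repo, check=True)
    # Restore origin if the rewrite dropped it (mirrors the doc's automatic restore).
    if subprocess.run(["git", "-C", repo, "remote", "get-url", "origin"],
                      capture_output=True).returncode != 0:
        subprocess.run(["git", "-C", repo, "remote", "add", "origin", origin], check=True)


if __name__ == "__main__":
    if "--demo" in sys.argv:  # offline run over the constructed listing
        for path, hits in scan(SAMPLE_HISTORY).items():
            print(path, "->", hits)
        print(" ".join(rewrite_plan(scan(SAMPLE_HISTORY))))
    else:
        main(fetch="--no-fetch" not in sys.argv, assume_yes="--yes" in sys.argv)
```

Run with `--demo` to see the preview and the filter-repo argv without touching a repository; without it the script behaves like the documented command on the current directory. Note that `rewrite_plan` returns `[]` for a clean repository, which is the "skipped cleanly" case from the Notes.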
Prerequisites
- git-filter-repo must be installed
Options
| Flag | Required | Description |
|---|---|---|
| --repo <path> | Optional | Target exactly one repository instead of discovering recursively. |
| --yes | Optional | Skip confirmation prompts. |
| --no-fetch | Optional | Use local remote-tracking refs without fetching origin first. |
| --guided | Optional | Interactively configure command options before execution. |
Example
```
git-wrangler remove-secrets --yes
# Scan using local remote-tracking refs without refreshing origin
git-wrangler remove-secrets --no-fetch
```
Notes
Warning: This permanently rewrites Git history. You will need to force-push to update remotes, and collaborators must coordinate after the force push, often by re-cloning or resetting.
- The command scans history first and reports found files before prompting to remove them
- Generic config.json files are not removed unless they match a credential-specific path such as .docker/config.json
- Repositories with no matching patterns are skipped cleanly
- Remote origin is preserved and restored after the rewrite