
We committed some passwords into our Bitbucket repository, which is against our organisation's security policy, so I have used the BFG Repo-Cleaner to replace all the passwords with the word Removed, by creating a mirror locally and then running

    bfg --replace-text passwords.txt my-repo.git

It does the job as described on their website; the password does get removed!

The surprise is that it

  • replaces the passwords in the file
  • deletes the old commits
  • then makes some new commits rather than rewriting the history based on the old commits....

So the problem is that the password can still be viewed from the old Bitbucket URL, which points to the old commits.

My question is: how can I remove the deleted commits from Bitbucket, or perhaps from the git history, which in turn stops the URL that points to the deleted/old commits from showing the password we intended to remove?

Junchen Liu

1 Answer


The solution is to do a "git push --force", which will trigger Bitbucket's auto gc.

However, the gc might fail; Bitbucket is working on the improvement. If that happens, you have to run these commands on the repo manually as admin:

    git reflog expire --expire="1 hour" --all
    git reflog expire --expire-unreachable="1 hour" --all
    git prune --expire="1 hour" -v
    git gc --aggressive --prune="1 hour"

Note: the force push makes the remote exactly the same as your local branch or master, thus make sure no other developers are working on it while you change your local working tree.

Junchen Liu
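To check that a rewritten-away password is really gone rather than merely unreachable, the following added example (not part of the original question or answer) scans every object in a throwaway repository before and after the clean-up commands from the answer. It assumes git is installed; the password and file name are constructed sample values, `git commit --amend` stands in for the BFG rewrite, and `now` replaces `1 hour` so that the freshly created objects are old enough to prune.

```shell
#!/bin/sh
# Added example: verify a removed secret is gone from the whole object store.
# SECRET and app.conf are constructed sample values, not from the original post.
SECRET='hunter2-constructed-sample'

# Succeeds if ANY object (reachable or not, loose or packed) contains the secret.
secret_in_object_store() {
    git -C "$1" cat-file --batch-all-objects --batch | grep -a -q -- "$SECRET"
}

purge_demo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q
    git -C "$repo" config user.name  "Demo"
    git -C "$repo" config user.email "demo@example.invalid"

    # 1. Commit the secret.
    printf 'db_password=%s\n' "$SECRET" > "$repo/app.conf"
    git -C "$repo" add app.conf
    git -C "$repo" commit -q -m "add config"

    # 2. Stand-in for the BFG rewrite: replace the text and rewrite the commit.
    printf 'db_password=Removed\n' > "$repo/app.conf"
    git -C "$repo" commit -q -a --amend -m "add config"

    # The old commit is off the branch now, but the reflog still keeps it alive.
    if secret_in_object_store "$repo"; then before=present; else before=gone; fi

    # 3. The clean-up commands from the answer, with "now" instead of "1 hour".
    git -C "$repo" reflog expire --expire=now --all
    git -C "$repo" reflog expire --expire-unreachable=now --all
    git -C "$repo" prune --expire=now
    git -C "$repo" gc -q --aggressive --prune=now

    if secret_in_object_store "$repo"; then after=present; else after=gone; fi
    rm -rf "$repo"
    echo "before=$before after=$after"
}

purge_demo
```

The same `secret_in_object_store` check can be pointed at a fresh mirror clone of the real repository, with `SECRET` set to the leaked value, to see whether the server still hands out objects that contain it.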