When it comes to make code or config publicy available as open source one has always to make sure that the repo doesn’t contain any sensitve information.

To remove stuff like passwords from various files in all commits i use bfg.

First I clone a single branch from a local repo which should be adjusted for public. Although I use a seperate branch I also use a seperate git directory because
Passwords will be cleaned from all refs/branches, not just the current.

git clone --single-branch --branch main file://$(pwd)/repo/ repo-public-bfg/ 

Then I search for passwords which are not comments:

git grep -Eih (pass|password|auth) | grep -v "^[\s]*;"

Then all the passwords are written to a file eg. passwords.txt. It can contain simple strings, one per line which will be replaced by ***REMOVED*** or you can define a search/replace combination using ==> as delimiter. Also regexes are possible for matching. See also this example.


Once everything is ready bfg does the actual work and git can do some cleanup:

bfg --replace-text ../passwords.txt . --no-blob-protection --filter-content-excluding "*.jpg"
git reflog expire --expire=now --all && git gc --prune=now --aggressive

--no-blob-protection removes the passwords from all commits even the current one.
With --filter-content-excluding you can exclude files that shouldn’t be altered.

Afterwards all the passwords listed in password.txt will be redacted in all commits! To track what has changed and prevent dataloss the passwords are all available as a staged commit. You can view them with git diff --staged or drop them with git stash; git stash drop