What Happens When You Accidentally Commit a .env File to GitHub

You just ran git push and immediately realised your .env file was in the commit. Here is exactly what happens next — and what you need to do in the next 10 minutes.

What happens in the seconds after you push

If your repository is public, automated bots are scanning GitHub's public event stream in real time. Researchers have documented these bots finding and exploiting AWS keys within 40 seconds of a public push. The bots are not manually operated — they are automated pipelines that spin up EC2 instances, send spam, mine crypto, or exfiltrate data immediately.

If your repository is private, the risk is lower but not zero: repo access can be granted through OAuth tokens, collaborator accounts, or GitHub App installations you may have forgotten about.

Assume the key is compromised the moment it hit the push.

Step 1: Rotate every exposed secret — now

Before you do anything with git, go to each service and rotate the credentials. This is more important than cleaning the history. Cleaning history is about preventing future exposure; rotation stops the active breach.

• ⚡AWS: IAM → Users → Security Credentials → delete access key, create new
• ⚡Stripe: Dashboard → Developers → API Keys → Roll key
• ⚡OpenAI: platform.openai.com → API Keys → delete, create new
• ⚡Twilio: Console → Account Info → Auth Token → Rotate
• ⚡GitHub Personal Access Tokens: Settings → Developer settings → Tokens → delete
• ⚡Database credentials: change password directly in your DB admin panel

Step 2: Remove the file from git history

Simply deleting the file in a new commit does not remove it from git history. Anyone with repository access can still check out the old commit and read the secrets.

The recommended tool is git-filter-repo (the official successor to BFG Repo Cleaner):

# Install
pip install git-filter-repo

# Remove .env from every commit in history
git filter-repo --path .env --invert-paths

# Force-push the rewritten history
git push origin --force --all
git push origin --force --tags

If you can't use git filter-repo, BFG Repo Cleaner is an alternative:

java -jar bfg.jar --delete-files .env myrepo.git
cd myrepo.git && git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push origin --force --all

Important: All collaborators must re-clone after you force-push the rewritten history. Any stale local clone still contains the old commits.

Step 3: If the repo was public — contact GitHub support

Even after you force-push, GitHub caches refs. Submit a cached data removal request at support.github.com → “Remove sensitive data”. GitHub will purge the cached objects from their CDN.

GitHub also has an automated secret scanning service that may have already flagged your push and notified the service provider (e.g., AWS, Stripe) — check your email for notifications from those providers.

Step 4: Check your cloud logs for unauthorized activity

If keys were exposed for more than a few minutes, check for unauthorized usage before assuming everything is fine:

• 🔍AWS CloudTrail: look for API calls from unfamiliar IPs in the last hour
• 🔍Stripe: Dashboard → Logs → filter by timestamp, look for unexpected charges
• 🔍GitHub: Settings → Security log → look for unexpected OAuth grants or API calls
• 🔍Your hosting provider: check for new instances, unusual outbound traffic

How to prevent this from happening again

The best prevention is layered — any one of these would have stopped the incident:

The 10-minute checklist

• 1Rotate every exposed credential at the source service
• 2Run git filter-repo to remove .env from full history
• 3Force-push rewritten history to GitHub
• 4Tell all collaborators to re-clone
• 5Submit cached data removal to GitHub support (if repo was public)
• 6Check CloudTrail / service logs for unauthorized activity
• 7Add .env* to .gitignore if not already present
• 8Install a pre-commit hook to catch future incidents

Use the .env Deep Sanitizer to create a safe .env.example for sharing with your team — it redacts secrets in your browser, no uploads needed.