Security researcher Sharon Brizinov, in collaboration with Truffle Security, has conducted a sweeping investigation of GitHub’s “oops commits”, the force-pushed or deleted commits that remain archived and retrievable, and uncovered thousands of secrets left behind, including high-value tokens and admin-level credentials. The team also released an open-source tool so others can scan their own repositories for such leaks.
GitHub keeps serving a public commit even after a developer force pushes over it: no branch points at the old commit any more, but the object is still retrievable by its SHA. In the GH Archive event stream, such a force push is recorded as a PushEvent carrying zero commits, and the event’s `before` field names the commit that was overwritten. By pulling every such dangling commit since 2020 out of GitHub Archive data and scanning it, Brizinov found live secrets that earned roughly $25,000 in bug bounty rewards, including GitHub personal access tokens (PATs) and AWS credentials that could have enabled wide-ranging supply-chain attacks.
To empower the community, Truffle Security and Brizinov co-developed the Force Push Scanner, an open-source tool that identifies orphaned commits in your GitHub organization or user account and scans them for secrets. It queries the GH Archive dataset in BigQuery for the zero-commit PushEvents that mark force pushes, then runs TruffleHog over the commits they point at.
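The two halves of that pipeline, as an added example written for this article rather than the Force Push Scanner’s own code: filter GH Archive-style PushEvent records down to the zero-commit ones and collect their `before` SHAs, then run a few secret patterns over the files of each orphaned commit. The event records and file contents are constructed, and `fetch_orphaned_files()` is a hypothetical stand-in for the GitHub API call a real implementation would make; the AWS key is Amazon’s published example key and the PAT is a placeholder-shaped string.

```python
"""Find force-push ("zero-commit") PushEvents in GH Archive-style records and
scan the orphaned commits they point at for secret patterns.

Added example in the spirit of the Force Push Scanner; it is not that tool's
code. Event records and file contents are constructed, and
fetch_orphaned_files() is a hypothetical stand-in for the GitHub API call a
real implementation would make.
"""
import json
import re
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

ZERO_SHA = "0" * 40

# Constructed GH Archive-style events, one JSON object per line as in the
# hourly gharchive.org dumps. The second record is the force push: a
# PushEvent carrying zero commits, whose `before` field names the commit the
# branch used to point at and that GitHub still serves by SHA.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"type": "PushEvent", "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/main", "size": 1, "distinct_size": 1,
                 "before": "a" * 40, "head": "b" * 40,
                 "commits": [{"sha": "b" * 40, "message": "add deploy config"}]}},
    {"type": "PushEvent", "repo": {"name": "example-org/service"},
     "payload": {"ref": "refs/heads/main", "size": 0, "distinct_size": 0,
                 "before": "b" * 40, "head": "c" * 40, "commits": []}},
    {"type": "IssuesEvent", "repo": {"name": "example-org/service"},
     "payload": {"action": "opened"}},
])

# Constructed contents of the orphaned commit. The AWS key is Amazon's
# documented example key; the PAT is a placeholder-shaped string.
ORPHANED_COMMITS: Dict[str, Dict[str, str]] = {
    "b" * 40: {
        ".env": ("MONGO_URI=mongodb://svc:Pa55w0rd-example@db.internal:27017/app\n"
                 "CACHE_URI=redis://localhost:6379\n"),
        "deploy/config.yaml": "github_token: ghp_" + "x" * 36 + "\n",
        "terraform.tfvars": 'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n',
    },
}

SECRET_RULES = {
    "github-pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws-access-key-id": re.compile(r"(?<![A-Za-z0-9])AKIA[0-9A-Z]{16}(?![A-Za-z0-9])"),
    # Only URIs that embed credentials; mongodb://localhost/app is not a leak.
    "mongodb-uri-with-credentials": re.compile(
        r"mongodb(?:\+srv)?://[^\s:@/]+:[^\s@/]+@[^\s'\"]+"),
}


def find_force_pushes(event_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (repo, orphaned_sha) for every zero-commit PushEvent.

    A force push that rewrites a branch appears in the archive as a PushEvent
    with size == 0; its `before` SHA is the commit that was overwritten.
    """
    hits: List[Tuple[str, str]] = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("type") != "PushEvent":
            continue
        payload = event.get("payload", {})
        if payload.get("size", 0) != 0:
            continue  # ordinary push; its commits stay reachable via the branch
        before = payload.get("before", "")
        if not re.fullmatch(r"[0-9a-f]{40}", before) or before == ZERO_SHA:
            continue  # malformed or an all-zero placeholder: nothing to recover
        hits.append((event["repo"]["name"], before))
    return hits


def fetch_orphaned_files(repo: str, sha: str) -> Dict[str, str]:
    """Hypothetical stand-in returning {path: content} for an orphaned commit.

    A real implementation would call GET /repos/{repo}/commits/{sha} on the
    GitHub API (which answers for unreachable SHAs too) and scan each returned
    file patch. Here the data comes from the constructed table above.
    """
    return ORPHANED_COMMITS.get(sha, {})


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return value[:6] + "*" * (len(value) - 6) if len(value) > 6 else "*" * len(value)


def scan_text(text: str) -> Iterator[Tuple[str, str]]:
    for rule, pattern in SECRET_RULES.items():
        for m in pattern.finditer(text):
            yield rule, m.group(0)


def scan_orphaned_commits(force_pushes: List[Tuple[str, str]],
                          fetch_files: Callable[[str, str], Dict[str, str]]) -> List[dict]:
    findings = []
    for repo, sha in force_pushes:
        for path, content in fetch_files(repo, sha).items():
            for rule, match in scan_text(content):
                findings.append({"repo": repo, "sha": sha, "path": path,
                                 "rule": rule, "redacted": redact(match)})
    return findings


if __name__ == "__main__":
    pushes = find_force_pushes(SAMPLE_EVENTS.splitlines())
    for f in scan_orphaned_commits(pushes, fetch_orphaned_files):
        print(f"{f['repo']} {f['sha'][:12]} {f['path']}: {f['rule']} -> {f['redacted']}")
```

The size check is what separates a force push from an ordinary push: a normal push lists its commits, which remain reachable from the branch, while the rewrite leaves behind an event with an empty commit list and a `before` pointer that is the only remaining reference to the overwritten commit.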
The findings were staggering: a large volume of live secrets, such as MongoDB credentials and API tokens, sat in .env and other common config files. One particularly alarming case was a GitHub Personal Access Token with admin permissions over the Istio repositories, enough for a supply-chain compromise of the project; the token was revoked promptly after responsible disclosure.
Community reaction highlights the broader implications: developers and security professionals noted that commits intended to be removed are often still accessible. One user commented, “There isn’t a proven way to delete a commit once it leaves your machine… you have to assume it’s permanently exposed”, underscoring the dangers of making assumptions about deletion.
This research dismantles the notion that force-pushed Git history is private. Any secret that has ever been committed, even unknowingly, should be treated as compromised and revoked immediately. Truffle Security’s Force Push Scanner gives teams a way to find secrets lingering in orphaned commits before someone else does.
To prevent secret leaks, developers should prioritize secret management tools and environment variables over hardcoded credentials. Storing secrets in platforms like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault keeps sensitive data out of the codebase and provides centralized control over access. Alongside this, enforcing secret scanning at multiple stages, locally with pre-commit hooks and again in CI/CD pipelines, is critical. Tools like TruffleHog, Gitleaks, or detect-secrets catch exposed credentials early, and regular historical scans uncover secrets in older commits, including the orphaned ones that a scan of the current branch history alone will miss.
When a secret is exposed, it should always be treated as compromised. Immediate revocation and rotation of credentials, ideally through automated processes or dynamic secret systems, minimizes the risk window. This should be paired with strict access controls guided by the principle of least privilege, so that developers and services can reach only the credentials they truly need. Additionally, enabling GitHub’s push protection can stop secrets from being pushed in the first place, and history-cleaning tools like git filter-repo can be used cautiously when policy allows. Bear in mind that rewriting history only changes what your refs point to: commits already pushed remain retrievable from GitHub by SHA, so rotation has to come first and cleaning is hygiene, not remediation.
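Both halves of that advice can be checked locally. The following script is an added example, not code from the research or from Truffle Security: it uses a local bare repository as a stand-in for GitHub (configured with `uploadpack.allowAnySHA1InWant` so it serves any object by SHA, as GitHub does), commits a constructed secret, “fixes” it with an amend and a force push, and then shows that a fresh clone can still fetch the overwritten commit by SHA. It then installs a minimal pre-commit hook that refuses a commit whose staged additions contain a PAT- or AWS-key-shaped string; the token is a constructed placeholder, and in practice the hook would call TruffleHog or Gitleaks instead of grep.

```shell
#!/bin/sh
# Added example, not code from the research or from Truffle Security. A local
# bare repository stands in for GitHub; the token is a constructed placeholder.
set -eu

GIT="git -c user.name=demo -c user.email=demo@example.invalid"
FAKE_PAT="ghp_$(printf '%036d' 0 | tr 0 A)"   # PAT-shaped, 40 chars, not a real token

# 1. A force push does not delete the overwritten commit from the remote: no
#    ref reaches it any more, but it is still fetchable by SHA.
orphan_survives() {
  work=$(mktemp -d); remote=$(mktemp -d); fresh=$(mktemp -d)
  {
    $GIT init -q --bare "$remote"
    git -C "$remote" config uploadpack.allowAnySHA1InWant true   # behave like GitHub

    $GIT init -q "$work"
    echo "# demo" > "$work/README.md"
    echo "AWS_SECRET=constructed-value" > "$work/.env"
    $GIT -C "$work" add README.md .env
    $GIT -C "$work" commit -q -m "oops: commit .env"
    leaked=$($GIT -C "$work" rev-parse HEAD)
    branch=$($GIT -C "$work" symbolic-ref --short HEAD)
    git -C "$remote" symbolic-ref HEAD "refs/heads/$branch"
    $GIT -C "$work" remote add origin "$remote"
    $GIT -C "$work" push -q origin "$branch"

    # The usual "fix": drop the file, rewrite the commit, force push.
    $GIT -C "$work" rm -q --cached .env
    $GIT -C "$work" commit -q --amend -m "initial commit (scrubbed)"
    $GIT -C "$work" push -q --force origin "$branch"

    # No ref on the remote reaches the leaked commit any more ...
    if git -C "$remote" rev-list --all | grep -q "$leaked"; then return 1; fi
    # ... yet the object is still in the remote's store, and a fresh clone can
    # pull it back by SHA, which is exactly what the research relied on.
    git -C "$remote" cat-file -e "$leaked"
    $GIT clone -q "$remote" "$fresh"
    $GIT -C "$fresh" fetch -q origin "$leaked"
  } >&2
  git -C "$fresh" show "$leaked:.env"       # prints AWS_SECRET=constructed-value
  rm -rf "$work" "$remote" "$fresh"
}

# 2. A pre-commit hook that refuses commits whose staged additions contain a
#    GitHub PAT or AWS access key ID shape. Production setups run trufflehog or
#    gitleaks here; the grep keeps the example self-contained.
hook_blocks_secret() {
  hookrepo=$(mktemp -d)
  $GIT init -q "$hookrepo"
  mkdir -p "$hookrepo/.git/hooks"
  cat > "$hookrepo/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
# Only added lines of the staged diff are examined, so existing history does
# not trip the hook on every commit.
if git diff --cached --unified=0 | grep '^+' | grep -v '^+++' \
   | grep -Eq 'ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}'; then
  echo "pre-commit: possible secret in staged changes; commit refused" >&2
  exit 1
fi
EOF
  chmod +x "$hookrepo/.git/hooks/pre-commit"
  echo "GITHUB_TOKEN=$FAKE_PAT" > "$hookrepo/.env"
  $GIT -C "$hookrepo" add .env
  if $GIT -C "$hookrepo" commit -q -m "add env" 2>/dev/null; then
    result=allowed
  else
    result=blocked
  fi
  rm -rf "$hookrepo"
  echo "$result"
}

echo "recovered from remote after force push: $(orphan_survives)"
echo "pre-commit hook verdict: $(hook_blocks_secret)"
```

The first function is the reason “revoke first” is non-negotiable: even on a repository you control, the amended commit is gone from every branch yet `cat-file -e` still finds the object and `fetch origin <sha>` brings it back; on GitHub you do not even control the garbage collection. The hook is the cheap preventive layer that belongs in front of push protection and CI scanning.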
Beyond tools and automation, creating a strong security culture is essential. Teams should be trained to recognize the risks of committing secrets and adopt safe handling practices, such as secure storage, regular scanning, and key rotation. By combining technical safeguards with cultural change, teams can significantly reduce the risk of secret exposure and make secure coding practices a default part of their workflows.