Password.txt Github Guide

Never hardcode sensitive data. Use environment variables to load credentials into your application at runtime. Libraries like dotenv (for Node.js or Python) allow you to store secrets locally in a .env file that stays out of your Git history.

3. Implement Pre-Commit Hooks

Malicious actors do not manually browse GitHub looking for secrets. Instead, they use automated threat intelligence tools and public search queries known as GitHub Dorks.

Enable GitHub Secret Scanning on your repositories. It automatically scans pushes for known token formats from various cloud and SaaS providers.
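A local pre-commit hook catches the same two classes of mistake before anything reaches GitHub: credential-looking filenames and lines shaped like known tokens. This is an added example, not code from the original article; the filename list and the two token patterns (an AWS access key ID and a classic GitHub PAT) are assumptions chosen for illustration, and a real secret scanner knows many more formats.

```shell
#!/bin/sh
# Pre-commit hook (added example): refuses a commit that stages a credential-looking
# filename or a line matching a known token format. Install by copying this file to
# .git/hooks/pre-commit and making it executable.

# Filenames the article describes as classic mistakes, plus .env (constructed list).
is_forbidden_name() {
    case "$(basename "$1")" in
        password.txt|passwords.txt|secrets.txt|.env) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if stdin contains something shaped like an AWS access key ID
# (AKIA + 16 uppercase letters/digits) or a classic GitHub PAT (ghp_ + 36 alphanumerics).
# Both patterns are illustrative assumptions, not an exhaustive list.
has_secret_pattern() {
    grep -Eq 'AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}'
}

# Checks one staged path; prints the reason and returns 1 on a hit, 0 otherwise.
check_staged_file() {
    if is_forbidden_name "$1"; then
        echo "blocked: $1 looks like a credential file"; return 1
    fi
    # ":path" reads the staged (index) version, not the working-tree copy.
    if git show ":$1" 2>/dev/null | has_secret_pattern; then
        echo "blocked: $1 contains a known token format"; return 1
    fi
    return 0
}

# Walks every added or modified staged file; the subshell's exit code becomes
# the hook's exit code, and a non-zero exit makes git abort the commit.
run_hook() {
    git diff --cached --name-only --diff-filter=AM | {
        status=0
        while IFS= read -r f; do
            check_staged_file "$f" || status=1
        done
        [ "$status" -eq 0 ] || echo "commit rejected: move the secret to env vars, then git rm --cached it"
        exit "$status"
    }
}

# Only touch git when git itself invokes this file as the pre-commit hook.
case "${0##*/}" in pre-commit) run_hook ;; esac
```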

Files named password.txt or passwords.txt are often committed to public repositories by mistake.

    # Search the current repo's full history for the file
    git log --all --full-history -- "*password.txt"

If the repository is public, it is searchable. Automated scanners crawl GitHub constantly looking for hardcoded secrets, often within minutes of a push.

GitHub provides Secret Scanning for public repositories, and Push Protection, which blocks pushes containing known secret formats (like AWS keys or GitHub PATs) in real time.

4. Use Pre-commit Hooks

Never hardcode sensitive data

It’s a classic developer mistake. You’re working late, you need to authenticate a script, and for "just a second," you save your credentials in a file named password.txt. You finish your code, run git add ., git commit, and git push.

Use tools like Doppler, AWS Secrets Manager, or GitHub Secrets.

Use git filter-repo or the BFG Repo-Cleaner to scrub the file from every commit in your history.

Enable GitHub Secret Scanning on your repositories

Many beginners follow tutorials that say, "Create a secrets.txt file for now" or "Store your keys in password.txt for this example." They do exactly that, then push the entire tutorial project to GitHub to showcase their portfolio. They never realize the tutorial’s warning was serious.

Once a file is pushed, changing the repository from public to private or simply deleting the file in a subsequent commit does not erase the danger. Git retains the entire commit history, meaning the credentials remain accessible in past commits unless the history is completely purged.

How Attackers Find Excluded Credentials