GitHub’s regular search will find password.txt in the current branch. But what if you deleted it in a later commit? The file may still exist in the Git history. Use:

    git log --all --full-history -- "*password.txt*"

To remove password.txt from every commit in the history, rewrite the history with git filter-branch:

    git filter-branch --force --index-filter \
      "git rm --cached --ignore-unmatch password.txt" \
      --prune-empty --tag-name-filter cat -- --all

Install a pre-commit hook that scans for high-risk patterns:

    # .pre-commit-config.yaml
    repos:
      - repo: https://github.com/Yelp/detect-secrets
        rev: v1.5.0
        hooks:
          - id: detect-secrets
            args: ['--baseline', '.secrets.baseline']

Now git commit will block any attempt to add a file containing potential secrets.

In 2022, GitHub introduced secret scanning and push protection for public repositories. If you try to push a commit containing a known secret pattern (like AWS keys), GitHub can block the push.

In a workflow, pass the password as a secret:

    steps:
      - name: Use secret
        env:
          MY_PASSWORD: ${{ secrets.DB_PASSWORD }}
        run: echo "Password is set"
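Returning to the pre-commit hook step: the following is an added example, not code from the original page or from detect-secrets. It is a simplified Python hook that rejects staged files with high-risk names or hardcoded password assignments, while allowing references such as `${{ secrets.DB_PASSWORD }}`. The patterns, function names and sample inputs are assumptions made for illustration.

```python
"""Simplified pre-commit secret check (illustrative; not detect-secrets)."""
import re
import subprocess
import sys

# Assumed, deliberately small rule set; real scanners ship many more rules.
RISKY_NAME = re.compile(
    r"(?i)(^|/)[^/]*(password|passwd|secret|credential)[^/]*\.(txt|csv|env|bak)$")
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key)\w*\s*[:=]\s*(.+)")

def scan(path, text):
    """Return (path, line_no, reason) findings; line 0 means the file name."""
    findings = []
    if RISKY_NAME.search(path):
        findings.append((path, 0, "high-risk file name"))
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGNMENT.search(line)
        value = m.group(2).strip().strip("'\"") if m else ""
        # "$..." is a reference (${{ secrets.X }}, $VAR), not a literal value.
        if value and not value.startswith("$"):
            findings.append((path, no, "hardcoded " + m.group(1).lower()))
    return findings

def git(*args):
    return subprocess.run(["git", *args], capture_output=True, check=True).stdout

def staged_files():
    """Yield (path, content) for files added or modified in the index."""
    names = git("diff", "--cached", "--name-only", "--diff-filter=AM", "-z")
    for raw in filter(None, names.split(b"\0")):
        path = raw.decode("utf-8", "surrogateescape")
        yield path, git("show", ":" + path).decode("utf-8", "replace")

# Constructed sample inputs (not real credentials), used by demo().
SAMPLES = {
    "password.txt": "admin:constructed-value\n",
    "ci.yml": "env:\n  MY_PASSWORD: ${{ secrets.DB_PASSWORD }}\n",
    "settings.py": 'DB_PASSWORD = "constructed-not-real"\n',
}

def demo():
    return [f for path, text in SAMPLES.items() for f in scan(path, text)]

if __name__ == "__main__":
    found = [f for path, text in staged_files() for f in scan(path, text)]
    for path, no, reason in found:
        print(f"{path}:{no}: {reason}", file=sys.stderr)
    sys.exit(1 if found else 0)  # non-zero exit makes git abort the commit
```

Saved as an executable `.git/hooks/pre-commit`, it runs on every `git commit`; it complements a maintained scanner such as detect-secrets and does not replace one.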