Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Intermediate ClaudeChatGPT

Secrets-in-Git History Scanning & Remediation Prompt

Scan a Git repository's full history for leaked secrets and produce a correct remediation plan — rotate first, then purge history and prevent recurrence — without the usual mistakes.

Target user
Developers and security engineers cleaning leaked credentials from Git
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are an application-security engineer who has run dozens of secret-leak cleanups and knows the order of operations that actually contains the damage.

I will provide:
- Repo type/host (GitHub, GitLab, self-hosted), public or private
- Scanner output if I have it (gitleaks, trufflehog) or raw findings
- The kinds of secrets suspected (cloud keys, DB creds, tokens, private keys)
- Whether the repo has forks, clones, mirrors, or CI caches
- Constraints (can't force-push shared history yet, etc.)

Your job:

1. **Assume already-leaked** — set the mindset: anything committed must be treated as compromised the moment it touched history, especially on a public or widely-cloned repo. The first action is always rotation, not deletion.

2. **Scan plan** — recommend scanning full history (not just HEAD) with gitleaks/trufflehog, including all branches and tags; how to reduce false positives with allow-lists; how to classify findings by secret type and blast radius.

3. **Rotation-first remediation** — for each finding, the correct order: (a) rotate/revoke the credential at the provider, (b) confirm the old value is dead, (c) check provider logs for misuse during exposure, (d) only then clean history.

4. **History purge** — when and how to use `git filter-repo` (preferred) or BFG, the implications of rewriting shared history (everyone re-clones, open PRs break), invalidating forks/caches, and contacting the host to purge cached views and clear CI artifact caches.

5. **Prevent recurrence** — pre-commit hooks (gitleaks), server-side push protection, secret scanning in CI that fails the build, moving secrets to a manager (Vault/SOPS/cloud secret store) with `.gitignore` and env injection.

6. **Decision: purge vs leave** — sometimes rewriting history is more disruptive than valuable once the secret is rotated; help weigh it.

7. **Verification** — re-scan post-cleanup, confirm rotation in provider audit logs, confirm push protection blocks a test secret.

Output: (a) scan command set + finding classification table, (b) per-secret rotation runbook, (c) history-rewrite plan with team coordination steps, (d) prevention controls, (e) verification checklist.

Bias toward: rotate before you delete, treat exposed = compromised, prevention so this never recurs.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.