
Sensitive information in source code - Git history


Sensitive information such as usernames, service credentials or access tokens can be found in the git history.


Obtain sensitive information to compromise more resources or services.


  • Remove the sensitive information from the Git history.
  • Change the compromised access credentials.


Authenticated user from Internet with access to the source code.

Expected Remediation Time

⌚ 120 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N


  • Exploit code maturity: P
  • Remediation level: U
  • Report confidence: C


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C
  • Score:
    • Base: 4.3
    • Temporal: 4.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

If there is sensitive information in the Git history, the repository's history can be discarded with $ rm -rf .git and the repository re-initialized from the clean working tree, so that the new history no longer contains the commit with the sensitive information. Because the old history may already have been cloned, the exposed credentials must still be changed.
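
The following script is an added example and is not code from the original page or from the author's project. It builds a throwaway repository that repeats the pattern of a credential committed and then deleted in a later commit, shows with git's pickaxe search that the value is still recoverable from history, and then applies the remediation above (discard .git and re-initialize). It assumes git is installed; the file name, commit identity and secret value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: reproduces the finding in a
# scratch repository (credential committed, then "removed" by a later commit),
# shows the value is still in history, and applies the page's remediation of
# discarding .git and re-initializing from the clean tree. Requires git.
set -e

SECRET="exposedPassword"   # constructed sample value, not a real credential

git_id() {                 # local identity so commits work on a clean machine
  git -C "$1" config user.email "demo@example.invalid"
  git -C "$1" config user.name "demo"
}

# Repository with the anti-pattern: secret committed, then deleted by a new commit.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git_id "$dir"
  printf 'password: "%s";\n' "$SECRET" > "$dir/config.ts"
  git -C "$dir" add . && git -C "$dir" commit -q -m "add config"
  printf 'password: process.env.APP_PASSWORD;\n' > "$dir/config.ts"
  git -C "$dir" add . && git -C "$dir" commit -q -m "remove password"
  echo "$dir"
}

# Detection: commits anywhere in history whose diff adds or removes the secret
# string (git pickaxe search), even though the current working tree is clean.
count_hits() {
  git -C "$1" log --all -S"$SECRET" --format=%H | wc -l | tr -d ' '
}

# Remediation from the page: throw away the history and re-initialize from the
# current (clean) working tree so the sensitive commit no longer exists.
reset_history() {
  rm -rf "$1/.git"
  git -C "$1" init -q
  git_id "$1"
  git -C "$1" add . && git -C "$1" commit -q -m "initial commit after history reset"
}

demo() {
  repo=$(make_repo)
  echo "commits touching the secret before reset: $(count_hits "$repo")"
  reset_history "$repo"
  echo "commits touching the secret after reset:  $(count_hits "$repo")"
  rm -rf "$repo"
}
demo
```

The before/after counts (2, then 0) show why deleting the line is not a fix on its own; as the recommendation above says, the credentials must also be changed because clones of the old history may exist.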

Non compliant code

A file found in the Git history contains sensitive information, such as credentials or API keys:

commit ~HASH (HEAD -> master, origin/master, origin/HEAD)
Author: user
Date: Tue Jun 28 12:57:38 2022 -0500
commit message

diff --git mypath
index 6894a51802..99d0f0a22f 100644
--- a/integrates/front/src/components/Button/index.tsx
+++ b/integrates/front/src/components/Button/index.tsx
@@ -6,41 +6,41 @@ public void (*args) {
interface IVariant {
- userAdmin: "Myuser";
- password: "exposedPassword";
+ password: {mykeysecret};
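Review bot: Deleting `- userAdmin: "Myuser";` and `- password: "exposedPassword";` in this hunk only changes the current tree; both values remain recoverable from the earlier commit in the Git history, so this commit alone does not remediate the finding. As the recommendation above states, the history containing the secret has to be removed or reset and the exposed credentials changed. The replacement line `+ password: {mykeysecret};` also still places a secret value directly in the source file instead of a reference to where the secret is loaded from, so the same finding will recur.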

