How to Remove Sensitive Data from Git History with Rebase and Filter-Repo

Git is powerful, but it remembers everything you commit. If you ever push passwords, API keys, tokens, or personal data into a public or shared repo, they don’t just live in the latest commit. They stay in the history: deleting them in a later commit leaves the earlier commits, and the secret inside them, intact. Forever. Unless you rewrite history.

This is where git rebase comes in. Used with the right tools, it lets you rewrite past commits, edit messages, and remove files—effectively erasing sensitive data from the commit tree. But it’s not just about running one command. Masking sensitive data requires precision, understanding, and discipline to avoid leaving traces in remote branches or forks.

Start by identifying the exact commit where the sensitive data was introduced. Use git log or git blame to track it down. Then run an interactive rebase to surgically remove or change the file, the config, or the secret. Commands like git rebase -i HEAD~N give you the control to edit history commit by commit. After making the edits, force-push to overwrite the remote history, but understand that anyone who cloned the repo before your fix may still have the original sensitive data.

For deeper cleanup, git filter-repo is faster and safer than old tools like git filter-branch. It can strip secrets across the entire repo in seconds, rewriting every commit. Combine that with patterns to catch not just one exposed secret but all occurrences.
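The workflow described above (locate the introducing commit, rewrite every commit, then check that nothing is left), as an added example that is not code from the original post. The scratch repository, the key value and the function names are constructed for illustration, and git filter-repo is assumed to be installed for the rewrite step.

```shell
#!/bin/sh
# Added example: runs in a throwaway repo under mktemp, never a real one.
SECRET='CONSTRUCTED-KEY-0000-not-a-real-credential'   # constructed sample value

# Scratch repo: commit 1 leaks the key, commit 2 "removes" it from the file.
make_demo_repo() {
  repo=$(mktemp -d) && cd "$repo" && git init -q . || return 1
  git config user.name demo && git config user.email demo@example.invalid
  printf 'API_KEY=%s\n' "$SECRET" > config.env
  git add config.env && git commit -q -m 'add config'
  printf 'API_KEY=\n' > config.env
  git commit -q -a -m 'remove key from config'
}

# Oldest commit on any ref whose diff changes the number of occurrences.
introducing_commit() {
  git log --all --reverse --format=%H -S"$1" | head -n 1
}

# Number of commits reachable from any ref whose tree still holds the string.
commits_containing() {
  n=0
  for c in $(git rev-list --all); do
    if git grep -q -F -e "$1" "$c" --; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Rewrite all history with git filter-repo (a separate install, assumed present).
# --force is needed because the scratch repo is not a fresh clone.
scrub_with_filter_repo() {
  rules=$(mktemp) || return 1
  printf '%s==>***REMOVED***\n' "$1" > "$rules"
  git filter-repo --force --replace-text "$rules"
  rm -f "$rules"
}

make_demo_repo || exit 1
echo "introduced in: $(introducing_commit "$SECRET")"
echo "HEAD is clean, yet commits holding the key: $(commits_containing "$SECRET")"
if command -v git-filter-repo >/dev/null 2>&1; then
  scrub_with_filter_repo "$SECRET" >/dev/null
  echo "after filter-repo: $(commits_containing "$SECRET")"
fi
```

A zero count only describes the local refs: the remote still needs the force-push, and clones made earlier keep the old commits.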

Of course, rebase is not enough on its own. Teams need to enforce pre-commit hooks, automated scans, and masked output in CI/CD to stop secrets from ever reaching Git in the first place. Secrets detection and masking should happen before, during, and after commits.

You can waste hours setting up custom scripts and policies, or you can see it done right in minutes. Hoop.dev gives you secure, auditable, and automated secret masking without breaking your Git flow. Try it and watch your sensitive data disappear from history before it costs you.
