How can I prevent secrets from being exposed in a public repository?

[arlothehacker]

Select Topic Area

Question

Body

Hi everyone,

I’m working on a public repository and I want to make sure that no sensitive information (like API keys, tokens, or credentials) gets pushed accidentally.

I’m aware of .gitignore, but I’d like to understand what additional GitHub security features I should enable to prevent secret leaks.

Specifically:

Is GitHub Secret Scanning automatically enabled for public repositories?

How can I scan my existing commits for exposed secrets?

What are the best practices to securely manage environment variables in GitHub Actions?

I’ve searched for similar discussions but didn’t find a clear step-by-step explanation.

Any guidance or recommended workflow would be appreciated. Thanks!

[vishalxdevv]

Hi,

Great question — protecting secrets in a public repository is extremely important.

1️⃣ Is Secret Scanning automatically enabled?

Yes.
For public repositories, GitHub automatically enables Secret Scanning. It scans commits for known secret patterns (like API keys from AWS, Google, etc.).

For private repositories, Secret Scanning depends on your plan (GitHub Advanced Security required).

You can check it here:
Repository → Settings → Security & analysis

2️⃣ How to scan existing commits for exposed secrets?

GitHub automatically scans the entire commit history of public repositories.

If you want additional scanning:

Use tools like:

gitleaks

trufflehog

Run them locally to scan your full git history.

If a secret is already exposed:

Revoke/rotate the secret immediately.

Remove it from history using tools like git filter-repo or BFG Repo Cleaner.

Force push the cleaned history.

Important: Deleting the file is not enough. The secret still exists in git history unless rewritten.

3️⃣ Best practices for managing secrets in GitHub Actions

Do NOT store secrets in:

.env files committed to repo

Hardcoded values in workflows

Instead:

Go to:
Repository → Settings → Secrets and variables → Actions

Add your secrets there.

Access them in workflow like this:

env:
API_KEY: ${{ secrets.API_KEY }}
🔐 Additional Best Practices

Always use .gitignore for local config files.

Use environment-based secrets (Dev, Staging, Production).

Enable Dependabot alerts.

Enable branch protection rules.

Regularly rotate API keys.

[OracleBrain]

How can I prevent secrets from being exposed in a public repository?
The best way to prevent secrets (API keys, DB passwords, tokens, private keys) from leaking is to never commit them in the first place, and to add layers of protection so mistakes are caught early.
✅ 1) Never hardcode secrets in code
Don’t put secrets directly in:
source files (.js, .env, .json, etc.)
config files
build scripts
README examples
Instead use environment variables or a secrets manager.
✅ 2) Use .env files locally and ignore them
Create a local .env file for development, but never commit it:
.gitignore
.env
.env.*
*.pem
.key
.p12
secrets.
config/local.
Also commit an example file instead:
.env.example
API_URL=
JWT_SECRET=
DB_URL=
✅ 3) Store secrets in GitHub Secrets (not the repo)
For CI/CD and deployments:
Use GitHub Actions Secrets (Repository / Environment / Organization secrets)
Reference them in workflows via ${{ secrets.MY_SECRET }}
This keeps secrets out of code and out of git history.
✅ 4) Add secret scanning + push protection
Enable GitHub’s:
Secret scanning
Push protection (blocks commits containing known secret patterns)
This is one of the most effective safety nets for teams.
✅ 5) Use pre-commit hooks to block secrets before they get committed
Add tools like:
gitleaks
trufflehog
detect-secrets
This catches mistakes on your machine before they reach GitHub.
✅ 6) Keep production secrets in a proper secrets manager
For real apps (especially enterprise), use:
AWS Secrets Manager / Parameter Store
GCP Secret Manager
Azure Key Vault
HashiCorp Vault
Doppler / 1Password Secrets Automation
This avoids storing sensitive values in repos and reduces operational risk.
✅ 7) If a secret is leaked: rotate immediately (don’t just delete the file)
If a secret ever gets committed:
Revoke/rotate it immediately
Remove it from history (not just from latest commit) using tools like:
git filter-repo (recommended)
Invalidate sessions/tokens if relevant
Add scanning to prevent repeat incidents
Deleting a secret from a file does not remove it from git history.