I got a GitHub secret-scanning alert. How bad is it?

Short answer

Treat it as already compromised. GitHub's alert means a secret-shaped string was detected in a commit you pushed; if the repository is public, attacker-run scanners that watch new commits found it at about the same time (if it is private, the audience is smaller, but the secret is still in history for every collaborator and CI runner to read). Rotate the exposed key IMMEDIATELY, then rewrite the commit to remove the secret from history. Acknowledging the GitHub alert doesn't rotate the key; you have to do that yourself on the service that issued it.

GitHub's secret-scanning alert is simultaneously good news ('they caught it for you') and very bad news ('everyone else probably caught it too, including bots').

**The timeline you're racing** (rough figures for a public repository):

- Seconds 0-30: you push the commit. GitHub and a number of third-party scanner bots see the secret.
- Seconds 30-60: bots start testing the key against the issuer (OpenAI, Supabase, Stripe, etc.) to confirm it is live.
- Minutes 1-5: GitHub emails you the alert.
- Minutes 5-60: attacker bots start using the key for real on your account.

So by the time you read the alert email, attackers may already be using the key. Your job is to cut it off before they can do much.

**Rotation order, within minutes:**

1. Go to the service that issued the secret (e.g., the OpenAI dashboard).
2. Revoke the exposed key. (Most issuers let you create the replacement first, so the cut-over is a redeploy rather than an outage; keep that gap to minutes, not hours.)
3. Generate a new one.
4. Update it everywhere the old one lived: production env vars (Vercel / Netlify / direct), CI secrets, teammates' local `.env` files, any other service that was given the same key.
5. Redeploy if the platform doesn't hot-reload env vars.
6. Check usage, billing and any audit log on the issuer for the window between leak and revoke, so you know what the key was used for.

**After rotation, clean git history:**

- `git filter-repo --invert-paths --path <file-that-had-secret>` followed by a force-push removes that file from every commit. Use it only when the file should never have been committed; if the file must stay (a config with one bad line), use filter-repo's `--replace-text` mode to blank the secret instead.
- If the commit is recent and only on a branch you control, you can rebase the commit out entirely instead.
- Even deleted files stay in git history; the secret is recoverable until you rewrite history.
- Rewriting shared history means collaborators must re-clone or hard-reset, and on GitHub the old commits can stay reachable by SHA (and in forks and pull-request refs) until you ask GitHub Support to purge them. That is why rotation is what protects you; the rewrite is hygiene.

**Acknowledge on GitHub last.** The alert's "Close as" menu offers 'Revoked', 'False positive', 'Used in tests' and 'Won't fix'. Only mark it as revoked after you've actually rotated, not before; closing the alert changes nothing on the issuer's side.

Securie's free scan (launching this year) will walk your entire git history for any secrets GitHub's scanner missed. Join the list for a week-1 run. GitHub catches well-known key formats; it misses custom formats and non-prefixed tokens, and a full history scan finds what GitHub doesn't.
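To make both points above concrete (secrets survive in history after the file is deleted, and custom or non-prefixed tokens slip past prefix-only scanners), here is an added example of a small history scanner. It is not code from the original page and not Securie's or GitHub's scanner. It parses the output of `git log -p --all`, looks first for a few illustrative prefixed formats, and then falls back to a secret-looking variable name assigned a long, high-entropy value. The patterns, the 3.5 bits-per-character threshold and the constructed sample log are all assumptions chosen for illustration.

```python
"""Scan git history for secrets, including non-prefixed tokens (added example)."""
import math
import re
import subprocess
import sys
from collections import Counter

# Illustrative prefixed formats; an assumption, not a complete catalogue of issuers.
KNOWN_PATTERNS = {
    "openai_key": re.compile(r"sk-[A-Za-z0-9_-]{20,}"),
    "stripe_live_key": re.compile(r"[sr]k_live_[A-Za-z0-9]{16,}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}

# A secret-looking name assigned a long opaque value: the custom-format case.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits/char (assumed); random base62 of 20+ chars sits well above it


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the given string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(log_text: str) -> list[dict]:
    """Parse `git log -p --all` output and return one finding per suspicious added line.

    Only '+' lines are examined: a secret that was deleted later still sits in the
    commit that introduced it, and that commit's diff shows it as an added line.
    """
    findings = []
    commit = path = None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
            continue
        m = re.match(r"^diff --git a/(.*?) b/(.*)$", line)
        if m:
            path = m.group(2)
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for kind, pattern in KNOWN_PATTERNS.items():
            hit = pattern.search(added)
            if hit:
                findings.append({"commit": commit, "path": path, "kind": kind, "match": hit.group(0)})
                break
        else:
            hit = ASSIGNMENT.search(added)
            if hit and shannon_entropy(hit.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"commit": commit, "path": path,
                                 "kind": "high_entropy_assignment", "match": hit.group(1)})
    return findings


def scan_repo(repo_dir: str = ".") -> list[dict]:
    """Run the scan over every ref of a real repository (needs git on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color", "--no-decorate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_secrets(out)


# Constructed sample log: one commit adds a config file with three values, the next deletes it.
# The tokens are made up; the 32-char INTERNAL_TOKEN has 32 distinct characters (entropy 5.0).
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    add config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,3 @@
+OPENAI_KEY = "sk-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+INTERNAL_TOKEN = "Xk9vQ2mLp7RtW4yZbN8cHd3FgJ6sA1eU"
+DB_PASSWORD = "placeholderplaceholder"
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.com>

    remove config

diff --git a/config.py b/config.py
--- a/config.py
+++ /dev/null
@@ -1,3 +0,0 @@
-OPENAI_KEY = "sk-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-INTERNAL_TOKEN = "Xk9vQ2mLp7RtW4yZbN8cHd3FgJ6sA1eU"
-DB_PASSWORD = "placeholderplaceholder"
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_repo(target) if target else find_secrets(SAMPLE_LOG)
    for f in results:
        print(f"{f['commit'][:12]} {f['path']}: {f['kind']} ({f['match'][:6]}...)")
```

Run it with no arguments to see the sample: the deleted config still yields two findings in the first commit, the prefixed OpenAI-style key and the custom INTERNAL_TOKEN, while the low-entropy placeholder password is ignored. Pass a repository path to scan real history; running it after a `git filter-repo` rewrite and getting zero findings is the check that the rewrite actually removed the value.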
