I pushed my .env file to GitHub. How do I fix it?

Short answer

Assume every key in that file is already compromised — bots scan GitHub for new commits in under 30 seconds. Rotate every single key right now, then delete the file from git history. Removing the file from the repo is not enough; the keys are in the commit log.

Speed matters here: if your repo is public and the commit is more than 60 seconds old, treat every key as already stolen.

**Step 1: rotate every key in the file, right now.** Don't delete first; rotate first. Supabase service-role key, OpenAI, Stripe secret key, Anthropic, Resend, SendGrid, AWS access keys, any of them. Every one of these platforms has a revoke-and-regenerate option in its dashboard.

**Step 2: remove it from git history.** Deleting the file with `git rm` only removes it from the current tree; every earlier commit still contains it, readable with `git log -p`. Use `git filter-repo` or BFG Repo-Cleaner to rewrite history, then force-push. If the repo is young, it is simpler to delete it, create a new one and push a clean tree. Either way, old commits can survive in forks, other clones and cached pull-request views on GitHub, which is one more reason rotation comes first.

**Step 3: make it impossible to repeat.** Add `.env*` to `.gitignore` and keep a `.env.example` with placeholder values so the real file never needs to be tracked. Install git-secrets or gitleaks locally, ideally as a pre-commit hook. On GitHub, enable push protection for secret scanning so the platform rejects pushes containing known key formats.
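Steps 2 and 3 as one runnable walk-through. This is an added example, not part of the original answer: it builds a throwaway repo in a temp directory with a constructed fake key and a made-up `dev@example.invalid` identity, shows that `git rm` leaves the key readable in `git log -p`, rewrites history with `git filter-repo` when it is installed (falling back to the built-in `git filter-branch` otherwise), then adds the `.gitignore` rule and a minimal pre-commit hook standing in for gitleaks or git-secrets. Step 1, the key rotation, happens in each provider's dashboard and is not scriptable here; the force-push is shown only as a comment because the demo repo has no remote.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Builds a throwaway repo in a temp
# directory and walks Steps 2 and 3: prove `git rm` leaves the key in history, rewrite
# history, then make a repeat impossible. Rotate the real keys (Step 1) in each
# provider's dashboard before any of this.
set -eu

# Constructed, fake key value; it only has to be recognisable in `git log -p`.
FAKE_KEY="sk-CONSTRUCTED-EXAMPLE-NOT-A-REAL-KEY-0000"

# Create a repo where .env was committed by mistake and then "removed" with git rm.
make_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "dev@example.invalid"   # assumed identity for the demo
  git -C "$dir" config user.name "Example Dev"
  printf 'OPENAI_API_KEY=%s\n' "$FAKE_KEY" > "$dir/.env"
  printf 'console.log("app")\n' > "$dir/app.js"
  git -C "$dir" add .env app.js
  git -C "$dir" commit -q -m "initial commit (accidentally includes .env)"
  git -C "$dir" rm -q .env
  git -C "$dir" commit -q -m "remove .env"     # the key is still in the first commit
  echo "$dir"
}

# Exit 0 if the fake key is readable anywhere in reachable history, 1 otherwise.
secret_in_history() {
  git -C "$1" log --all -p | grep -q "$FAKE_KEY"
}

# Rewrite history so .env never existed. Prefers git-filter-repo (as the answer
# recommends); falls back to the built-in, deprecated git filter-branch otherwise.
purge_env_from_history() {
  local dir="$1"
  if command -v git-filter-repo >/dev/null 2>&1; then
    git -C "$dir" filter-repo --force --quiet --invert-paths --path .env
  else
    ( cd "$dir" && FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f \
        --index-filter 'git rm --cached --ignore-unmatch -q .env' -- --all >/dev/null )
    # filter-branch keeps the old commits under refs/original/; delete that backup.
    git -C "$dir" for-each-ref --format='%(refname)' refs/original/ |
      while read -r ref; do git -C "$dir" update-ref -d "$ref"; done
  fi
  # Reflogs and unreferenced objects still hold the old commits until expired and pruned.
  git -C "$dir" reflog expire --expire=now --all
  git -C "$dir" gc -q --prune=now
  # On a real repo, replace the remote history next: git push --force --all && git push --force --tags
}

# Step 3: ignore every .env variant and install a pre-commit hook that refuses to
# commit one (a tiny stand-in for git-secrets/gitleaks; use the real tools as well).
harden_repo() {
  local dir="$1"
  printf '.env*\n!.env.example\n' >> "$dir/.gitignore"
  cat > "$dir/.git/hooks/pre-commit" <<'EOF'
#!/bin/sh
# Refuse any staged path named .env or .env.<anything>, except the placeholder .env.example.
if git diff --cached --name-only | grep -E '(^|/)\.env(\.[^/]*)?$' | grep -qv '\.env\.example$'; then
  echo "pre-commit: refusing to commit a .env file; keep secrets out of git" >&2
  exit 1
fi
EOF
  chmod +x "$dir/.git/hooks/pre-commit"
  git -C "$dir" add .gitignore
  git -C "$dir" commit -q -m "ignore .env files"
}

# Exit 0 if the hook blocks re-adding .env (even with `git add -f`), 1 if it slipped through.
hook_blocks_env() {
  local dir="$1"
  printf 'STRIPE_SECRET_KEY=constructed-not-real\n' > "$dir/.env"
  git -C "$dir" add -f .env                      # -f: bypass .gitignore on purpose
  if git -C "$dir" commit -q -m "oops again" 2>/dev/null; then
    return 1
  fi
  git -C "$dir" reset -q -- .env                 # unstage it again
  rm -f "$dir/.env"
}

main() {
  local repo
  repo=$(make_repo)
  secret_in_history "$repo" && echo "after git rm: key is still readable in history"
  purge_env_from_history "$repo"
  secret_in_history "$repo" || echo "after history rewrite: key is gone"
  harden_repo "$repo"
  hook_blocks_env "$repo" && echo "pre-commit hook blocked re-adding .env"
  rm -rf "$repo"
}
main
```

The `reflog expire` and `gc --prune=now` lines are the part people skip: without them the old commits stay on disk and, with `filter-branch`, under `refs/original/`, so a local scan still finds the key. `git-filter-repo` does that cleanup itself, which is one reason the answer prefers it.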

Securie's free scan (launching this year) will walk your entire commit history looking for keys you may have missed — not just the ones in the latest commit. Get on the list and we'll run it on your repo in week 1. Many founders push the fix, miss an older commit, and stay compromised for months.
