How to Scan Git History for Leaked Secrets

Why Do Secrets Persist in Git History After Deletion?

Secrets persist in git history because git stores every version of every file in the commit log. Deleting a secret from the current codebase removes it from the working tree but leaves it accessible in the repository's commit history, where anyone with clone access can retrieve it using git log or git show.

Git is a content-addressable storage system. Every commit records a complete snapshot of the repository state. A file containing an API key in commit abc1234 retains that key in the commit object permanently, even if subsequent commits remove the key from the file.

Force-pushing with history rewriting (git filter-branch or git filter-repo) can remove secrets from history, but every existing clone and fork still contains the original commits. The only reliable remediation is key rotation: revoking the exposed credential and generating a new one.

How Does Vibe Owl Scan Git History for Secrets?

Vibe Owl scans git history by running git log -p across the last 80 commits (configurable 10–500), parsing diff hunks to extract exact file paths and line numbers, and applying secret detection rules against added lines in each commit diff.

The "Vibe Owl: Scan Git History for Secrets" command retrieves commit diffs and scans added lines (lines starting with +) against five secret detectors: OpenAI API keys, GitHub tokens, AWS access key IDs, private key blocks, and generic secret assignments. Code-risk and malware rules are not applied to history scans.

Each finding includes the commit SHA, file path, line number, detector rule, and confidence score. Findings are deduplicated across commits — a key that appears in multiple commits is reported once. Results are cached (v2 cache format) and automatically invalidated when new commits are added to the repository.
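The mechanism described above, as an added example that is not Vibe Owl's own code: it parses `git log -p` output, keeps track of the post-image line number through each hunk header, runs regex detectors only over added (+) lines, reports each (rule, value) pair once across commits, and caps the result at 120 findings. The detector patterns, the confidence values, and the policy that a structured match suppresses the generic rule on the same line are simplified assumptions, not the extension's real rule set; the sample log and the key values in it are constructed.

```python
# Added example, not Vibe Owl's own code: parse `git log -p` text, track the post-image line
# number through each hunk, run regex detectors over added ('+') lines and report each secret
# once. Patterns, confidences and the "structured rule suppresses the generic rule" policy are
# simplified assumptions, not the extension's real rule set.
import re
import subprocess
from collections import namedtuple

Finding = namedtuple("Finding", "commit path line rule confidence value")
DETECTORS = [  # (rule, pattern, assumed confidence); the generic rule is deliberately last
    ("openai_api_key", re.compile(r"sk-[A-Za-z0-9]{48}"), 0.9),
    ("github_token", re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"), 0.9),
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}"), 0.9),
    ("private_key_block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"), 0.95),
    ("generic_secret_assignment",
     re.compile(r"""(?i)(?:secret|password|passwd|token|api[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]"""), 0.5),
]
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")  # '+++ /dev/null' (deleted file) yields no path
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def detect(content):
    """Detector hits for one added line (leading '+' stripped) as (rule, confidence, value)."""
    hits = []
    for rule, rx, conf in DETECTORS:
        if rule == "generic_secret_assignment" and hits:
            break  # a structured key already explains this line; skip the noisy rule
        for m in rx.finditer(content):
            hits.append((rule, conf, m.group(m.lastindex or 0)))
    return hits

def scan_git_log(text, max_findings=120):
    """Parse `git log -p` output into Findings, capped at max_findings (the page's limit)."""
    findings, seen = [], set()  # seen = (rule, value): first occurrence in log order wins
    commit = path = None
    new_line = None  # next post-image line number; None while outside a hunk
    for raw in text.splitlines():
        m = COMMIT_RE.match(raw)
        if m:
            commit, path, new_line = m.group(1), None, None
            continue
        if raw.startswith("diff --git"):
            path, new_line = None, None
            continue
        h = HUNK_RE.match(raw)
        if h:
            new_line = int(h.group(1))
            continue
        if new_line is None:  # commit header, message body or diff header lines
            f = FILE_RE.match(raw)
            if f:
                path = f.group(1)
            continue
        if raw.startswith("+"):  # added line: scan it, then advance the counter
            if path is not None:
                for rule, conf, value in detect(raw[1:]):
                    if (rule, value) not in seen:
                        seen.add((rule, value))
                        findings.append(Finding(commit, path, new_line, rule, conf, value))
            new_line += 1
        elif raw.startswith(" "):  # context line: in the post-image, not scanned
            new_line += 1
        # removed ('-') lines and '\ No newline at end of file' do not advance the counter
    return findings[:max_findings]

def scan_repo(repo, depth=80, rev_range=None):
    """git log -p over the last `depth` commits (clamped to 10-500) or an explicit range."""
    cmd = ["git", "-C", repo, "log", "-p", "--no-color", "--no-ext-diff",
           f"--max-count={max(10, min(depth, 500))}"] + ([rev_range] if rev_range else [])
    return scan_git_log(subprocess.run(cmd, capture_output=True, text=True,
                                       errors="replace", check=True).stdout)

# Constructed sample log (newest commit first) with obviously fake values.
FAKE_OPENAI = "sk-" + "0123456789abcdef" * 3  # 48 characters after the prefix
SAMPLE_LOG = f"""commit {'b' * 40}

    read key from env, add notes

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
 import os
-OPENAI_API_KEY = "{FAKE_OPENAI}"
+OPENAI_API_KEY = os.environ["OPENAI_API_KEY"]
 AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
diff --git a/notes.md b/notes.md
--- /dev/null
+++ b/notes.md
@@ -0,0 +1,2 @@
+password = "hunter2hunter2"
+Rotate {FAKE_OPENAI} before release
commit {'a' * 40}

    add config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,3 @@
+import os
+OPENAI_API_KEY = "{FAKE_OPENAI}"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""
```

Running `scan_git_log(SAMPLE_LOG)` yields three findings: the generic password and the OpenAI key in notes.md from the newer commit, and the AWS key from the older commit. The OpenAI key in the older commit is not reported a second time, the removed line in the fix commit is never scanned, and the context lines still advance the line counter so that the AWS key is reported at config.py line 3. `scan_repo(".")` runs the same parser over a live repository with the page's default depth of 80; pass `rev_range="main..HEAD"` for a targeted scan.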

How Do You Configure the Scan Depth and Range?

The scan depth defaults to 80 commits and is configurable from 10 to 500 through vibeOwl.advanced.gitHistoryCommitDepth. Custom revision ranges like main..HEAD are supported through vibeOwl.advanced.gitHistoryRange for targeted scanning of specific branches.

Scanning the last 80 commits covers approximately 2–4 weeks of active development in most repositories. Increasing the depth to 200–500 commits is recommended for initial onboarding scans when joining an existing project or auditing a repository for the first time.

Custom revision ranges enable targeted scanning. Setting the range to main..HEAD scans only commits on the current branch that have not been merged to main. Setting it to HEAD~20..HEAD scans the last 20 commits regardless of branch boundaries. The maximum findings per scan is capped at 120.

What Should You Do When Git History Contains Leaked Secrets?

Leaked secrets found in git history require immediate key rotation: revoke the exposed credential in the provider dashboard, generate a replacement, update all systems referencing the old key, and verify no unauthorized access occurred. History rewriting alone is insufficient because clones and forks retain the original commits.

The "Vibe Owl: Open Key Rotation Playbooks" command provides step-by-step guides for OpenAI, GitHub, and AWS keys. API key rotation best practices cover the provider-specific revocation process, new key generation, system update procedures, post-rotation verification, and access log auditing.

After rotating credentials, run "Vibe Owl: Run Post-Rotation Rescan" to chain workspace scanning, git history scanning, and staged diff preview. The rescan verifies the old key no longer appears in current files and confirms that no new instances have been introduced. Preventing future API key leaks requires establishing git hooks and preflight checks as permanent workflow steps.

How Does Git History Scanning Fit into the Preflight Check?

Git history scanning feeds into the preflight check as one of five independent modules. The preflight check aggregates code safety, staged diff risk, git history findings, dependency risk, and env hygiene into a single PASS/FAIL gate. History findings of high or critical severity cause the preflight to fail.

The preflight check runs all five modules with a single command. A developer preparing to push code runs "Vibe Owl: Run Preflight Check" and receives a consolidated result. If git history contains leaked secrets that have not been rotated, the preflight fails with a clear explanation of which commits contain which secrets.

Preventing secrets from reaching git combines live scanning (detection at creation), git hooks (detection at commit), and history scanning (detection of past leaks) into a complete defense system. Each layer covers a different phase of the development lifecycle.
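The gate described in the three paragraphs above, as an added example that is not Vibe Owl's own code: five module results are aggregated into a single PASS/FAIL verdict, and blocking git history findings are explained per commit. The module names follow the page; the finding dictionary shape, the severity names, applying the same high/critical threshold to every module, and failing the gate when a module did not run are assumptions. The sample results are constructed.

```python
# Added example, not Vibe Owl's own code: a PASS/FAIL gate over the five preflight modules named
# on the page. The finding shape, the severity names, the uniform threshold and the "a module
# that did not run fails the gate" rule are assumptions; only "high or critical git history
# findings fail the preflight" comes from the page.
from collections import defaultdict

MODULES = ("code_safety", "staged_diff", "git_history", "dependency_risk", "env_hygiene")
BLOCKING = {"high", "critical"}

def preflight(results):
    """results: {module: [finding, ...]}; each finding is a dict with 'severity' and, for
    git_history, 'commit', 'path', 'line' and 'rule'. Returns (verdict, reasons)."""
    reasons = [f"{m}: module did not run" for m in MODULES if m not in results]  # fail closed
    for module in MODULES:
        blocking = [f for f in results.get(module, []) if f.get("severity") in BLOCKING]
        if not blocking:
            continue
        if module == "git_history":  # say which commits contain which secrets
            by_commit = defaultdict(list)
            for f in blocking:
                by_commit[f["commit"][:7]].append(f"{f['rule']} at {f['path']}:{f['line']}")
            for sha, items in sorted(by_commit.items()):
                reasons.append(f"git_history: commit {sha} contains " + "; ".join(items))
        else:
            reasons.append(f"{module}: {len(blocking)} high/critical finding(s)")
    return ("FAIL" if reasons else "PASS"), reasons

# Constructed module outputs: only git history carries blocking findings.
SAMPLE_RESULTS = {
    "code_safety": [{"severity": "low", "rule": "eval_usage"}],
    "staged_diff": [],
    "git_history": [
        {"severity": "critical", "commit": "a" * 40, "path": "config.py", "line": 2, "rule": "openai_api_key"},
        {"severity": "critical", "commit": "a" * 40, "path": "config.py", "line": 3, "rule": "aws_access_key_id"},
        {"severity": "medium", "commit": "b" * 40, "path": "notes.md", "line": 1, "rule": "generic_secret_assignment"},
    ],
    "dependency_risk": [{"severity": "medium", "rule": "outdated_package"}],
    "env_hygiene": [],
}

if __name__ == "__main__":
    verdict, reasons = preflight(SAMPLE_RESULTS)
    print(verdict, *reasons, sep="\n")
```

With the sample results the verdict is FAIL, and the single reason names commit aaaaaaa with both secrets and their file:line positions; the medium-severity generic finding and the medium dependency finding do not block. An empty result set for all five modules passes, while a result set with a module missing fails, so a module that crashed cannot silently turn into a PASS.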

How Does Vibe Owl Compare to CLI Tools for Git History Scanning?

Vibe Owl provides git history scanning inside VS Code and Cursor with inline results, caching, and integration with the preflight workflow. CLI tools like TruffleHog and Gitleaks require terminal execution, produce standalone output, and do not integrate with editor diagnostics or git hook workflows.

TruffleHog scans git repositories from the command line with broad pattern coverage but requires manual result interpretation. Gitleaks runs as a pre-commit hook or CI step but does not provide editor-integrated results. Both tools operate independently from the development workflow.

Vibe Owl's history scanning is one component of a unified VS Code security extension that covers the full security surface: live scanning, code-risk heuristics, dependency auditing, env safety, host health, and malware detection. The integrated approach ensures that history scan results inform the preflight gate and the workspace health score without requiring developers to context-switch between tools.

Marcel Iseli

Founder of Vibe Owl · Software Developer

Marcel Iseli is a software developer and the creator of Vibe Owl. He built the extension after exposing his own API keys during an early vibe coding session and decided the tooling gap was worth fixing.
