This guide explains how to use BFG Repo-Cleaner to rewrite your Git repository's history to remove sensitive data (like passwords, API keys, or IP addresses) and unwanted files. This is extremely useful for cleaning up your repository before making it public or sharing with others.
- Backup your repository before running BFG. History rewriting is destructive.
- Coordinate with collaborators. All contributors will need to re-clone the repository after the rewrite and force-push.
- Use on a fresh clone or bare repo for best results.
a. Create a replacements file:
echo 'SECRET_STRING==>REMOVED' > replacements.txtb. Run BFG with --replace-text:
java -jar bfg-1.14.0.jar --replace-text replacements.txt .gitc. Clean up:
git reflog expire --expire=now --all && git gc --prune=now --aggressivea. Remove by filename (anywhere in repo):
java -jar bfg-1.14.0.jar --delete-files "secrets.txt" .gitb. Remove by path/pattern:
java -jar bfg-1.14.0.jar --delete-files "path/to/file.txt" .git
java -jar bfg-1.14.0.jar --delete-files "*.pem" .gitAfter running BFG, the files may still exist in the latest commit. Remove them manually:
rm path/to/your/file.txt
# or use git rm
git rm --cached path/to/your/file.txt
git commit -m "Remove sensitive files from current commit"git push --force origin mainAll collaborators must re-clone or reset their local history.
git log --all --full-history -- "yourfile.txt"
git log --all -S "SECRET_STRING"Both commands should return no results if the cleanup was successful.
Tip: For large or complex repositories, read the BFG manual and consider extra care with protected branches and remotes.