# Security Incident Response: Leaked Secrets

This guide describes immediate actions for accidental commits of secrets or API keys.
## Revoke the leaked secret

Determine what was leaked and revoke it at the provider:

**API Keys:**

- Brave Search API: https://brave.com/search/api → Revoke
- Serper API: https://serper.dev/dashboard → Delete
- GitHub Tokens: https://github.com/settings/tokens → Delete Token

**Passwords:**

- Change ALL affected passwords immediately
- End ALL sessions
## Clean the Git history

⚠️ Important: Permanently changes Git history!

**Option A: BFG Repo-Cleaner**

```bash
# Keep an untouched backup before rewriting anything
git clone --mirror https://github.com/arn-c0de/Crawllama.git crawllama-backup
# Work on a second mirror clone; passwords.txt lists one leaked value per line
git clone --mirror https://github.com/arn-c0de/Crawllama.git crawllama.git
bfg --replace-text passwords.txt crawllama.git
cd crawllama.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push --force
```
**Option B: git-filter-repo**

```bash
pip install git-filter-repo
# One expression per line; a bare string is replaced with ***REMOVED***
# (abc123xyz stands for the leaked value)
echo "BRAVE_API_KEY=abc123xyz" > secrets.txt
git filter-repo --replace-text secrets.txt
# filter-repo removes the origin remote to prevent accidental pushes; re-add it
git remote add origin https://github.com/arn-c0de/Crawllama.git
git push --force
```
**Option C: Drop the affected commits**

```bash
# Only if the secret is in the latest commit
git reset --hard HEAD~1
git push --force
# or interactive rebase
git rebase -i HEAD~10
# "drop" affected commits
git push --force
```
## Rotate secrets and protect .env

```bash
# Generate new API keys
echo "BRAVE_API_KEY=new_key_here" >> .env
echo "SERPER_API_KEY=new_key_here" >> .env
# Ensure .env is ignored
echo ".env" >> .gitignore
git add .gitignore
git commit -m "chore: ensure .env is in .gitignore"
```
## Notify the team

Create GitHub Security Advisory or private issue. Example notification:

```markdown
🚨 CRITICAL: Secret Leak

A secret was accidentally committed.

**Affected:**
- API Key: Brave Search API
- Commit: abc123
- Exposed: 2025-01-25 10:30 UTC

**Actions Taken:**
✅ Secret revoked
✅ Git history cleaned
✅ New secret generated

**Required Actions:**
- Pull latest changes
- Update .env with new keys
- Verify no local copies of old keys
```
## Prevention

**Pre-commit hooks:**

```bash
pip install pre-commit detect-secrets
cat > .pre-commit-config.yaml << EOF
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: detect-private-key
      - id: check-added-large-files
        args: ['--maxkb=1000']
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
EOF
pre-commit install
# Create the baseline before the first commit so the hook has something to compare against
detect-secrets scan > .secrets.baseline
```
**.gitignore:**

```bash
cat >> .gitignore << EOF
.env
*.key
*.pem
*.p12
*.pfx
secrets/
credentials/
*.backup
*.bak
*~
logs/*.log
EOF
```
**CI secret scanning:**

```yaml
# .github/workflows/secret-scan.yml
name: Secret Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full history so the whole repo is scanned
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
**.env.example:** commit a template instead of the real `.env`:

```bash
cat > .env.example << EOF
BRAVE_API_KEY=your_brave_api_key_here
SERPER_API_KEY=your_serper_api_key_here
HTTP_PROXY=
HTTPS_PROXY=
DEBUG=false
EOF
```
## Verify nothing remains

```bash
# Search the whole history for the key name
git log -S "BRAVE_API_KEY" --all
# Search the working tree
grep -r "password" .
grep -r "BEGIN.*PRIVATE KEY" .
# Full scan with Gitleaks
gitleaks detect --source . --verbose
gitleaks detect --source . --report-path gitleaks-report.json
```
## Contacts

| Role | Responsibility | Contact |
|---|---|---|
| Security Lead | Coordination | crawllama.support@protonmail.com |
| DevOps | History cleanup | crawllama.support@protonmail.com |
| API Owner | Key rotation | Service provider |

Contact immediately for leaks: 📧 crawllama.support@protonmail.com
## Incident report template

```markdown
# Incident Report: Secret Leak

**Date:** 2025-01-25
**Severity:** HIGH
**Status:** RESOLVED

## Summary
API Key accidentally committed.

## Timeline
10:30 - Commit with secret pushed
10:32 - Leak detected
10:35 - Secret revoked
10:45 - Git history cleaned
11:00 - New secret deployed
11:15 - All systems operational

## Root Cause
.env was not listed in .gitignore

## Actions Taken
✅ Secret revoked
✅ Git history cleaned
✅ New secret generated
✅ Team notified
✅ Pre-commit hooks installed

## Prevention
- Pre-commit hooks mandatory
- Developer training
- .gitignore review
- .env.example kept current
```

## Tools

| Tool | Purpose | Link |
|---|---|---|
| BFG Repo-Cleaner | Git history cleanup | GitHub |
| git-filter-repo | Advanced history rewrite | GitHub |
| Gitleaks | Secret detection | GitHub |
| detect-secrets | Pre-commit hook | GitHub |
| truffleHog | Secret scanner | GitHub |
For active leaks: Report Security Advisory