Step-by-step guide to hide sensitive files from GitHub. Learn how to update your .gitignore, remove tracked files, secure secrets, and protect your repository.
Step 1: Initialize your local Git repository
First, ensure you have Git installed on your machine. Open your terminal or command prompt and navigate to your project directory. If your project isn’t under version control yet, initialize it:
git init
This command creates a hidden .git folder that Git uses to track changes.
Step 2: Create or update your .gitignore file
A .gitignore file tells Git which files or directories to ignore. In your project root, create (or open) .gitignore:
touch .gitignore
Edit .gitignore and add patterns for the files you want to hide. For example, to ignore environment files and logs:
# Environment variables
.env
# Log files
logs/
*.log
# Build artifacts
dist/
build/
Step 3: Verify .gitignore patterns
Make sure your patterns match the actual file paths. You can test whether Git will ignore a file using:
git check-ignore -v path/to/your/file
If the file appears in the output, it's correctly ignored. Otherwise, adjust your .gitignore entries.
Step 4: Remove already-tracked sensitive files from Git history
If you've already committed sensitive files, Git will continue tracking them despite your .gitignore. To untrack them without deleting them locally:
git rm --cached path/to/sensitive.file
git commit -m "Remove sensitive file from tracking"
Use wildcards if you need to untrack multiple files:
# Quote the pattern so Git expands it (in subdirectories too), not the shell
git rm --cached '*.key'
git commit -m "Stop tracking all .key files"
Step 5: Rewrite Git history for thorough removal (optional)
To scrub sensitive data from previous commits, use the BFG Repo-Cleaner or git filter-branch. Example with BFG:
# Download BFG jar, then:
java -jar bfg.jar --delete-files YOUR_SECRET_FILE
git reflog expire --expire=now --all && git gc --prune=now --aggressive
git push --force
Always back up your repository before rewriting history. Force-push only if you understand the implications: it replaces history that collaborators may already have pulled.
Step 6: Commit your changes and push to GitHub
After updating .gitignore and removing tracked files, commit and push:
git add .gitignore
git commit -m "Add .gitignore and remove sensitive files from tracking"
git push origin main
Replace main with your branch name if it is different.
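The whole procedure from Step 1 to Step 6, run end to end in a throwaway repository, as an added example that is not part of the original article. A local bare repository stands in for GitHub so it runs offline; the file names, commit messages, helper names and the git filter-branch command (used here in place of BFG, which the article shows, because it ships with Git) are this example's own. It also shows why Step 5 matters: after Step 4 the latest commit is clean, but the secret is still in the first commit on the remote. Whatever the scrub achieves, a secret that has reached a remote should be treated as exposed and rotated.

```shell
#!/bin/sh
# Added example (not from the original article): Steps 1-6 run end to end in a
# throwaway repository. A local bare repository plays the part of GitHub, and
# git filter-branch (named in Step 5) stands in for BFG so only git is needed.
# File names, commit messages and helper names are this example's own.
set -eu

# Every path that appears in any commit reachable from main in the repository at $1.
history_files() {
  git --git-dir="$1" log --format= --name-only main | grep . | sort -u | tr '\n' ' '
}

demo_hide_secret() {
  work=$(mktemp -d)
  remote=$(mktemp -d)
  (
    cd "$work"
    # Step 1: new repository on a branch called main, as in the article.
    git init -q
    git symbolic-ref HEAD refs/heads/main
    git config user.name demo
    git config user.email demo@example.com

    # Constructed sample project: one source file and a secret that must not ship.
    printf 'print("hello")\n' > app.py
    printf 'API_KEY=constructed-placeholder-not-a-real-key\n' > .env
    git add .
    git commit -q -m "Initial commit (mistakenly includes .env)"

    # Step 6, first push: the mistake reaches the "remote".
    git init -q --bare "$remote"
    git remote add origin "$remote"
    git push -q origin main

    # Step 2: add the ignore pattern.
    printf '# Environment variables\n.env\n' > .gitignore

    # Step 3: verify it. check-ignore normally skips files that are still
    # tracked, so --no-index is needed here because .env is not untracked yet.
    git check-ignore -q --no-index .env

    # Step 4: stop tracking the file but keep it on disk.
    git rm -q --cached .env
    test -f .env
    git add .gitignore
    git commit -q -m "Add .gitignore and remove sensitive files from tracking"
    git push -q origin main

    # The tip is clean now, but the first commit on the remote still has .env.
    printf 'before-scrub: %s\n' "$(history_files "$remote")"

    # Step 5: rewrite every commit so .env never existed, then force-push.
    FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch \
      --index-filter 'git rm -q --cached --ignore-unmatch .env' -- --all >/dev/null
    git push -q --force origin main

    printf 'after-scrub: %s\n' "$(history_files "$remote")"
  )
  rm -rf "$work" "$remote"
}

demo_hide_secret
```

Running it prints two lines: the before-scrub list contains .env alongside app.py and .gitignore, the after-scrub list does not. The --no-index flag on git check-ignore is the detail most people trip over: without it, Step 3 reports nothing for a file that is still tracked, which is exactly the situation in Step 4.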
Step 7: Use GitHub Secrets for sensitive environment variables
Instead of committing .env files or API keys, store them securely in GitHub: in your repository settings, create a new Actions secret, give it a name (for example API_KEY) and paste the value. In your GitHub Actions workflow, access it using:
env:
  API_KEY: ${{ secrets.API_KEY }}
Step 8: Encrypt files with git-crypt (advanced)
If you need to keep encrypted files in the repo, git-crypt can transparently encrypt and decrypt them based on GPG keys:
# Install git-crypt
brew install git-crypt # macOS
sudo apt-get install git-crypt # Ubuntu
# Initialize and grant access
git-crypt init
git-crypt add-gpg-user --trusted USER_ID
Then add patterns to .gitattributes:
secrets/*.key filter=git-crypt diff=git-crypt
Step 9: Regularly audit your repository
Run git status to verify no sensitive files are staged. Use tools such as truffleHog or git-secrets to scan for passwords or keys:
# Install git-secrets
brew install git-secrets
# Set up in your repo
git secrets --install
git secrets --register-aws
git secrets --scan
Step 10: Educate your team and automate checks
Document your .gitignore conventions in your project README. Add Git hooks (for example with husky or pre-commit) to prevent committing secrets.