Security pings you: "An AWS key for our org just showed up in a public repo scan." Now you need three things in this order:
- Which commit introduced it?
- Is it still in the working tree, or just in history?
- How do we remove it from history? (next lesson)
For step 1, pickaxe is the right tool — but you want it across all refs, with the patch shown inline:
git log --all -p -S"AKIA1234EXAMPLE"
That gives you every commit where that literal token's count changed, with the diff inline. The oldest match is when it entered.
If you only have a shape (you don't know the exact value because it's already been rotated), use regex pickaxe:
git log --all -p -G"AKIA[0-9A-Z]{16}"
git log --all -p -G"-----BEGIN (RSA |OPENSSH )?PRIVATE KEY-----"
git log --all -p -G"ghp_[A-Za-z0-9]{36}" # GitHub PAT
Add --name-only first to get a quick file list, then -p once you've narrowed down.
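To see the two searches above at work, here is an added example (not code from the lesson): it builds a throwaway repo containing a constructed, non-functional AKIA-shaped string, then finds the introducing commit with literal pickaxe (-S), counts the commits a shape search (-G) turns up, and checks whether the value is still in the working tree. The commit subjects, the fake key and the repo layout are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the lesson. Builds a throwaway repo with a
# constructed, non-functional key, then answers the first two questions above:
# which commit introduced it, and whether it is still in the working tree.
set -eu

FAKE_KEY="AKIA0000EXAMPLEKEY00"   # constructed: 'AKIA' + 16 chars, not a real credential
AKIA_SHAPE='AKIA[0-9A-Z]{16}'     # the shape pattern from the lesson, for -G

# make_repo: four commits on one branch; the key is added in the 2nd and
# deleted again in the 4th. Prints the repo path.
make_repo() {
    dir=$(mktemp -d)
    g="git -C $dir -c user.name=demo -c user.email=demo@example.invalid"
    $g init -q
    printf 'region=us-east-1\n' > "$dir/config.ini"
    $g add config.ini; $g commit -q -m "initial config"
    printf 'aws_access_key_id=%s\n' "$FAKE_KEY" >> "$dir/config.ini"
    $g add config.ini; $g commit -q -m "add deploy creds"   # the leak
    printf 'debug=false\n' >> "$dir/config.ini"
    $g add config.ini; $g commit -q -m "tweak config"
    grep -v "$FAKE_KEY" "$dir/config.ini" > "$dir/.tmp"; mv "$dir/.tmp" "$dir/config.ini"
    $g add config.ini; $g commit -q -m "remove creds"       # deleting it later does not contain the leak
    echo "$dir"
}

# introducing_commit REPO NEEDLE: subject of the oldest commit on any ref whose diff
# changed the number of occurrences of NEEDLE (literal pickaxe, -S).
introducing_commit() {
    git -C "$1" log --all --topo-order --format=%s -S"$2" | tail -n 1
}

# commits_matching_shape REPO REGEX: how many commits add or remove a line matching
# REGEX (regex pickaxe, -G). Both the introducing and the deleting commit count.
commits_matching_shape() {
    git -C "$1" log --all --format=%s -G"$2" | wc -l | tr -d ' '
}

# in_working_tree REPO NEEDLE: "yes" if the literal is still in a tracked, checked-out file.
in_working_tree() {
    if git -C "$1" grep -qF -e "$2"; then echo yes; else echo no; fi
}

REPO=$(make_repo)
echo "introduced by: $(introducing_commit "$REPO" "$FAKE_KEY")"
echo "commits touching an AKIA-shaped token: $(commits_matching_shape "$REPO" "$AKIA_SHAPE")"
echo "still in working tree: $(in_working_tree "$REPO" "$FAKE_KEY")"
git -C "$REPO" log --all --oneline -p -S"$FAKE_KEY"   # the lesson's command, with the diff inline
rm -rf "$REPO"
```

The -G count is 2 because the deleting commit matches the shape as well as the introducing one; the working-tree check says no while history still holds the value, which is exactly the gap the next lesson's rewrite is for.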
Don't forget non-branch refs. Secrets often hide in:
- Stashes — git stash list, then git stash show -p stash@{N}.
- Tags — --all covers refs/tags/.
- Remote-only branches — fetch them first, then --all sees them.
- The reflog — git reflog --all if a commit was deleted but not yet GC'd.
For broader sweeps when you don't have a specific pattern, tools like gitleaks, trufflehog, or git-secrets walk the whole history with a library of detectors. They're better than ad-hoc -G for "find any secret anywhere."
Once you've identified the introducing commit, rotate the secret immediately — assume it's compromised. History rewriting (next lesson) is for cleanup, not containment. The secret is already public the moment it was pushed.