Skip to content
Latchkey

git-secrets AWS credentials detected on scan-history in CI

git-secrets --scan-history walks every commit, not just the current diff, so it catches an AWS key that was committed and later removed. The key remains in history and is still exploitable.

What this error means

A CI job running git secrets --scan-history fails on an AKIA-prefixed key in an old commit, even though the current tree is clean.

git-secrets
f3a91c2:config/old.env:2:AWS_ACCESS_KEY_ID=AKIA...redacted...
[ERROR] Matched one or more prohibited patterns

Common causes

A key committed in the past is still in history

Deleting the file in a later commit does not remove the secret from history; --scan-history still finds it in the earlier commit.

The current-diff hook never saw the old commit

The pre-commit hook only checks new changes, so a key added before the hook existed slips through until a history scan runs.

How to fix it

Rotate the key and purge it from history

  1. Revoke the AWS access key at the provider immediately.
  2. Rewrite history to remove the secret from the old commit, then force-push per your process.
  3. Re-run git secrets --scan-history to confirm it is gone.
Terminal
git secrets --scan-history

Add a history scan to CI

Register the AWS patterns and scan history in CI so old keys are surfaced, not only new diffs.

.github/workflows/ci.yml
- run: |
    git secrets --register-aws
    git secrets --scan-history

How to prevent it

  • Treat any key found in history as compromised and rotate it.
  • Run a history scan periodically, not just diff checks.
  • Use full history (fetch-depth: 0) so scan-history has every commit.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →