git-secrets AWS credentials detected on scan-history in CI
git-secrets --scan-history walks every commit, not just the current diff, so it catches an AWS key that was committed and later removed. The key remains in history and is still exploitable.
What this error means
A CI job running git secrets --scan-history fails on an AKIA-prefixed key in an old commit, even though the current tree is clean.
f3a91c2:config/old.env:2:AWS_ACCESS_KEY_ID=AKIA...redacted...
[ERROR] Matched one or more prohibited patternsCommon causes
A key committed in the past is still in history
Deleting the file in a later commit does not remove the secret from history; --scan-history still finds it in the earlier commit.
The current-diff hook never saw the old commit
The pre-commit hook only checks new changes, so a key added before the hook existed slips through until a history scan runs.
How to fix it
Rotate the key and purge it from history
- Revoke the AWS access key at the provider immediately.
- Rewrite history to remove the secret from the old commit, then force-push per your process.
- Re-run
git secrets --scan-historyto confirm it is gone.
git secrets --scan-historyAdd a history scan to CI
Register the AWS patterns and scan history in CI so old keys are surfaced, not only new diffs.
- run: |
git secrets --register-aws
git secrets --scan-historyHow to prevent it
- Treat any key found in history as compromised and rotate it.
- Run a history scan periodically, not just diff checks.
- Use full history (
fetch-depth: 0) so scan-history has every commit.