World Playground Deceit.net

git secret filter


A very short post to share a solution I developed yesterday to augment the classic git secret filter. While writing this, I noticed that it is actually hard to find tutorials about it (I did find this one) compared to the many history rewriting tools for removing secrets that were already committed by mistake.

So, the "classic" filter (as found in your global gitconfig file):

[filter "secret"]
    clean = sed -e 's/Henry/Edward/g' -e 's/Jekyll/Hyde/g'

with the accompanying .gitattributes line * filter=secret, so that "Henry Jekyll" is rewritten to "Edward Hyde" in every matching file when it is staged.

A few things worth remembering about clean filters before relying on one for secrets. They only transform what goes into the index: the working copy keeps the real names, and since no smudge filter is defined here, a fresh checkout gets the redacted version. If the filter command fails (sed missing, syntax error), git falls back to the original content unless filter.secret.required is set to true, so set it; otherwise a broken filter silently stages the unredacted file. Finally, * matches every path, binaries included; restrict the pattern, or unset the attribute for binaries (for example *.png -filter), if sed mangling them is a concern.

The first change to make here is to make the filter case insensitive, to prevent embarrassing misses. You can use the s command's I flag (a non-POSIX extension: GNU sed supports it, OpenBSD's sed does not), switch to perl, or massacre your regexp like this:

[filter "secret"]
    clean = sed -e 's/[Hh][Ee][Nn][Rr][Yy]/Edward/g' \
                -e 's/[Jj][Ee][Kk][Yy][Ll][Ll]/Hyde/g'

I've had this solution globally enabled for years now, but yesterday, while updating my dotfiles repository, I needed a way to hide arbitrary file sections. No problem, I realized: sed is very good at that:

# !GIT SECRET START!
[filter "secret"]
    clean = sed -e '/!GIT SECRET START\\!/,/!GIT SECRET END\\!/d' \
                -e 's/Hadrien/Anon/gi' \
                -e 's/Lacour/Ymous/gi'
# !GIT SECRET END!

As you probably understood, everything between lines containing those markers (the marker lines themselves included) is removed; the [filter] section above sits between a pair of them, so it is stripped from the staged copy of the gitconfig as well. Fun fact: the backslashes do nothing for sed. Git's config parser turns \\! into \!, and sed reads \! as a literal exclamation mark; their only job is to keep the clean line from containing the bare marker string, so the filter does not match itself. Two caveats with the range address: a START marker with no matching END deletes everything to the end of the file, and files that were staged before the filter existed are not re-filtered until they are added again (git add --renormalize . does that for the whole tree).
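To see all of the above without touching your real ~/.gitconfig, here is an added example (my code, not the author's): the filter as plain shell functions, a marker-balance check for the unterminated-START case, and a throwaway repo wired to the filter through its local config with required set to true, showing the worktree copy next to what git actually staged. The names and marker strings are the post's; the sample file, its api_token line and the repo path are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the post's "secret" clean filter
# as testable shell functions plus a throwaway git repo that shows what
# actually reaches the index. Names and markers are the post's own; the file
# contents, paths and the api_token line are constructed for this demo.

# Constructed sample file: both names in mixed case plus a marked-off block.
sample_input() {
    cat <<'EOF'
Contact: HADRIEN lacour
# !GIT SECRET START!
api_token = constructed-placeholder-123
# !GIT SECRET END!
Owner: Hadrien Lacour
EOF
}

# The post's filter with bracket classes instead of the non-POSIX s///I flag.
# The marker lines and everything between them are deleted, then the names
# are replaced wherever they appear. No backslash trick is needed here since
# this script is not itself run through the filter.
secret_clean() {
    sed -e '/!GIT SECRET START!/,/!GIT SECRET END!/d' \
        -e 's/[Hh][Aa][Dd][Rr][Ii][Ee][Nn]/Anon/g' \
        -e 's/[Ll][Aa][Cc][Oo][Uu][Rr]/Ymous/g'
}

# Edge case the plain sed range hides: a START with no END deletes through the
# end of the file, an END with no START deletes nothing. Counts the markers in
# the file given as $1 and fails when they do not pair up.
secret_check_markers() {
    starts=$(grep -c '!GIT SECRET START!' "$1") || true
    ends=$(grep -c '!GIT SECRET END!' "$1") || true
    [ "$starts" -eq "$ends" ]
}

# Byte-exact wrapper usable as the actual clean command: buffer stdin in a
# temp file, refuse unbalanced markers (with filter.secret.required=true this
# aborts the git add instead of staging a surprise), otherwise run the filter.
secret_filter() {
    buf=$(mktemp) || return 1
    cat > "$buf"
    if secret_check_markers "$buf"; then
        secret_clean < "$buf"
        rc=$?
    else
        echo 'secret filter: unbalanced GIT SECRET START/END markers' >&2
        rc=1
    fi
    rm -f "$buf"
    return "$rc"
}

# Throwaway repo configured through its own .git/config rather than
# ~/.gitconfig. Prints the worktree file next to the staged blob so the
# "index only" nature of a clean filter is visible.
demo_repo() {
    command -v git >/dev/null 2>&1 || { echo 'git not found, skipping demo' >&2; return 0; }
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q
    git -C "$repo" config filter.secret.clean \
        'sed -e "/!GIT SECRET START!/,/!GIT SECRET END!/d" -e "s/[Hh][Aa][Dd][Rr][Ii][Ee][Nn]/Anon/g" -e "s/[Ll][Aa][Cc][Oo][Uu][Rr]/Ymous/g"'
    git -C "$repo" config filter.secret.required true
    printf '* filter=secret\n' > "$repo/.gitattributes"
    sample_input > "$repo/notes.txt"
    git -C "$repo" add .gitattributes notes.txt
    echo '--- worktree copy (secrets still here):'
    cat "$repo/notes.txt"
    echo '--- staged blob (what a commit would record):'
    git -C "$repo" show :notes.txt
    rm -rf "$repo"
}

# "sh secret-filter.sh demo" runs the repo walkthrough; with no arguments the
# file only defines the functions so it can be sourced or tested.
if [ "${1:-}" = demo ]; then
    demo_repo
fi
```

Running the demo prints the sample file twice: the worktree copy still carries the names and the api_token block, the staged blob is down to the two redacted lines. Feeding secret_filter a file with a lone START marker makes it exit non-zero, which is the behaviour you want from the clean command once required is set.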