Complete Guide to Git Repository Cleanup and Optimization

Table of Contents#

Introduction#

Over time, Git repositories can accumulate unnecessary files, large binaries, sensitive data, and messy commit histories. This guide provides comprehensive techniques for cleaning up repositories, removing sensitive information, and optimizing repository performance.

BFG Repo-Cleaner Method#

BFG Repo-Cleaner is a faster, simpler alternative to git-filter-branch for cleansing bad data from Git repository history.

Installation#

1
# Download BFG
2
wget https://repo1.maven.org/maven2/com/madgag/bfg/1.14.0/bfg-1.14.0.jar
3

4
# Or using Homebrew on macOS
5
brew install bfg
6

7
# Or using package manager on Linux
8
sudo apt-get install bfg  # Debian/Ubuntu
9
sudo yum install bfg       # RHEL/CentOS

Removing Files by Name#

1
# Clone a fresh copy of your repo using --mirror
2
git clone --mirror git://example.com/my-repo.git
3

4
# Remove all files named 'id_rsa' or 'id_dsa'
5
java -jar bfg.jar --delete-files id_{dsa,rsa} my-repo.git
6

7
# Remove all files with .log extension
8
java -jar bfg.jar --delete-files '*.log' my-repo.git
9

10
# Clean up the reflog and garbage collect
11
cd my-repo.git
12
git reflog expire --expire=now --all && git gc --prune=now --aggressive
13

14
# Push the cleaned repository
15
git push

Removing Large Files#

1
# Remove all blobs bigger than 100M
2
java -jar bfg.jar --strip-blobs-bigger-than 100M my-repo.git
3

4
# Remove the 20 largest files
5
java -jar bfg.jar --strip-biggest-blobs 20 my-repo.git
6

7
# Clean up
8
cd my-repo.git
9
git reflog expire --expire=now --all && git gc --prune=now --aggressive
10
git push

Removing Sensitive Data#

1
# Create a file with sensitive strings to remove
2
echo 'PASSWORD=secretpass123' >> passwords.txt
3
echo 'API_KEY=abcd1234efgh5678' >> passwords.txt
4
echo 'AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' >> passwords.txt
5

6
# Replace sensitive strings with ***REMOVED***
7
java -jar bfg.jar --replace-text passwords.txt my-repo.git
8

9
# Clean up
10
cd my-repo.git
11
git reflog expire --expire=now --all && git gc --prune=now --aggressive
12
git push --force

git filter-branch Method#

While slower than BFG, git filter-branch is built into Git and offers more flexibility.

Removing a File from All History#

1
# Remove a file from all commits
2
git filter-branch --force --index-filter \
3
  'git rm --cached --ignore-unmatch path/to/sensitive-file' \
4
  --prune-empty --tag-name-filter cat -- --all
5

6
# Remove the original refs backed up by filter-branch
7
git for-each-ref --format="delete %(refname)" refs/original | git update-ref --stdin
8

9
# Expire all reflog entries
10
git reflog expire --expire=now --all
11

12
# Garbage collect
13
git gc --prune=now --aggressive
14

15
# Force push to remote
16
git push origin --force --all
17
git push origin --force --tags

Removing a Directory#

1
# Remove an entire directory from history
2
git filter-branch --force --index-filter \
3
  'git rm -r --cached --ignore-unmatch path/to/directory' \
4
  --prune-empty --tag-name-filter cat -- --all
5

6
# Clean up
7
git for-each-ref --format="delete %(refname)" refs/original | git update-ref --stdin
8
git reflog expire --expire=now --all
9
git gc --prune=now --aggressive

Changing Author Information#

1
#!/bin/sh
2
# Script to change author information
3

4
git filter-branch --env-filter '
5
OLD_EMAIL="wrong@example.com"
6
CORRECT_NAME="Correct Name"
7
CORRECT_EMAIL="correct@example.com"
8

9
if [ "$GIT_COMMITTER_EMAIL" = "$OLD_EMAIL" ]
10
then
11
    export GIT_COMMITTER_NAME="$CORRECT_NAME"
12
    export GIT_COMMITTER_EMAIL="$CORRECT_EMAIL"
13
fi
14
if [ "$GIT_AUTHOR_EMAIL" = "$OLD_EMAIL" ]
15
then
16
    export GIT_AUTHOR_NAME="$CORRECT_NAME"
17
    export GIT_AUTHOR_EMAIL="$CORRECT_EMAIL"
18
fi
19
' --tag-name-filter cat -- --branches --tags

git filter-repo Method (Recommended)#

git filter-repo is the officially recommended tool by the Git project for repository filtering.

Installation#

1
# Using pip
2
pip install git-filter-repo
3

4
# Or download directly
5
wget https://raw.githubusercontent.com/newren/git-filter-repo/main/git-filter-repo
6
chmod +x git-filter-repo
7
sudo mv git-filter-repo /usr/local/bin/

Basic Usage#

1
# Remove a file
2
git filter-repo --path sensitive-file.txt --invert-paths
3

4
# Remove a directory
5
git filter-repo --path secret-directory/ --invert-paths
6

7
# Remove multiple paths
8
git filter-repo --path file1.txt --path dir1/ --path dir2/ --invert-paths
9

10
# Keep only specific paths
11
git filter-repo --path src/ --path docs/

Advanced Filtering#

1
# Remove files by pattern
2
git filter-repo --filename-callback '
3
  if filename.endswith(b".log"):
4
    return None
5
  return filename
6
'
7

8
# Remove large files
9
git filter-repo --strip-blobs-bigger-than 10M
10

11
# Replace text in all files
12
echo 'PASSWORD==>***REMOVED***' > expressions.txt
13
echo 'regex:password\s*=\s*["'\'']*[^"'\'']+["'\'']*==>password = "***REMOVED***"' >> expressions.txt
14
git filter-repo --replace-text expressions.txt

Finding Large Files in Git History#

Script to Find Large Objects#

1
#!/bin/bash
2
# find-large-files.sh - Find the largest objects in Git history
3

4
# Set the number of largest files to show
5
NUM_FILES=20
6

7
# Find large objects
8
git rev-list --objects --all |
9
  git cat-file --batch-check='%(objecttype) %(objectname) %(objectsize) %(rest)' |
10
  sed -n 's/^blob //p' |
11
  sort --numeric-sort --key=2 |
12
  tail -n $NUM_FILES |
13
  cut -c 1-12,41- |
14
  $(command -v gnumfmt || echo numfmt) --field=2 --to=iec-i --suffix=B --padding=7 --round=nearest

Using git-sizer#

1
# Install git-sizer
2
wget https://github.com/github/git-sizer/releases/download/v1.5.0/git-sizer-1.5.0-linux-amd64.zip
3
unzip git-sizer-1.5.0-linux-amd64.zip
4
sudo mv git-sizer /usr/local/bin/
5

6
# Analyze repository
7
git-sizer --verbose
8

9
# Output in JSON format
10
git-sizer --json > git-sizer-report.json

Cleaning Git History#

Squashing Commits#

1
# Interactive rebase to squash last N commits
2
git rebase -i HEAD~N
3

4
# In the editor, change 'pick' to 'squash' or 's' for commits to squash
5
# Example:
6
# pick abc1234 First commit
7
# squash def5678 Second commit
8
# squash ghi9012 Third commit
9

10
# For squashing all commits into one
11
git rebase -i --root

Cleaning Up Merge Commits#

1
# Rebase to remove merge commits
2
git rebase -i --rebase-merges HEAD~20
3

4
# Or to completely linearize history
5
git rebase -i HEAD~20

Removing Empty Commits#

1
# Remove commits that don't change anything
2
git filter-branch --prune-empty --tag-name-filter cat -- --all
3

4
# Using git filter-repo (better)
5
git filter-repo --prune-empty always

Repository Maintenance#

Garbage Collection#

1
# Run garbage collection
2
git gc
3

4
# Aggressive garbage collection (takes longer but more thorough)
5
git gc --aggressive --prune=now
6

7
# Verify repository integrity
8
git fsck --full
9

10
# Clean unnecessary files and optimize repository
11
git clean -fd
12
git remote prune origin
13
git repack -a -d --depth=250 --window=250

Pruning Objects#

1
# Prune all unreachable objects
2
git prune --expire=now
3

4
# Prune reflog entries older than 30 days
5
git reflog expire --expire=30.days --all
6

7
# Prune remote-tracking branches
8
git remote prune origin
9

10
# Remove stale branches
11
git for-each-ref --format '%(refname:short)' refs/heads | grep -v master | xargs git branch -D

Repository Statistics#

1
#!/bin/bash
2
# repo-stats.sh - Display repository statistics
3

4
echo "Repository Size:"
5
du -sh .git
6

7
echo -e "\nObject Count:"
8
git count-objects -v
9

10
echo -e "\nLargest Files in Working Directory:"
11
find . -type f -not -path './.git/*' -exec du -h {} + | sort -rh | head -20
12

13
echo -e "\nBranch Count:"
14
git branch -a | wc -l
15

16
echo -e "\nCommit Count:"
17
git rev-list --all --count
18

19
echo -e "\nContributors:"
20
git shortlog -sn

Removing Sensitive Data Patterns#

Common Patterns to Remove#

1
# Create patterns file
2
cat > sensitive-patterns.txt << 'EOF'
3
# AWS Credentials
4
regex:AKIA[0-9A-Z]{16}==>[AWS_ACCESS_KEY_REMOVED]
5
regex:aws_secret_access_key\s*=\s*["']?[A-Za-z0-9/+=]{40}["']?==>aws_secret_access_key="[REMOVED]"
6

7
# API Keys
8
regex:api[_-]?key\s*[:=]\s*["']?[A-Za-z0-9]{32,}["']?==>api_key="[REMOVED]"
9
regex:token\s*[:=]\s*["']?[A-Za-z0-9]{32,}["']?==>token="[REMOVED]"
10

11
# Passwords
12
regex:password\s*[:=]\s*["']?[^"'\s]+["']?==>password="[REMOVED]"
13
regex:passwd\s*[:=]\s*["']?[^"'\s]+["']?==>passwd="[REMOVED]"
14

15
# Private Keys
16
regex:-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----==>-----BEGIN PRIVATE KEY-----[REMOVED]-----END PRIVATE KEY-----
17

18
# Database URLs
19
regex:postgres://[^@]+@[^/]+/\w+==>postgres://[REMOVED]@[REMOVED]/[REMOVED]
20
regex:mysql://[^@]+@[^/]+/\w+==>mysql://[REMOVED]@[REMOVED]/[REMOVED]
21
regex:mongodb://[^@]+@[^/]+/\w+==>mongodb://[REMOVED]@[REMOVED]/[REMOVED]
22
EOF
23

24
# Apply patterns with git filter-repo
25
git filter-repo --replace-text sensitive-patterns.txt

Verification Script#

1
#!/bin/bash
2
# verify-sensitive-data.sh - Check for sensitive data in repository
3

4
echo "Checking for potential sensitive data..."
5

6
# Check for private keys
7
echo -e "\nSearching for private keys:"
8
git grep -E "BEGIN (RSA|DSA|EC|OPENSSH) PRIVATE KEY" || echo "No private keys found"
9

10
# Check for AWS credentials
11
echo -e "\nSearching for AWS credentials:"
12
git grep -E "AKIA[0-9A-Z]{16}" || echo "No AWS access keys found"
13

14
# Check for passwords
15
echo -e "\nSearching for passwords:"
16
git grep -iE "password\s*[:=]" | grep -v -E "(example|test|dummy|placeholder)" || echo "No passwords found"
17

18
# Check for API keys
19
echo -e "\nSearching for API keys:"
20
git grep -iE "(api[_-]?key|token)\s*[:=]" | grep -v -E "(example|test|dummy|placeholder)" || echo "No API keys found"
21

22
# Check for large files
23
echo -e "\nLarge files in current working tree:"
24
find . -type f -size +10M -not -path './.git/*' -exec ls -lh {} \;

Best Practices#

Pre-Cleanup Checklist#

1
#!/bin/bash
2
echo "Git Repository Cleanup Pre-Check"
3
echo "================================"
4

5
# Check if repository is clean
6
if [[ -n $(git status -s) ]]; then
7
    echo "❌ Working directory is not clean. Commit or stash changes first."
8
    exit 1
9
else
10
    echo "✅ Working directory is clean"
11
fi
12

13
# Check for backup
14
echo -e "\n⚠️  Have you backed up your repository? (y/n)"
15
read -r response
16
if [[ ! "$response" =~ ^([yY][eE][sS]|[yY])$ ]]; then
17
    echo "Please backup your repository first!"
18
    echo "Run: git clone --mirror $(git remote get-url origin) backup-$(date +%Y%m%d)"
19
    exit 1
20
fi
21

22
# List remotes
23
echo -e "\n📡 Remote repositories:"
24
git remote -v
25

26
# Show repository size
27
echo -e "\n📊 Repository size:"
28
du -sh .git
29

30
# Count objects
31
echo -e "\n🔢 Object count:"
32
git count-objects -v
33

34
echo -e "\n✅ Pre-cleanup check complete. Safe to proceed."

.gitignore Templates#

1
# Common patterns to add to .gitignore before cleanup
2

3
# Sensitive files
4
*.pem
5
*.key
6
*.pfx
7
*.p12
8
.env
9
.env.*
10
config/secrets.yml
11
config/database.yml
12

13
# Large files
14
*.log
15
*.sql
16
*.dump
17
*.tar
18
*.tar.gz
19
*.zip
20
*.7z
21
*.rar
22

23
# OS generated files
24
.DS_Store
25
Thumbs.db
26
*.swp
27
*~
28

29
# IDE files
30
.idea/
31
.vscode/
32
*.iml
33
.project
34
.settings/
35

36
# Build artifacts
37
build/
38
dist/
39
*.egg-info/
40
__pycache__/
41
node_modules/
42
target/
43
*.class
44
*.jar

Post-Cleanup Steps#

1
#!/bin/bash
2
# post-cleanup.sh - Steps to perform after cleanup
3

4
echo "Post-Cleanup Tasks"
5
echo "=================="
6

7
# Update all branches
8
echo "\n1. Updating all branches..."
9
for branch in $(git branch -r | grep -v HEAD | sed 's/origin\///')
10
do
11
    echo "Updating branch: $branch"
12
    git checkout $branch
13
    git pull origin $branch
14
done
15

16
# Notify team members
17
echo -e "\n2. Team notification template:"
18
cat << EOF
19
Subject: Important: Git Repository Cleanup Completed
20

21
Team,
22

23
We have completed a cleanup of our Git repository. This cleanup included:
24
- Removing large files from history
25
- Removing sensitive data
26
- Optimizing repository size
27

28
ACTION REQUIRED:
29
1. Delete your local repository
30
2. Re-clone the repository: git clone [repository-url]
31
3. If you have local branches, you'll need to recreate them
32
4. Update any CI/CD pipelines that might be affected
33

34
The repository size has been reduced from X GB to Y GB.
35

36
Please complete these steps before continuing work.
37

38
Thank you for your cooperation.
39
EOF
40

41
# Verify cleanup
42
echo -e "\n3. Verification:"
43
echo "New repository size: $(du -sh .git | cut -f1)"
44
echo "Object count: $(git count-objects -v | grep 'count:' | cut -d' ' -f2)"
45

46
# Update documentation
47
echo -e "\n4. Update documentation:"
48
echo "- Update README with new clone instructions"
49
echo "- Document any changed procedures"
50
echo "- Update CI/CD configurations if needed"

Security Considerations#

Rotating Compromised Credentials#

After removing sensitive data from Git history:

Immediately rotate all exposed credentials
Audit access logs for any unauthorized usage
Update all systems using the compromised credentials
Implement secret scanning in CI/CD pipeline

Preventing Future Issues#

1
# Install pre-commit hooks
2
pip install pre-commit
3

4
# Create .pre-commit-config.yaml
5
cat > .pre-commit-config.yaml << 'EOF'
6
repos:
7
  - repo: https://github.com/Yelp/detect-secrets
8
    rev: v1.4.0
9
    hooks:
10
      - id: detect-secrets
11
        args: ['--baseline', '.secrets.baseline']
12
  - repo: https://github.com/pre-commit/pre-commit-hooks
13
    rev: v4.4.0
14
    hooks:
15
      - id: check-added-large-files
16
        args: ['--maxkb=1000']
17
      - id: check-merge-conflict
18
      - id: check-yaml
19
      - id: end-of-file-fixer
20
      - id: trailing-whitespace
21
EOF
22

23
# Install hooks
24
pre-commit install
25

26
# Create baseline for existing secrets (to ignore)
27
detect-secrets scan > .secrets.baseline

Conclusion#

Regular repository maintenance is crucial for keeping Git repositories fast, secure, and manageable. Key takeaways:

Always backup before performing destructive operations
Use BFG or git-filter-repo instead of filter-branch when possible
Rotate credentials immediately after removing them from history
Implement preventive measures like pre-commit hooks
Communicate with your team before and after cleanup
Document the process for future reference

Remember that rewriting history affects all collaborators, so coordinate carefully and ensure everyone is prepared for the changes.