How to search your git history for accidentally committed SharePoint app ClientId/ClientSecret

Nowadays I prefer to store production credentials as settings in Azure Websites and only commit development Id/Secret combos. But that was not always the case. Seeing how often we tend to forget the bad decisions we made, it's good to do a little security check now and again.

Here is a snippet (that works on Windows) to do a case-insensitive search through every commit in your solution for this dreaded combo. It works by outputting the matching row and the row above it, which is usually the ClientId. Since this is generated by the VS tooling, we can be fairly certain that the combo will be the same for most projects. Type it at a cmd prompt; inside a .bat file, write %%x instead of %x.

FOR /F %x IN ('"git rev-list --all"') DO @git --no-pager grep -i -B 1 "clientsecret\" value=\"[^\"]" %x

Here is some sample output from the PnP project.

Now you could extend this to check for your actual production secret as well by modifying the regex like this:

FOR /F %x IN ('"git rev-list --all"') DO @git --no-pager grep -i -B 1 "clientsecret\" value=\"4A9ilV+zqol7bdvzUEOVfOYl+fHOmubVr2+8ZtLx3WY=\"" %x
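The same search as a POSIX shell function for Git Bash, Linux or macOS. This is an added example, not part of the original post. It goes one step beyond the loop above: each distinct path/secret pair is printed once, with the oldest commit that contains it, instead of once per commit. The function name find_client_secrets is hypothetical, and git grep -o needs Git 2.19 or later.

```shell
#!/bin/sh
# Added example (not from the original post): list every non-empty
# ClientSecret value found anywhere in history, once per path/value pair.
# Usage: find_client_secrets [path-to-repo]
find_client_secrets() {
    repo=${1:-.}
    # Same idea as the cmd regex: ClientSecret" value="<non-empty>"
    pattern='clientsecret" +value="[^"]+"'

    # Walk commits oldest first so the first sighting is the earliest commit.
    git -C "$repo" rev-list --all --reverse |
    while read -r rev; do
        # -I skip binaries, -i ignore case, -o print only the matched text.
        # git grep exits 1 when a commit has no match; that is not an error.
        git -C "$repo" --no-pager grep -I -i -o -E "$pattern" "$rev" || true
    done |
    awk '{
        # Each input line looks like  <rev>:<path>:<matched text>
        c = index($0, ":")
        rev = substr($0, 1, c - 1)
        rest = substr($0, c + 1)
        p = index(tolower(rest), ":clientsecret\"")
        if (p == 0) next
        path = substr(rest, 1, p - 1)
        hit = substr(rest, p + 1)
        key = path "\t" hit
        # Report a path/value pair only the first time it is seen.
        if (!(key in seen)) {
            seen[key] = 1
            print substr(rev, 1, 10) "\t" path "\t" hit
        }
    }'
}
```

Any line it prints means the value is still retrievable from history even if the current web.config is clean, so rotate that secret.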

Hope that helps.