But it’s already in the git objects and therefore accessible to anyone who clones the repository? I am not 100% sure about that. Can someone confirm?
If creds leak, rotate those creds. Then, you check your logs to make sure there was no intrusion.
"Rotate the creds" gives the absolute best guarantee that they're useless. Three words I can explain to a nervous manager.
"What if someone got ahold of those creds?"
"Well, boss, here's the window in which it could have happened, and let's go over these logs together to see if it did."
Scrubbing the repo? I'm skeptical that you're getting rid of anything without `push --force`, and you sure as heck aren't running `git gc --prune` on the remote system, let alone `bfg`.
I totally agree! You should rotate the keys! We explain how to get rid of it in terms of Git. This is in addition to rotating it. Sorry for not being clear.
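An added shell demonstration, not from anyone in this thread, of the two points raised above: a secret "removed" in a follow-up commit is still in the history that every clone receives, and getting it out of a repository takes a history rewrite plus reflog expiry and `gc` on each copy. It builds a throwaway repo in a temp directory, uses the deprecated but universally shipped `git filter-branch` in place of `bfg`, and the secret value is a constructed placeholder.

```shell
#!/bin/sh
set -eu
SECRET='api_key=EXAMPLE_PLACEHOLDER_NOT_A_REAL_KEY'   # constructed placeholder, not a real key

# Commit a file holding the secret, then "remove" it with a second commit (the usual first reaction).
make_leaky_repo() {
  d=$(mktemp -d)
  git -C "$d" init -q
  git -C "$d" config user.email dev@example.test
  git -C "$d" config user.name dev
  printf '%s\n' "$SECRET" > "$d/config.ini"
  git -C "$d" add config.ini
  git -C "$d" commit -q -m 'add config'
  git -C "$d" rm -q config.ini
  git -C "$d" commit -q -m 'remove config'
  printf '%s\n' "$d"
}

# Exposure check: is the string in any tree reachable from any ref? That is what a clone gets. Exit 0 = present.
secret_in_history() {  # $1 repo, $2 needle
  git -C "$1" grep -q -F -e "$2" $(git -C "$1" rev-list --all)
}

# Object-level check: the blob survives as an unreachable object until reflog expiry and gc prune it.
blob_present() {  # $1 repo, $2 content; exit 0 = blob still stored
  id=$(printf '%s\n' "$2" | git -C "$1" hash-object --stdin)
  git -C "$1" cat-file -e "$id" 2>/dev/null
}

# Scrub: rewrite every commit without the file, drop filter-branch's backup refs and the reflog, then prune.
# Only the last step removes the blob here; existing clones keep theirs and a remote needs the same gc.
scrub_history() {  # $1 repo, $2 path to purge
  FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$1" filter-branch -f \
    --index-filter "git rm -q --cached --ignore-unmatch '$2'" -- --all >/dev/null 2>&1
  for ref in $(git -C "$1" for-each-ref --format='%(refname)' refs/original/); do
    git -C "$1" update-ref -d "$ref"
  done
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}

# Walk-through: leak, "fix" commit, clone, scrub.
repo=$(make_leaky_repo)
clone=$(mktemp -d)/clone && git clone -q "$repo" "$clone"
secret_in_history "$repo" "$SECRET" && echo "after the removal commit: still in origin history"
secret_in_history "$clone" "$SECRET" && echo "a fresh clone carries it too"
scrub_history "$repo" config.ini
secret_in_history "$repo" "$SECRET" || echo "origin scrubbed (rotate the creds regardless)"
secret_in_history "$clone" "$SECRET" && echo "the clone still has it"
```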