How to remove content from GitHub

GitHub has a process for initiating takedown requests that can be used to remove data leaks of sensitive information.

Written by Greg Pollock

When sensitive data is exposed on GitHub, part of the response process is to attempt to remove that content.

If possible, the fastest and easiest way to remove the content is to contact the owner of the repo and ask them to delete the repo or make it private. If the user's email address is known, it will be included in the finding notes in Data Leaks.

If contacting the owner is not feasible, you can submit a takedown request to GitHub. Credentials and other information disclosed as data leaks may fall under their "Private Information Removal Policy," depending on the security risk posed by the content. You should read the documentation to understand the policy. Quoting from that documentation, it covers:

  • Access credentials, such as user names combined with passwords,

  • AWS tokens and other similar access credentials that grant access to a third party on your behalf.

  • Documentation (such as network diagrams or architecture) that poses a specific security risk for an organization.

  • Information related to, and posing a security risk to, you as an individual (such as social security numbers)

To submit a takedown request, you will need to explain how the content falls under those guidelines. GitHub provides detailed instructions on what information needs to be in a takedown request here.

With that information, you will be able to fill out the takedown form here and submit your request. GitHub's documentation explains in detail the process through which they review and respond to these requests.

While less common than credential leaks, GitHub also removes content that violates the DMCA or their trademark policy. You can follow the documentation on those pages to submit takedown requests based on those policies.