Unreferenced, Not Unreachable: The Security Risk of Dangling Commits
Submitted Apr 23, 2025
Topic of your submission:
Supply chain security
Type of submission:
30 mins talk
I am submitting for:
Rootconf Annual Conference 2025
Description
At some point, every developer has force-pushed to tidy up commit history. Whether it’s removing secrets, cleaning up messy merges, or rebasing for clarity—it’s all in a day’s work. But what if those commits you “removed” never actually left?
This talk explores dangling commits: Git objects that no longer belong to any branch or tag but still exist in the repository. Nothing about this is new or inherently dangerous; it is how Git is designed. Moving a ref (a rebase, an amend, a reset, a force-push) never deletes the objects it abandons. They stay in the object store until garbage collection prunes them, and on a hosted platform you do not control when, or whether, that happens. In today's development landscape, where platforms like GitHub expose parts of Git internals through APIs and activity feeds, these lingering commits can become a stealthy and serious attack surface.
We'll walk through how attackers discover and extract dangling commits from GitHub repositories, often surfacing sensitive data long after developers thought it was deleted. Through demos, we'll see how easy it is to reconstruct these "ghost commits" and what kinds of exposure that leads to, from leaked secrets to internal code and even full infrastructure paths. We'll also share research and data points that quantify the real-world impact, showing how frequently sensitive information is exposed through dangling commits. Finally, we'll take a critical look at the common strategies for removing a commit (force-pushing, rebasing, rewriting history) and see where each falls short in shared, distributed, and cloud-hosted environments.
Most importantly, this session is a call to action for builders and maintainers. The goal isn’t just awareness — it’s to equip attendees with the knowledge to find, analyze, and mitigate these risks in their own workflows and organizations.
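To make the mechanism behind the abstract concrete, here is an added example that is not part of the submission or of any tool the speaker describes. It writes a tiny repository directly in Git's loose-object format (the same zlib-compressed, SHA-1-addressed files a real `.git/objects` directory holds), commits a constructed fake secret, then "removes" it the way a `git reset --hard HEAD~1 && git push --force` would, by moving the branch ref backwards. The finder then does what `git fsck --dangling` does for commits (enumerate every commit object, subtract everything reachable from refs) and reconstructs the abandoned commit's files. The repository layout, file names, secret string and author identity are all constructed here; packfiles and `packed-refs` are deliberately not handled, so this is a teaching model, not a replacement for `git fsck`.

```python
"""Added example (not from the submission): a dangling-commit finder written against
Git's on-disk loose-object format. Repo, secret and identity below are constructed."""
import hashlib
import os
import tempfile
import zlib

def write_object(objdir, kind, payload):
    """Store a loose object as git does: zlib("<kind> <len>\\0" + payload), named by SHA-1."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    os.makedirs(os.path.join(objdir, sha[:2]), exist_ok=True)
    with open(os.path.join(objdir, sha[:2], sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha

def read_object(objdir, sha):
    with open(os.path.join(objdir, sha[:2], sha[2:]), "rb") as f:
        header, _, payload = zlib.decompress(f.read()).partition(b"\0")
    return header.decode().split(" ")[0], payload  # (kind, payload)

def parse_commit(payload):
    head, _, _message = payload.partition(b"\n\n")
    fields = [line.partition(" ") for line in head.decode().splitlines()]
    return {"tree": next(v for k, _, v in fields if k == "tree"),
            "parents": [v for k, _, v in fields if k == "parent"]}

def make_tree(objdir, files):
    # Tree entries are '<mode> <name>\0' followed by the 20 raw SHA-1 bytes.
    payload = b"".join(b"100644 " + n.encode() + b"\0" + bytes.fromhex(s)
                       for n, s in sorted(files.items()))
    return write_object(objdir, "tree", payload)

def make_commit(objdir, tree, parents, message):
    ident = "Dev <dev@example.com> 0 +0000"  # fixed identity/time keeps SHAs stable
    lines = [f"tree {tree}", *[f"parent {p}" for p in parents],
             f"author {ident}", f"committer {ident}"]
    return write_object(objdir, "commit", ("\n".join(lines) + "\n\n" + message).encode())

def all_commits(objdir):
    # Every commit object on disk, reachable or not: what `git fsck` enumerates.
    shas = set()
    for prefix in (p for p in os.listdir(objdir) if len(p) == 2):
        for rest in os.listdir(os.path.join(objdir, prefix)):
            if read_object(objdir, prefix + rest)[0] == "commit":
                shas.add(prefix + rest)
    return shas

def ref_tips(gitdir):
    # Commit SHAs that branches and tags point at (loose refs only).
    tips = set()
    for kind in ("heads", "tags"):
        base = os.path.join(gitdir, "refs", kind)
        for name in (os.listdir(base) if os.path.isdir(base) else []):
            with open(os.path.join(base, name)) as f:
                tips.add(f.read().strip())
    return tips

def reachable_commits(objdir, tips):
    seen, stack = set(), list(tips)
    while stack:
        sha = stack.pop()
        if sha not in seen:
            seen.add(sha)
            stack.extend(parse_commit(read_object(objdir, sha)[1])["parents"])
    return seen

def find_dangling_commits(gitdir):
    """Commits present in the object store but unreachable from any branch or tag."""
    objdir = os.path.join(gitdir, "objects")
    return all_commits(objdir) - reachable_commits(objdir, ref_tips(gitdir))

def files_in_commit(objdir, commit_sha):
    """Reconstruct a commit's files: commit -> tree -> blobs (flat, one-level tree)."""
    data = read_object(objdir, parse_commit(read_object(objdir, commit_sha)[1])["tree"])[1]
    files, pos = {}, 0
    while pos < len(data):
        nul = data.index(b"\0", pos)
        name = data[pos:nul].decode().split(" ", 1)[1]
        files[name] = read_object(objdir, data[nul + 1:nul + 21].hex())[1].decode()
        pos = nul + 21
    return files

def build_demo_repo(gitdir):
    """Constructed scenario: commit a fake secret, then 'remove' it by resetting main."""
    objdir = os.path.join(gitdir, "objects")
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    clean = write_object(objdir, "blob", b"DB_HOST=db.internal\n")
    base = make_commit(objdir, make_tree(objdir, {"config.env": clean}), [], "initial\n")
    leaked = write_object(objdir, "blob", b"DB_HOST=db.internal\nDB_PASSWORD=fake-secret-for-demo\n")
    leak = make_commit(objdir, make_tree(objdir, {"config.env": leaked}), [base], "add prod creds\n")
    # `git reset --hard HEAD~1 && git push --force`: main moves back to base, but the
    # object store is never edited, so `leak` and its blob stay on disk.
    with open(os.path.join(gitdir, "refs", "heads", "main"), "w") as f:
        f.write(base + "\n")
    return {"base": base, "leak": leak}

def demo():
    """Returns (shas, set of dangling commits, recovered files per dangling commit)."""
    gitdir = os.path.join(tempfile.mkdtemp(), ".git")
    shas = build_demo_repo(gitdir)
    dangling = find_dangling_commits(gitdir)
    return shas, dangling, {s: files_in_commit(os.path.join(gitdir, "objects"), s)
                            for s in dangling}
```

Running `demo()` reports exactly one dangling commit, `leak`, and recovers `config.env` with the fake password from it, even though no branch points at it any more. On a real clone the same walk is `git fsck --dangling` followed by `git cat-file -p <sha>`. The hosted case differs in one way that matters for the talk: you cannot list a remote's object store, so the attacker's starting point is a commit hash that leaked through activity data, and GitHub's own documentation on removing sensitive data notes that unreachable commits remain viewable by URL until support purges them. Local cleanup (rebase, force-push, `git gc` on your machine) never touches the remote's objects.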
Takeaways
- Discover how dangling commits on GitHub can expose secrets and code, even after you’ve cleaned up your branches.
- Understand practical steps developers and teams can take to avoid leaking sensitive data through Git history and cleanup mistakes.
Which audience segment is your talk/session going to be beneficial for?
This talk is aimed at developers, DevOps engineers, SREs, and security practitioners who use Git and GitHub as part of their daily workflow. If you work with version control, this session will help you identify and address a security blind spot.
About The Speaker
I’m Ashwin, and I spend my time breaking and securing things at RedHunt Labs—mostly in web and cloud environments, the software supply chain, and wherever code flows. I’ve shared my work through talks and trainings at events like BlackHat, Nullcon, and others. With experience on both the offensive and defensive sides of security, I focus on building practical defenses rooted in how real-world attackers think and operate.