Sensitive data such as passwords should be in .env files and, if possible, not end up in Git repositories. But it has probably happened to each of us at least once by mistake: Quickly published a nice Google Maps JS API script on GitHub Gists (as "public") without accidentally disguising our own private Maps API key.
Fortunately, the attentive Google Cloud Platform Trust & Safety team has recently started tapping your fingers with automated e-mails that not only scour github.com for public API keys on a large scale:
we have detected a publicly accessible Google API key associated with the following Google Cloud Platform project:
Then it is time to act at the latest. Fortunately, even Git is forgivable. The following bash script uses the great BFG repo cleaner (no, this does not mean the weapon from DOOM) and removes the API key in line 5 of the Git repository in line 6:
PS: The API key in line 5 is a joke.