Reputation: 28889
We had a developer submit a PR that had a plain-text password in it. The reviewer asked for it to be removed and loaded in another way so it didn't make its way into the repo. It has since been fixed. However, the history of the PR still shows the original commit with the password. Is there any way to remove a portion of the history of the PR (or, if necessary, the entire PR) so that other users cannot view that password?
If there isn't a supported answer, we happen to be using AzDev 2019 server, which I believe should enable us to remove it somehow...
Note in this case we can just change the password, so this isn't a deal-breaker, but it would be nice to know how to do this for future occurrences where changing a password is more difficult.
Upvotes: 1
Views: 1388
Reputation: 1
I have encountered a similar problem, and one solution could be to remove the repository in Azure, which would remove the history as well. So fixing the issues locally and then creating a new remote repo for the branch would be a way to go.
Upvotes: 0
Reputation: 51083
It's not possible to delete a pull request at the moment in Azure DevOps Server.
We already have a user voice on the Developer Community feature request site. Kindly vote it up and track the status.
Allow deletion of pull requests
If you haven't committed the pull request, we give an option to abandon the pull request, which leaves it hanging around.
This should be a team process policy to prevent users from committing plain-text passwords. Changing the password is the safest option.
Upvotes: 2
Reputation: 40583
I see your point, but the rule of thumb is: if a password was exposed, you should revoke it ASAP.
You can also try this:
To replace all text listed in passwords.txt wherever it can be found in your repository's history, run:
$ bfg --replace-text passwords.txt
I was looking at the REST API for pull requests, but there is nothing about removing it.
Upvotes: 0
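An added check, not part of any answer above: it rebuilds the situation from the question in a throwaway repository and shows that the follow-up "fix" commit leaves the password reachable in history, which is the state a rewrite such as `bfg --replace-text passwords.txt` has to change. The repository, file name and password are constructed, and each line of the passwords file is treated as a literal string (an assumption of this example).

```shell
#!/bin/sh
# Added example; the repo, file name and password below are constructed.

# Print the hash of every commit, on any ref, whose diff adds or removes $2.
secret_commits() {
    git -C "$1" log --all --format=%H -S"$2"
}

# Succeed if the literal $2 appears in a tracked file at HEAD of repo $1.
secret_in_head() {
    git -C "$1" grep -q -F -e "$2" HEAD
}

# Count the lines of a passwords.txt-style file ($2, one literal per line,
# an assumption of this example) still found in the history of repo $1.
leaked_count() {
    n=0
    while IFS= read -r secret; do
        [ -n "$secret" ] || continue
        [ -z "$(secret_commits "$1" "$secret")" ] || n=$((n + 1))
    done < "$2"
    echo "$n"
}

# Build a throwaway repo mirroring the PR: commit 1 adds the password,
# commit 2 is the "fix" that loads it from the environment instead.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    printf 'db_password = "Constructed-Pw-123"\n' > "$dir/app.conf"
    git -C "$dir" add app.conf
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "Add DB config"
    printf 'db_password = ${DB_PASSWORD}\n' > "$dir/app.conf"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -am "Load password from environment"
    echo "$dir"
}

# Demo: HEAD no longer contains the password, but history still does.
repo=$(make_demo_repo)
list=$(mktemp)
printf 'Constructed-Pw-123\n' > "$list"
secret_in_head "$repo" "Constructed-Pw-123" || echo "HEAD is clean"
echo "passwords.txt entries still in history: $(leaked_count "$repo" "$list")"
rm -rf "$repo" "$list"
```

Running the same `leaked_count` after a history rewrite should print 0 for the rewritten clone; it only inspects refs present in the repository it is pointed at.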