A company discovers that developers have been committing API keys and database credentials to a public GitHub repository. What should the analyst recommend as an IMMEDIATE mitigation?
- Rotate all exposed credentials and remove the repository from GitHub ✓
- Monitor the credentials for unauthorized use and rotate only if compromised
- Change the repository to private status
- Request GitHub to remove the commit history
Correct answer: Rotate all exposed credentials and remove the repository from GitHub
Option A is correct because credentials that have been publicly exposed must be treated as fully compromised; rotating them immediately invalidates the leaked secrets, and removing the repository eliminates the public exposure surface, which is the only safe immediate response. Option B is incorrect because waiting to observe unauthorized use before rotating is negligent, since attackers may have already copied the credentials and could exploit them at any time without generating detectable activity. Option C is incorrect because making the repository private does not revoke the already-exposed credentials, and anyone who viewed or cloned the repository before the change still has them. Option D is incorrect because requesting GitHub to remove commit history is a slow process with no guarantee of success, does not invalidate the credentials, and does not address copies made by third parties or automated scanners.
Topic: credential exposure, secrets management, incident response, devsecops