Challenge 38

Welcome to challenge Challenge 38. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Git Notes

Git commit messages can be a constant pain point.

It is fine to use a short message, unintelligible garble or a simple mash of the keyboard in a git message until you have the unfortunate task of reviewing. At this point these scruffy messages can be a nightmare.

Git notes are here to solve this, it has been around for a long while but often gets overlooked. Add extra metadata about the commit without affecting the commit message itself.

Like all Git, once information is committed, it is very very hard to remove all reference of it. What could possible go wrong?

Answer to solution :

Unlike other Git challenges this cannot be solved by the plethora of tools that will automatically search for secrets leaked in Git repos.

Try solving the challenge by manually combing the Git metadata.

  1. Clone the repository - git clone

  2. Navigate to the directory - cd wrongsecrets

  3. Fetch the notes - git fetch origin 'refs/notes/*:refs/notes/*'

  4. List all notes in the repo - git notes

  5. Using the note reference that is displayed, show the note - git notes show [ref] (2 references will show for each note, the second one is the note reference)

Why should you be careful with Git notes?

  1. Like all Git repo’s, once a secret is leaked it here it is very tough/impossible to remove from all history.

  2. Git Notes appears to be a rarely used feature of Git, therefore a lot of the secret scanners do not check them. This means it can be missed in CI.*

Concern 2 is currently being researched by the team at WrongSecrets, we are sampling the biggest open source projects to understand if Git notes is used. If it is used we may try to contribute to secret scanners to accommodate this, if it is not used we may recommend simply not using this feature of Git to ensure no issues arise. Keep an eye out on the WrongSecrets Slack for the progression of this project.