Challenge 38

Welcome to challenge 38. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Git Notes

Git commit messages can be a constant pain point.

It is fine to use a short message, unintelligible garble or a simple mash of the keyboard in a git message until you have the unfortunate task of reviewing. At this point these scruffy messages can be a nightmare.

Git notes are here to solve this, it has been around for a long while but often gets overlooked. Add extra metadata about the commit without affecting the commit message itself.

Like all Git, once information is committed, it is very very hard to remove all reference of it. What could possible go wrong?

Answer to solution :

Why should you be careful with Git notes?

  1. Like all Git repo’s, once a secret is leaked it here it is very tough/impossible to remove from all history.

  2. Git Notes appears to be a rarely used feature of Git, therefore a lot of the secret scanners do not check them. This means it can be missed in CI.*

Concern 2 is currently being researched by the team at WrongSecrets, we are sampling the biggest open source projects to understand if Git notes is used. If it is used we may try to contribute to secret scanners to accommodate this, if it is not used we may recommend simply not using this feature of Git to ensure no issues arise. Keep an eye out on the WrongSecrets Slack for the progression of this project.