MCPcopy Index your code
hub / github.com/OWASP/wrongsecrets

github.com/OWASP/wrongsecrets @1.13.5

Chat with this repo
repository ↗ · DeepWiki ↗ · release 1.13.5 ↗ · + Follow
1,025 symbols 2,817 edges 267 files 204 documented · 20%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

OWASP WrongSecrets

Tweet

Java checkstyle and testing Pre-commit Terraform FMT CodeQL Dead Link Checker Javadoc and Swaggerdoc generator Test Heroku with cypress

Test minikube script (k8s) Test minikube script (k8s&vault) Docker container test Test container on podman DAST with ZAP PR Preview and Visual Diff Build Preview Visual Diff

OWASP Production Project OpenSSF Best Practices Discussions Docker pulls

Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to not store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.

Can you solve all the 67 challenges?

Try some of them on our Heroku demo environment.

Want to play the other challenges? Read the instructions on how to set them up below.

🚀 Quick Start

New to WrongSecrets? Start here:

  1. Try Online First: Visit our Heroku demo to get familiar with the challenges
  2. Run Locally: Use Docker for the full experience with all challenges: bash docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault Then open http://localhost:8080
  3. Want to see what's ahead? Try our bleeding-edge master container with the latest features: bash docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master ⚠️ Note: This is a development version and may be unstable
  4. Advanced Setup: For cloud challenges and Kubernetes exercises, see the detailed instructions below

What you'll learn: - Common secrets management mistakes - How to identify exposed credentials - Best practices for securing secrets - Tools and techniques for secret detection

How it works: This repository contains intentionally vulnerable code and configuration files with real and fake secrets hidden throughout the codebase. You'll examine source code, configuration files, Docker containers, and cloud deployments to discover these secrets. Each challenge teaches you different ways secrets can be accidentally exposed in real-world applications.

screenshotOfChallenge1

📋 Prerequisites

For basic usage: - A web browser - Docker (for local setup) - Install here

For advanced setups: - Kubernetes/Minikube - Install here - Cloud account (AWS/GCP/Azure) for cloud challenges - Command line familiarity

Table of contents

🎯 Getting Started

🐳 Deployment Options

☁️ Cloud Challenges

🎮 Advanced Usage

👨‍💻 Development & Contribution

📚 Resources & Community

Support

Need support? Contact us via OWASP Slack for which you sign up here , file a PR, file an issue , or use discussions. Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.

Copyright (c) 2020-2025 Jeroen Willemsen and WrongSecrets contributors.

🛤️ Choose Your Path

Not sure which setup is right for you? Here's a quick guide:

I want to... Recommended Setup Challenges Available
Try it quickly online Container running on Heroku Basic challenges (0-4, 8, 12-32, 34-43, 49-52, 54-66)
Run locally with Docker Basic Docker Same as above, but on your machine
Learn Kubernetes secrets K8s/Minikube Setup Kubernetes challenges (0-6, 8, 12-43, 48-66)
Practice with cloud secrets Cloud Challenges All challenges (0-66)
Run a workshop/CTF CTF Setup Customizable challenge sets
Contribute to the project Development Setup All challenges + development tools

Basic docker exercises

Can be used for challenges 0-4, 8, 12-32, 34-43, 49-52, 54-66

For the basic docker exercises you currently require:

You can install it by doing:

docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault

🚀 Want to try the bleeding-edge version?

If you want to see what's coming in the next release, you can use our automatically-built master container:

docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master

⚠️ Warning: This is a development version built from the latest master branch and may contain experimental features or instabilities.

📝 Note on Ports: - Port 8080: Main application (challenges 0-66) - Port 8090: MCP server (required for Challenge 60)

📝 Note on Challenge 62 (Google Drive MCP): Challenge 62 requires a Google Service Account to be configured for full functionality. See docs/CHALLENGE62_GOOGLE_DRIVE_SETUP.md for setup instructions. Without configuration, the challenge will show a placeholder message.

Now you can try to find the secrets by means of solving the challenge offered at the links below

all the links for docker challenges (click triangle to open the block).

Extension points exported contracts — how you extend this code

Challenge (Interface)
General Abstract Challenge class containing all the necessary members for a challenge. [32 implementers]
src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
TemplateGenerator (Interface)
Template generator used for Asciidoc to HTML conversion. [4 implementers]
src/main/java/org/owasp/wrongsecrets/asciidoc/TemplateGenerator.java
MuslDetector (Interface)
Musl detector interface which can have multiple implementations. [3 implementers]
src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/MuslDetector.java
ScoreCard (Interface)
Interface of a scorecard where a player's progress is stored into. [2 implementers]
src/main/java/org/owasp/wrongsecrets/ScoreCard.java
CanaryCounter (Interface)
Used for counting the number of canary-token based callbacks. @see org.owasp.wrongsecrets.StatsController for the track [2 …
src/main/java/org/owasp/wrongsecrets/canaries/CanaryCounter.java

Core symbols most depended-on inside this repo

answerCorrect
called by 101
src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
spoiler
called by 99
src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
equals
called by 65
src/main/java/org/owasp/wrongsecrets/definitions/Environment.java
decode
called by 54
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge29.java
handleMcpRequest
called by 18
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge62McpController.java
Multiply
called by 16
src/main/resources/executables/decrypt/lib/aes.c
challenges
called by 15
src/main/java/org/owasp/wrongsecrets/definitions/ChallengeConfig.java
xtime
called by 14
src/main/resources/executables/decrypt/lib/aes.c

Shape

Method 706
Class 245
Function 64
Interface 5
Struct 3
Enum 2

Languages

Java92%
Go4%
C3%
TypeScript2%
C++1%

Modules by API surface

src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java23 symbols
src/main/resources/executables/decrypt/lib/aes.c22 symbols
src/main/java/org/owasp/wrongsecrets/challenges/docker/binaryexecution/BinaryExecutionHelper.java20 symbols
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge62McpController.java19 symbols
scripts/sort_contibutors/main.go19 symbols
src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java15 symbols
src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge62McpControllerTest.java13 symbols
src/test/java/org/owasp/wrongsecrets/challenges/docker/BinaryExecutionHelperTest.java13 symbols
src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpControllerTest.java12 symbols
src/main/java/org/owasp/wrongsecrets/Challenges.java12 symbols
src/test/java/org/owasp/wrongsecrets/challenges/docker/SlackNotificationServiceTest.java11 symbols
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java10 symbols

Datastores touched

userdbDatabase · 1 repos

For agents

$ claude mcp add wrongsecrets \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact