Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to not store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
Can you solve all the 67 challenges?
Try some of them on our Heroku demo environment.
Want to play the other challenges? Read the instructions on how to set them up below.
New to WrongSecrets? Start here:
bash
docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault
Then open http://localhost:8080bash
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
⚠️ Note: This is a development version and may be unstableWhat you'll learn: - Common secrets management mistakes - How to identify exposed credentials - Best practices for securing secrets - Tools and techniques for secret detection
How it works: This repository contains intentionally vulnerable code and configuration files with real and fake secrets hidden throughout the codebase. You'll examine source code, configuration files, Docker containers, and cloud deployments to discover these secrets. Each challenge teaches you different ways secrets can be accidentally exposed in real-world applications.

For basic usage: - A web browser - Docker (for local setup) - Install here
For advanced setups: - Kubernetes/Minikube - Install here - Cloud account (AWS/GCP/Azure) for cloud challenges - Command line familiarity
Need support? Contact us via OWASP Slack for which you sign up here , file a PR, file an issue , or use discussions. Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.
Copyright (c) 2020-2025 Jeroen Willemsen and WrongSecrets contributors.
Not sure which setup is right for you? Here's a quick guide:
| I want to... | Recommended Setup | Challenges Available |
|---|---|---|
| Try it quickly online | Container running on Heroku | Basic challenges (0-4, 8, 12-32, 34-43, 49-52, 54-66) |
| Run locally with Docker | Basic Docker | Same as above, but on your machine |
| Learn Kubernetes secrets | K8s/Minikube Setup | Kubernetes challenges (0-6, 8, 12-43, 48-66) |
| Practice with cloud secrets | Cloud Challenges | All challenges (0-66) |
| Run a workshop/CTF | CTF Setup | Customizable challenge sets |
| Contribute to the project | Development Setup | All challenges + development tools |
Can be used for challenges 0-4, 8, 12-32, 34-43, 49-52, 54-66
For the basic docker exercises you currently require:
You can install it by doing:
docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault
🚀 Want to try the bleeding-edge version?
If you want to see what's coming in the next release, you can use our automatically-built master container:
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
⚠️ Warning: This is a development version built from the latest master branch and may contain experimental features or instabilities.
📝 Note on Ports: - Port 8080: Main application (challenges 0-66) - Port 8090: MCP server (required for Challenge 60)
📝 Note on Challenge 62 (Google Drive MCP): Challenge 62 requires a Google Service Account to be configured for full functionality. See docs/CHALLENGE62_GOOGLE_DRIVE_SETUP.md for setup instructions. Without configuration, the challenge will show a placeholder message.
Now you can try to find the secrets by means of solving the challenge offered at the links below
all the links for docker challenges (click triangle to open the block).
$ claude mcp add wrongsecrets \
-- python -m otcore.mcp_server <graph>