{"id":15036852,"url":"https://github.com/owasp/wrongsecrets","last_synced_at":"2025-05-14T10:06:31.021Z","repository":{"id":37852704,"uuid":"288646913","full_name":"OWASP/wrongsecrets","owner":"OWASP","description":"Vulnerable app with examples showing how to not use secrets","archived":false,"fork":false,"pushed_at":"2025-04-10T06:52:41.000Z","size":109515,"stargazers_count":1296,"open_issues_count":34,"forks_count":430,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-04-10T07:43:26.626Z","etag":null,"topics":["aws","azure","ctf","devsecops","docker","gcp","hashicorp-vault","java","keepass","kubernetes","owasp","secrets","secrets-management","security","terraform-aws","terraform-azure","terraform-gcp","vault","vulnerable-web-app"],"latest_commit_sha":null,"homepage":"https://owasp.org/www-project-wrongsecrets/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":["https://owasp.org/donate/?reponame=www-project-wrongsecrets\u0026title=OWASP+wrongsecrets","https://www.icrc.org/en/donate/ukraine"],"github":"OWASP"}},"created_at":"2020-08-19T05:59:51.000Z","updated_at":"2025-04-10T06:51:33.000Z","dependencies_parsed_at":"2023-10-11T06:48:23.737Z","dependency_job_id":"54b0cd79-938a-45e2-9c8d-c816fbbfe190","html_url":"https://github.com/OWASP/wrongsecrets","commit_stats":null,"previous_names":["commjoen/wrongsecrets"],"tags_count":93,"template":false,"template_full_name":null
,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fwrongsecrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fwrongsecrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fwrongsecrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fwrongsecrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/wrongsecrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248564656,"owners_count":21125408,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","ctf","devsecops","docker","gcp","hashicorp-vault","java","keepass","kubernetes","owasp","secrets","secrets-management","security","terraform-aws","terraform-azure","terraform-gcp","vault","vulnerable-web-app"],"created_at":"2024-09-24T20:32:31.487Z","updated_at":"2025-05-14T10:06:31.007Z","avatar_url":"https://github.com/OWASP.png","language":"Java","readme":"\u003c!-- CRE Link: 
[223-780](https://www.opencre.org/cre/223-780?register=true\u0026type=tool\u0026tool_type=training\u0026tags=secrets,training\u0026description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2015%20challenges%3F) --\u003e\n\n# OWASP WrongSecrets\n\n[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this\u0026url=https://github.com/OWASP/wrongsecrets\u0026hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets) [\u003cimg src=\"https://img.shields.io/badge/-MASTODON-%232B90D9?style=for-the-badge\u0026logo=mastodon\u0026logoColor=white\" width=84\u003e](https://tootpick.org/#text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this%0A%0Ahttps://github.com/OWASP/wrongsecrets%20%23secretsmanagement,%20%23secrets,%20%23hunting,%20%23p0wnableapp,%20%23OWASP,%20%23WrongSecrets) [\u003cimg src=\"https://img.shields.io/badge/LinkedIn-0077B5?style=for-the-badge\u0026logo=linkedin\u0026logoColor=white\" width=80\u003e](https://www.linkedin.com/shareArticle/?url=https://www.github.com/OWASP/wrongsecrets\u0026title=OWASP%20WrongSecrets)\n\n[![Java checkstyle and testing](https://github.com/OWASP/wrongsecrets/actions/workflows/main.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/main.yml) [![Pre-commit](https://github.com/OWASP/wrongsecrets/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/pre-commit.yml) [![Terraform 
FMT](https://github.com/OWASP/wrongsecrets/actions/workflows/terraform.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/terraform.yml) [![CodeQL](https://github.com/OWASP/wrongsecrets/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/codeql-analysis.yml) [![Dead Link Checker](https://github.com/OWASP/wrongsecrets/actions/workflows/link_checker.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/link_checker.yml)[![Javadoc and Swaggerdoc generator](https://github.com/OWASP/wrongsecrets/actions/workflows/java_swagger_doc.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/java_swagger_doc.yml) [![Test Heroku with cypress](https://github.com/OWASP/wrongsecrets/actions/workflows/heroku_tests.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/heroku_tests.yml)\n\n[![Test minikube script (k8s)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-k8s-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-k8s-test.yml) [![Test minikube script (k8s\u0026vault)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-vault-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/minikube-vault-test.yml) [![Docker container test](https://github.com/OWASP/wrongsecrets/actions/workflows/container_test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/container_test.yml)[![Test container on podman](https://github.com/OWASP/wrongsecrets/actions/workflows/container-alts-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/container-alts-test.yml)\n[![DAST with ZAP](https://github.com/OWASP/wrongsecrets/actions/workflows/dast-zap-test.yml/badge.svg)](https://github.com/OWASP/wrongsecrets/actions/workflows/dast-zap-test.yml)\n\n[![OWASP Production 
Project](https://img.shields.io/badge/OWASP-production%20project-48A646.svg)](https://owasp.org/projects/)\n[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7024/badge)](https://bestpractices.coreinfrastructure.org/projects/7024)\n[![Discussions](https://img.shields.io/github/discussions/OWASP/wrongsecrets)](https://github.com/OWASP/wrongsecrets/discussions)\n[![Docker pulls](https://img.shields.io/docker/pulls/jeroenwillemsen/wrongsecrets.svg)](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets)\n\nWelcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes \u0026 can help you to reflect on your own secrets management strategy.\n\nCan you solve all the 55 challenges?\n\nTry some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/).\n\nWant to play the other challenges? 
Read the instructions on how to set them up below.\n\n![screenshotOfChallenge1](/images/screenshot.png)\n\n\u003ca href=\"https://github.com/vshymanskyy/StandWithUkraine/blob/main/README.md\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-no-action.svg\" /\u003e\u003c/a\u003e\n\n## Table of contents\n\n-   [Support](#support)\n-   [Basic docker exercises](#basic-docker-exercises)\n    -   [Running these on Heroku](#running-these-on-heroku)\n    -   [Running these on Render.io](#running-these-on-renderio)\n    -   [Running these on Railway](#running-these-on-railway)\n-   [Basic K8s exercise](#basic-k8s-exercise)\n    -   [Minikube based](#minikube-based)\n    -   [k8s based](#k8s-based)\n    -   [Vault exercises with minikube](#vault-exercises-with-minikube)\n-   [Cloud Challenges](#cloud-challenges)\n    -   [Running WrongSecrets in AWS](#running-wrongsecrets-in-aws)\n    -   [Running WrongSecrets in GCP](#running-wrongsecrets-in-gcp)\n    -   [Running WrongSecrets in Azure](#running-wrongsecrets-in-azure)\n    -   [Running Challenge15 in your own cloud only](#running-challenge15-in-your-own-cloud-only)\n-   [Do you want to play without guidance?](#do-you-want-to-play-without-guidance-or-spoils)\n-   [Special thanks \u0026 Contributors](#special-thanks--contributors)\n-   [Sponsorships](#sponsorships)\n-   [Help Wanted](#help-wanted)\n-   [Use OWASP WrongSecrets as a secret detection benchmark](#use-owasp-wrongsecrets-as-a-secret-detection-benchmark)\n-   [CTF](#ctf)\n    -   [CTFD Support](#ctfd-support)\n    -   [FBCTF Support](#fbctf-support-experimental)\n-   [Notes on development](#notes-on-development)\n    -   [Dependency management](#dependency-management)\n    -   [Get the project started in IntelliJ IDEA](#get-the-project-started-in-intellij-idea)\n    -   [Automatic reload during development](#automatic-reload-during-development)\n    -   [How to add a Challenge](#how-to-add-a-challenge)\n    -   [Local 
testing](#local-testing)\n    -   [Local Automated testing](#Local-automated-testing)\n-   [Want to play, but are not allowed to install the tools?](#want-to-play-but-are-not-allowed-to-install-the-tools)\n-   [Want to disable challenges in your own release?](#want-to-disable-challenges-in-your-own-release)\n-   [Further reading on secrets management](#further-reading-on-secrets-management)\n\n## Support\n\nNeed support? Contact us\nvia [OWASP Slack](https://owasp.slack.com/archives/C02KQ7D9XHR) for which you sign up [here](https://owasp.org/slack/invite)\n, file a [PR](https://github.com/OWASP/wrongsecrets/pulls), file\nan [issue](https://github.com/OWASP/wrongsecrets/issues) , or\nuse [discussions](https://github.com/OWASP/wrongsecrets/discussions). Please note that this is an OWASP volunteer\nbased project, so it might take a little while before we respond.\n\nCopyright (c) 2020-2025 Jeroen Willemsen and WrongSecrets contributors.\n\n## Basic docker exercises\n\n_Can be used for challenges 1-4, 8, 12-32, 34, 35-43, 49-52, 54-55_\n\nFor the basic docker exercises you currently require:\n\n-   Docker [Install from here](https://docs.docker.com/get-docker/)\n-   Some Browser that can render HTML\n\nYou can install it by doing:\n\n```bash\ndocker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault\n```\nNow you can try to find the secrets by means of solving the challenge offered at the links below\n\u003cdetails\u003e\n    \u003csummary\u003eall the links for docker challenges (click triangle to open the block).\n    \u003c/summary\u003e\n\n-   [localhost:8080/challenge/challenge-1](http://localhost:8080/challenge/challenge-1)\n-   [localhost:8080/challenge/challenge-2](http://localhost:8080/challenge/challenge-2)\n-   [localhost:8080/challenge/challenge-3](http://localhost:8080/challenge/challenge-3)\n-   [localhost:8080/challenge/challenge-4](http://localhost:8080/challenge/challenge-4)\n-   
[localhost:8080/challenge/challenge-8](http://localhost:8080/challenge/challenge-8)\n-   [localhost:8080/challenge/challenge-12](http://localhost:8080/challenge/challenge-12)\n-   [localhost:8080/challenge/challenge-13](http://localhost:8080/challenge/challenge-13)\n-   [localhost:8080/challenge/challenge-14](http://localhost:8080/challenge/challenge-14)\n-   [localhost:8080/challenge/challenge-15](http://localhost:8080/challenge/challenge-15)\n-   [localhost:8080/challenge/challenge-16](http://localhost:8080/challenge/challenge-16)\n-   [localhost:8080/challenge/challenge-17](http://localhost:8080/challenge/challenge-17)\n-   [localhost:8080/challenge/challenge-18](http://localhost:8080/challenge/challenge-18)\n-   [localhost:8080/challenge/challenge-19](http://localhost:8080/challenge/challenge-19)\n-   [localhost:8080/challenge/challenge-20](http://localhost:8080/challenge/challenge-20)\n-   [localhost:8080/challenge/challenge-21](http://localhost:8080/challenge/challenge-21)\n-   [localhost:8080/challenge/challenge-22](http://localhost:8080/challenge/challenge-22)\n-   [localhost:8080/challenge/challenge-23](http://localhost:8080/challenge/challenge-23)\n-   [localhost:8080/challenge/challenge-24](http://localhost:8080/challenge/challenge-24)\n-   [localhost:8080/challenge/challenge-25](http://localhost:8080/challenge/challenge-25)\n-   [localhost:8080/challenge/challenge-26](http://localhost:8080/challenge/challenge-26)\n-   [localhost:8080/challenge/challenge-27](http://localhost:8080/challenge/challenge-27)\n-   [localhost:8080/challenge/challenge-28](http://localhost:8080/challenge/challenge-28)\n-   [localhost:8080/challenge/challenge-29](http://localhost:8080/challenge/challenge-29)\n-   [localhost:8080/challenge/challenge-30](http://localhost:8080/challenge/challenge-30)\n-   [localhost:8080/challenge/challenge-31](http://localhost:8080/challenge/challenge-31)\n-   [localhost:8080/challenge/challenge-32](http://localhost:8080/challenge/challenge-32)\n-   
[localhost:8080/challenge/challenge-34](http://localhost:8080/challenge/challenge-34)\n-   [localhost:8080/challenge/challenge-35](http://localhost:8080/challenge/challenge-35)\n-   [localhost:8080/challenge/challenge-36](http://localhost:8080/challenge/challenge-36)\n-   [localhost:8080/challenge/challenge-37](http://localhost:8080/challenge/challenge-37)\n-   [localhost:8080/challenge/challenge-38](http://localhost:8080/challenge/challenge-38)\n-   [localhost:8080/challenge/challenge-39](http://localhost:8080/challenge/challenge-39)\n-   [localhost:8080/challenge/challenge-40](http://localhost:8080/challenge/challenge-40)\n-   [localhost:8080/challenge/challenge-41](http://localhost:8080/challenge/challenge-41)\n-   [localhost:8080/challenge/challenge-42](http://localhost:8080/challenge/challenge-42)\n-   [localhost:8080/challenge/challenge-43](http://localhost:8080/challenge/challenge-43)\n-   [localhost:8080/challenge/challenge-49](http://localhost:8080/challenge/challenge-49)\n-   [localhost:8080/challenge/challenge-50](http://localhost:8080/challenge/challenge-50)\n-   [localhost:8080/challenge/challenge-51](http://localhost:8080/challenge/challenge-51)\n-   [localhost:8080/challenge/challenge-52](http://localhost:8080/challenge/challenge-52)\n-   [localhost:8080/challenge/challenge-54](http://localhost:8080/challenge/challenge-54)\n-   [localhost:8080/challenge/challenge-55](http://localhost:8080/challenge/challenge-55)\n\n\u003c/details\u003e\n\nNote that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look\nbetter ;-).\n\n### Running these on Heroku\n\nYou can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecrets.herokuapp.com/) as well! The folks at Heroku have given us an awesome open source support package, which allows us to run the app for free there, where it is almost always up. 
Still, please do not fuzz and/or try to bring it down: you would be spoiling it for others who want to test-drive it.\nUse [this link](https://wrongsecrets.herokuapp.com/) to use our hosted version of the app. If you want to host it on Heroku yourself (e.g., for running a training), you can do so by clicking [this link](https://heroku.com/deploy?template=https://github.com/OWASP/wrongsecrets/tree/master). Please be aware that this will incur costs for which this project and/or its maintainers cannot be held responsible.\n\n### Running these on Render.io\n*status: experimental*\n\nYou can test them out at [https://wrongsecrets.onrender.com/](https://wrongsecrets.onrender.com/). Please understand that we run on a free-tier instance, so we cannot give any guarantees. Please do not fuzz and/or try to bring it down: you would be spoiling it for others who want to test-drive it.\nWant to deploy yourself with Render? Click the button below:\n\n[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/OWASP/wrongsecrets)\n\n\n### Running these on Railway\n*status: maintained by [alphasec.io](https://github.com/alphasecio)*\n\nIf you want to host WrongSecrets on Railway, you can do so by deploying [this one-click template](https://railway.app/new/template/7pnwRj). Railway does not offer an always-free plan anymore, but the free trial is good enough to test-drive this before you decide to upgrade. 
If you need a step-by-step companion guide, see [this blog post](https://alphasec.io/test-your-secret-management-skills-with-owasp-wrongsecrets/).\n\n[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template/7pnwRj)\n\n## Basic K8s exercise\n\n_Can be used for challenges 1-6, 8, 12-43, 48-55_\n\n### Minikube based\n\nMake sure you have the following installed:\n\n-   Docker [Install from here](https://docs.docker.com/get-docker/)\n-   Minikube [Install from here](https://minikube.sigs.k8s.io/docs/start/)\n\nThe K8S setup currently is based on using Minikube for local fun. You can use the commands below from the root of the project:\n\n```bash\n    minikube start\n    kubectl apply -f k8s/secrets-config.yml\n    kubectl apply -f k8s/secrets-secret.yml\n    kubectl apply -f k8s/challenge33.yml\n    kubectl apply -f k8s/challenge53/secret-challenge53.yml\n    echo \"Setting up the bitnami sealed secret controller\"\n    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml\n    kubectl apply -f k8s/sealed-secret-controller.yaml\n    kubectl apply -f k8s/main.key\n    kubectl delete pod -n kube-system -l name=sealed-secrets-controller\n    kubectl create -f k8s/sealed-challenge48.json\n    echo \"finishing up the sealed secret controller part\"\n    sleep 10 # or check whether secret48 is there\n    kubectl apply -f k8s/secret-challenge-deployment.yml\n    while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type==\"Ready\")].status}') != \"True\" ]]; do echo \"waiting for secret-challenge\" \u0026\u0026 sleep 2; done\n    kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080\n    minikube service secret-challenge\n```\n\nAlternatively, you can run:\n\n```bash\n    ./k8s-vault-minikube-start.sh\n```\n\nNow you can use the provided IP address and port to further play with the K8s variant (instead of localhost).\n\n-   
[localhost:8080/challenge/challenge-5](http://localhost:8080/challenge/challenge-5)\n-   [localhost:8080/challenge/challenge-6](http://localhost:8080/challenge/challenge-6)\n-   [localhost:8080/challenge/challenge-33](http://localhost:8080/challenge/challenge-33)\n-   [localhost:8080/challenge/challenge-48](http://localhost:8080/challenge/challenge-48)\n-   [localhost:8080/challenge/challenge-53](http://localhost:8080/challenge/challenge-53)\n\n### k8s based\n\nWant to run vanilla on your own k8s? Use the commands below:\n\n```bash\n    kubectl apply -f k8s/secrets-config.yml\n    kubectl apply -f k8s/secrets-secret.yml\n    echo \"Setting up the bitnami sealed secret controller\"\n    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml\n    kubectl apply -f k8s/sealed-secret-controller.yaml\n    kubectl apply -f k8s/main.key\n    kubectl delete pod -n kube-system -l name=sealed-secrets-controller\n    kubectl create -f k8s/sealed-challenge48.json\n    echo \"finishing up the sealed secret controller part\"\n    sleep 10 # or check whether secret48 is there\n    kubectl apply -f k8s/challenge33.yml\n    kubectl apply -f k8s/secret-challenge-deployment.yml\n    while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type==\"Ready\")].status}') != \"True\" ]]; do echo \"waiting for secret-challenge\" \u0026\u0026 sleep 2; done\n    kubectl port-forward \\\n        $(kubectl get pod -l app=secret-challenge -o jsonpath=\"{.items[0].metadata.name}\") \\\n        8080:8080\n```\n\nNow you can use the provided IP address and port to further play with the K8s variant (instead of localhost).\n\n-   [localhost:8080/challenge/challenge-5](http://localhost:8080/challenge/challenge-5)\n-   [localhost:8080/challenge/challenge-6](http://localhost:8080/challenge/challenge-6)\n-   [localhost:8080/challenge/challenge-33](http://localhost:8080/challenge/challenge-33)\n-   
[localhost:8080/challenge/challenge-48](http://localhost:8080/challenge/challenge-48)\n\n## Vault exercises with minikube\n\n_Can be used for challenges 1-8, 12-55_\n\nMake sure you have the following installed:\n\n-   minikube with docker (or comment out line 8 and work at your own k8s setup),\n-   docker,\n-   helm [Install from here](https://helm.sh/docs/intro/install/),\n-   kubectl [Install from here](https://kubernetes.io/docs/tasks/tools/),\n-   jq [Install from here](https://stedolan.github.io/jq/download/),\n-   vault [Install from here](https://www.vaultproject.io/downloads),\n-   grep, cat, and sed\n\nRun `./k8s-vault-minikube-start.sh`. When the script is done, the challenges will wait for you at \u003chttp://localhost:8080\u003e. This will allow you to run challenges 1-8, 12-48.\n\nIf you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward, run `k8s-vault-minikube-resume.sh`.\nThis is because running the start script again would replace the secret in the vault without updating the secret-challenge application with the new secret.\n\n## Cloud Challenges\n\n_Can be used for challenges 1-55_\n\n**READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,\nnever run this on an account which is related to your production environment or can influence your account-over-arching\nresources.\n\n### Running WrongSecrets in AWS\n\nFollow the steps in [the README in the AWS subfolder](aws/README.md).\n\n### Running WrongSecrets in GCP\n\nFollow the steps in [the README in the GCP subfolder](gcp/README.md).\n\n### Running WrongSecrets in Azure\n\nFollow the steps in [the README in the Azure subfolder](azure/README.md).\n\n### Running Challenge15 in your own cloud only\n\nWhen you want to include your own Canarytokens for your cloud-deployment, do the following:\n\n1. Fork the project.\n2. 
Make sure you use the [GCP ingress](/gcp/k8s-vault-gcp-ingress-start.sh) or [AWS ingress](aws/k8s-aws-alb-script.sh) scripts to generate an ingress for your project.\n3. Go to [canarytokens.org](https://canarytokens.org/generate) and select `AWS Keys`. In the webhook URL field, add `\u003cyour-domain-created-at-step1\u003e/canaries/tokencallback`.\n4. Encrypt the received credentials so that [Challenge15](/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge15.java) can decrypt them again.\n5. Commit the unencrypted and encrypted materials to Git and then commit again without the decrypted materials.\n6. Adapt the hints of Challenge 15 in your fork to point to your fork.\n7. Create a container and push it to your registry.\n8. Override the K8s definition files for either [AWS](/aws/k8s/secret-challenge-vault-deployment.yml) or [GCP](/gcp/k8s/secret-challenge-vault-deployment.yml.tpl).\n\n## Do you want to play without guidance or spoils?\n\nEach challenge has a `Show hints` button and a `What's wrong?` button. These buttons help to simplify the challenges and explain them to the reader. 
However, the explanations can spoil the fun if you want to do this as a hacking exercise.\nTherefore, you can manipulate them by overriding the following settings in your env:\n\n-   `hints_enabled=false` will turn off the `Show hints` button.\n-   `reason_enabled=false` will turn off the `What's wrong?` explanation button.\n-   `spoiling_enabled=false` will turn off the `/spoil/challenge-x` endpoint (where `x` is the short-name of the challenge).\n\n## Enabling Swaggerdocs and UI\n\nYou can enable Swagger documentation and the Swagger UI by overriding the `SPRINGDOC_UI` and `SPRINGDOC_DOC` settings when running the Docker container.\n\n## Special thanks \u0026 Contributors\n\nLeaders:\n\n- [Ben de Haan @bendehaan](https://www.github.com/bendehaan)\n- [Jeroen Willemsen @commjoen](https://www.github.com/commjoen)\n\nTop contributors:\n\n- [Jannik Hollenbach @J12934](https://www.github.com/J12934)\n- [Puneeth Y @puneeth072003](https://www.github.com/puneeth072003)\n- [Joss Sparkes @RemakingEden](https://www.github.com/RemakingEden)\n\nContributors:\n\n- [Nanne Baars @nbaars](https://www.github.com/nbaars)\n- [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)\n- [Rodolfo Neves @roddas](https://www.github.com/roddas)\n- [Osama Magdy @osamamagdy](https://www.github.com/osamamagdy)\n- [Pastekitoo @Pastekitoo](https://www.github.com/Pastekitoo)\n- [Shubham Patel @Shubham-Patel07](https://www.github.com/Shubham-Patel07)\n- [za @za](https://www.github.com/za)\n- [Divyanshu Dev @Novice-expert](https://www.github.com/Novice-expert)\n- [Tibor Hercz @tiborhercz](https://www.github.com/tiborhercz)\n- [Chris Elbring Jr. 
@neatzsche](https://www.github.com/neatzsche)\n- [Adarsh A @adarsh-a-tw](https://www.github.com/adarsh-a-tw)\n- [Diamond Rivero @diamant3](https://www.github.com/diamant3)\n- [Norbert Wolniak @nwolniak](https://www.github.com/nwolniak)\n- [Filip Chyla @fchyla](https://www.github.com/fchyla)\n- [Dmitry Litosh @Dlitosh](https://www.github.com/Dlitosh)\n- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)\n- [Mahaputra Ilham Awal @mahaputrailhamawal](https://www.github.com/mahaputrailhamawal)\n- [Turjo Chowdhury @turjoc120](https://www.github.com/turjoc120)\n- [SndR @SndR85](https://www.github.com/SndR85)\n- [Josh Grossman @tghosth](https://www.github.com/tghosth)\n- [alphasec @alphasecio](https://www.github.com/alphasecio)\n- [CaduRoriz @CaduRoriz](https://www.github.com/CaduRoriz)\n- [Madhu Akula @madhuakula](https://www.github.com/madhuakula)\n- [Mike Woudenberg @mikewoudenberg](https://www.github.com/mikewoudenberg)\n- [Spyros @northdpole](https://www.github.com/northdpole)\n- [RubenAtBinx @RubenAtBinx](https://www.github.com/RubenAtBinx)\n- [Alex Bender @alex-bender](https://www.github.com/alex-bender)\n- [Danny Lloyd @dannylloyd](https://www.github.com/dannylloyd)\n- [Nicolas Humblot @nhumblot](https://www.github.com/nhumblot)\n- [Rick M @kingthorin](https://www.github.com/kingthorin)\n- [Shlomo Zalman Heigh @szh](https://www.github.com/szh)\n- [Fern @f3rn0s](https://www.github.com/f3rn0s)\n- [Jeff Tong @Wind010](https://www.github.com/Wind010)\n\nTesters:\n\n- [Dave van Stein @davevs](https://www.github.com/davevs)\n- [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)\n- [Marc Chang Sing Pang @mchangsp](https://www.github.com/mchangsp)\n- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)\n\nSpecial thanks:\n\n- [Madhu Akula @madhuakula @madhuakula](https://www.github.com/madhuakula)\n- [Nanne Baars @nbaars @nbaars](https://www.github.com/nbaars)\n- [Björn Kimminich @bkimminich](https://www.github.com/bkimminich)\n- [Dan Gora 
@devsecops](https://www.github.com/devsecops)\n- [Xiaolu Dai @saragluna](https://www.github.com/saragluna)\n- [Jonathan Giles @jonathanGiles](https://www.github.com/jonathanGiles)\n\n\n### Sponsorships\n\nWe would like to thank the following parties for helping us out:\n\n[![gitguardian_logo.png](images/gitguardian_logo.jpeg)](https://blog.gitguardian.com/gitguardian-is-proud-sponsor-of-owasp/)\n\n[GitGuardian](https://www.gitguardian.com/) for their sponsorship which allows us to pay the bills for our cloud-accounts.\n\n[![jetbrains_logo.png](images/jetbrains_logo.png)](https://www.jetbrains.com/)\n\n[Jetbrains](https://www.jetbrains.com/) for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!\n\n[![1password_logo.png](images/1password_logo.png)](https://github.com/1Password/1password-teams-open-source/pull/552)\n\n[1Password](https://1password.com/) for granting us an open source license to 1Password for the secret detection testbed.\n\n\n[![AWS Open Source](images/aws-white_48x29.png)](https://aws.amazon.com/)\n\n[AWS](https://aws.amazon.com/) for granting us AWS Open Source credits which we use to test our project and the [Wrongsecrets CTF Party](https://github.com/OWASP/wrongsecrets-ctf-party) setup on AWS.\n\n## Help Wanted\n\nYou can help us by the following methods:\n\n-   Star us\n-   Share this app with others\n-   Of course, we can always use your help [to get more flavors](https://github.com/OWASP/wrongsecrets/issues/37) of \"wrongly\" configured secrets in to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent cloud for instance. Do you miss something else than a cloud provider? File an issue or create a PR! See [our guide on contributing for more details](CONTRIBUTING.md). 
Contributors will be listed in releases, in the \"Special thanks \u0026 Contributors\"-section, and the web-app.\n\n## Use OWASP WrongSecrets as a secret detection benchmark\n\nAs tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it.\nWant to know if your tool detects everything? We will keep track of the embedded secrets in [this issue](https://github.com/OWASP/wrongsecrets/issues/201) and have a [branch](https://github.com/OWASP/wrongsecrets/tree/experiment-bed) in which we put additional secrets for your tool to detect.\nThe branch will contain a Docker container generation script using which you can eventually test your container secret scanning.\n\n## CTF\n\nWe have 3 ways of playing CTFs:\n\n-   The quick \"let's play\"-approach based on our own Heroku domain [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com), which we documented for you here.\n-   A more extended approach documented in [ctf-instructions.md](/ctf-instructions.md).\n-   A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use [the WrongSecrets CTF Party setup](https://github.com/OWASP/wrongsecrets-ctf-party).\n\n### CTFD Support\n\nWant to use CTFD to play a CTF based on the free Heroku wrongsecrets-ctf instance together with CTFD? 
You can!\n\nNOTE: CTFD support now works based on the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf).\n\nNOTE-II: [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) (temporarily down due to lack of OSS credits) is based on Heroku and has limited capacity.\n\nInitial creation of the zip file for CTFD requires you to visit [https://wrongsecrets-ctf.herokuapp.com/api/Challenges](https://wrongsecrets-ctf.herokuapp.com/api/Challenges) once before executing the steps below.\n\nFollow these steps:\n\n```shell\n    npm install -g juice-shop-ctf-cli@10.0.1\n    juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.\n    docker run -p 8001:8000 -it ctfd/ctfd:3.7.4\n```\n\nNow visit the CTFD instance at [http://localhost:8001](http://localhost:8001) and set up your CTF.\nThen use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.\nGame on using [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com)!\nWant to set up your own? You can! 
Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our Heroku container.\n\n## FBCTF Support (Experimental!)\n\nNOTE: FBCTF support is experimental.\n\nFollow the same steps as with CTFD, but now choose fbctfd, and as the URL for the country mapping choose `https://raw.githubusercontent.com/OWASP/wrongsecrets/79a982558016c8ce70948a8106f9a2ee5b5b9eea/config/fbctf.yml`.\nThen follow [https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide](https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide) to run the FBCTF.\n\n## Notes on development\n\nFor development on a local machine, use the `local` profile: `./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault`\n\nIf you want to test against Vault without K8s, start Vault locally with:\n\n```shell\n export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'\n export VAULT_API_ADDR='http://127.0.0.1:8200'\n vault server -dev\n```\n\nand in your next terminal, do (with the token from the previous commands):\n\n```shell\nexport SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'\nexport SPRING_CLOUD_VAULT_TOKEN='\u003cTOKENHERE\u003e'\nvault token create -id=\"00000000-0000-0000-0000-000000000000\" -policy=\"root\"\nvault kv put secret/secret-challenge vaultpassword.password=\"$(openssl rand -base64 16)\"\nvault kv put secret/injected vaultinjected.value=\"$(openssl rand -base64 16)\"\nvault kv put secret/codified challenge47secret.value=\"debugvalue\"\n```\n\nNow use the `local-vault` profile to do your development.\n\n```shell\n./mvnw spring-boot:run -Dspring-boot.run.profiles=local,local-vault\n```\n\nIf you want to develop without a Vault instance, additionally use the `without-vault` profile:\n\n```shell\n./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault\n```\n\nWant to push a container? 
See `.github/scripts/docker-create-and-push.sh` for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container.\n\nWant to check why something in Vault is not working in Kubernetes? Do `kubectl exec vault-0 -n vault -- vault audit enable file file_path=stdout`.\n\n### Dependency management\n\nWe have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities.\nYou can run the OWASP Dependency-checker by calling `mvn dependency-check:aggregate`, and use `mvn cyclonedx:makeBom` to have CycloneDX create an SBOM.\n\n### Get the project started in IntelliJ IDEA\n\nRequirements: make sure you have the following tools installed: [Docker](https://www.docker.com/products/docker-desktop/), [Java22 JDK](https://jdk.java.net/22/), [NodeJS 20](https://nodejs.org/en/download/current) and [IntelliJ IDEA](https://www.jetbrains.com/idea/download).\n\n1. Fork and clone the project as described in the [documentation](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md).\n2. Import the project in IntelliJ (e.g. import as mvn project / local sources)\n3. Go to the project settings and make sure it uses Java22 (and that the JDK can be found)\n4. Go to the IDE settings \u003e Language \u0026 Frameworks \u003e Lombok and make sure Lombok processing is enabled\n5. Open the Maven Tab in your IDEA and run \"Reload All Maven Projects\" to make the system sync and download everything. Next, in that same tab use the \"install\" option as part of the OWASP WrongSecrets Lifecycle to generate the asciidoc and such.\n6. Now run the `main` method in `org.owasp.wrongsecrets.WrongSecretsApplication.java`. This should fail with a stack trace.\n7. Now go to the run configuration of the app and make sure you have the active profile `without-vault`. This is done by setting the VM options arguments to `--server.port=8080 --spring.profiles.active=local,without-vault`. 
Set `K8S_ENV=docker` as an environment argument.\n8. Repeat step 6: run the app again. You should now have a properly running application, which you can visit in your browser at http://localhost:8080.\n\nA **Pictorial Guide** on how to get the project started in IntelliJ IDEA is available at [_Contributing.md_](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-get-started-with-the-project-in-intellij-idea).\n\nFeel free to edit and propose changes via pull requests. Be sure to follow our guidance in the [documentation](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md) to get your work accepted.\n\nPlease note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection \u0026 a bunch of `exe` files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).\n\nIf, after reading this section, you still have no clue about the application code: have a look [at some tutorials on Spring boot from Baeldung](https://www.baeldung.com/spring-boot).\n\n### Automatic reload during development\n\nTo make changes load faster, we added `spring-dev-tools` to the Maven project.\nTo enable this in IntelliJ automatically, make sure:\n\n-   Under Compiler -\u003e Automatically build project is enabled, and\n-   Under Advanced settings -\u003e Allow auto-make to start even if developed application is currently running.\n\nYou can also manually invoke: Build -\u003e Recompile the file you just changed, this will also force reloading of the application.\n\n### How to add a Challenge\n\nFollow the steps below on adding a challenge:\n\n1. First make sure that you have an [Issue](https://github.com/OWASP/wrongsecrets/issues) reported for which a challenge is really wanted.\n2. Add the new challenge in the `org.owasp.wrongsecrets.challenges` folder. 
Make sure you add an explanation in `src/main/resources/explanations` and refer to it from your new Challenge class.\n3. Add unit, integration and UI tests as appropriate to show that your challenge is working.\n4. Do not forget to configure the challenge in `src/main/resources/wrong-secrets-configuration.yaml`\n5. Review the [CONTRIBUTING guide](CONTRIBUTING.md) for setting up your contributing environment and writing good commit messages.\n\nFor more details please refer to [_Contributing.md_](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md#how-to-add-a-challenge).\n\nIf you want to move existing cloud challenges to another cloud: extend Challenge classes in the `org.owasp.wrongsecrets.challenges.cloud` package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to `org.owasp.wrongsecrets.RuntimeEnvironment`.\nCollaborate with the others at the project to get your container running so you can test at the cloud account.\n\n### Local testing\n\nIf you have made some changes to the codebase or added a new challenge and would like to see exactly how the container will look after merge for testing, we have a script that makes this very easy. Follow the steps below:\n\n1. Ensure you have bash installed and open.\n2. Navigate to .github/scripts.\n3. Run the docker-create script `bash docker-create.sh`.\n   - Note: Do you want to run this on your minikube? Then first run `eval $(minikube docker-env)`.\n4. Follow any instructions given; you may need to install/change packages.\n5. 
Run the newly created container:\n  - to run it locally: `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test-no-vault`\n  - to run it on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-k8s-vault` in your deployment definition.\n  - to run it with Vault on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-local-vault` in your deployment definition.\n\n### Local Automated testing\n\nWe currently have 2 different test-suites, both fired with `./mvnw test`.\n- A normal junit test suite of unit and integration tests, located at the [`test/java` folder](src/test/java) with output stored at the default target directory.\n- A cypress test suite, integrated by means of a junit test, located at [`test/e2e` folder](src/test/e2e) with output stored at [`target/test-classes/e2e/cypress/reports/`](target/test-classes/e2e/cypress/reports/). See the [cypress readme](src/test/e2e/cypress/README.md) for more details.\n\nNote: You can do a full roundtrip of cleaning, building, and testing with `./mvnw clean install`.\n\n## Want to play, but are not allowed to install the tools?\n\nIf you want to play the challenges, but cannot install tools like keepass, Radare, etc., 
but are allowed to run Docker containers, try the following:\n\n```shell\ndocker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest\n```\n\nor use something more configurable:\n\n```shell\ndocker run -d \\\n  --name=webtop \\\n  --security-opt seccomp=unconfined \\\n  -e PUID=1000 \\\n  -e PGID=1000 \\\n  -e TZ=Europe/London \\\n  -e SUBFOLDER=/ \\\n  -e KEYBOARD=en-us-qwerty \\\n  -p 3000:3000 \\\n  -v /var/run/docker.sock:/var/run/docker.sock \\\n  --shm-size=\"2gb\" \\\n  --restart unless-stopped \\\n  jeroenwillemsen/wrongsecrets-desktop:latest\n```\n\nAnd then visit [http://localhost:3000](http://localhost:3000).\n\nNote: be careful with trying to deploy the `jeroenwillemsen/wrongsecrets-desktop` container to Heroku ;-).\n\n## Docker on macOS with M1 and Colima (Experimental!)\n\nNOTE: We do not officially support Colima, as we can tell that Github runners have loads of issues with it.\n\nIf you cannot switch to Docker Desktop/Podman and you want to use Colima with Apple Silicon M1\nto run Docker image `jeroenwillemsen/wrongsecrets`, you can try one of:\n\n- switch off Colima (`colima stop`)\n- change Docker context (`docker --context desktop-linux run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault`)\n- run Colima with 1 CPU (`colima start -m 8 -c 1 --arch x86_64`)\n\n## Want to disable challenges in your own release?\n\nIf you want to run WrongSecrets but without certain challenges you don't want to present to others: please read this section.\n\n*_NOTE_* Please note that we do not deliver any support to your fork when you follow the process below. 
Please understand that the license and copyright of the original application remain intact for your fork.\n\nRequirements:\n- Have the JDK of Java 22 installed;\n- Have an account at a registry to which you can push your variant of the WrongSecrets container;\n\nHere are the steps you have to follow to create your own release of WrongSecrets with certain challenges disabled:\n1. Fork the repository.\n2. In `src/main/resources/wrong-secrets-configuration.yaml` remove the reference to the challenge you no longer want to have in your fork.\n3. In the root of the project run `./mvnw clean install`\n4. Now build the Docker image for your target of choice:\n\n```sh\n   docker buildx create --name mybuilder\n   docker buildx use mybuilder\n   docker buildx build --platform linux/amd64,linux/arm64 -t \u003cregistry/container-name\u003e:\u003cyourtag\u003e-no-vault --build-arg \"argBasedPassword='this is on your command line'\" --build-arg \"PORT=8081\" --build-arg \"argBasedVersion=\u003cyourtag\u003e\" --build-arg \"spring_profile=without-vault\" --push .\n   docker buildx build --platform linux/amd64,linux/arm64 -t \u003cregistry/container-name\u003e:\u003cyourtag\u003e-kubernetes-vault --build-arg \"argBasedPassword='this is on your command line'\" --build-arg \"PORT=8081\" --build-arg \"argBasedVersion=\u003cyourtag\u003e\" --build-arg \"spring_profile=kubernetes-vault\" --push .\n```\n\n\n## Further reading on secrets management\n\nWant to learn more? 
Check out the sources below:\n\n-   [Blog: 10 Pointers on Secrets Management](https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j)\n-   [OWASP SAMM on Secret Management](https://owaspsamm.org/model/implementation/secure-deployment/stream-b/)\n-   [The secret detection topic at GitHub](https://github.com/topics/secrets-detection)\n-   [OWASP Secrets Management Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_Cheat_Sheet.md)\n-   [OpenCRE on secrets management](https://www.opencre.org/cre/223-780?register=true\u0026type=tool\u0026tool_type=training\u0026tags=secrets,training\u0026description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F\u0026trk=flagship-messaging-web\u0026messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==\u0026lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==)\n","funding_links":["https://owasp.org/donate/?reponame=www-project-wrongsecrets\u0026title=OWASP+wrongsecrets","https://www.icrc.org/en/donate/ukraine","https://github.com/sponsors/OWASP"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowasp%2Fwrongsecrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fowasp%2Fwrongsecrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowasp%2Fwrongsecrets/lists"}