Git Show — The Commit That Looked Innocent but Contained a Backdoor
A security audit scanned commit messages but didn't inspect the actual diff.
20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.
- ✓Basic programming fundamentals (variables, functions, control flow)
- ✓No prior devops experience needed — we start from first principles
git show shows a commit's full diff. git show --stat shows only the file summary. git show shows the file contents at that commit. git show shows the tag's message and object.
Git show is like a magnifying glass for any single point in your repository's history. A commit message says 'Fix login bug' — git show reveals what actually changed. A tag says 'v1.0.0' — git show reveals what commit it points to and who signed it. It's the command you use when someone says 'check this commit' and you need to verify what's really inside.
| Chrome | Firefox | Safari | Edge |
|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ |
Commit messages can lie — not intentionally, but they can be misleading, incomplete, or vague. git show is the tool that looks past the message and reveals the actual changes. It's essential for code review, security audits, and debugging. A commit message might say 'Fix formatting' while git show reveals a logic change buried in the diff. This guide covers how to use git show to inspect every object type in Git, and the security audit where a commit message hid a malicious backdoor.
Inspecting Commits, Tags, and Files with git show
git show <sha> shows the commit author, date, message, and the full diff (like git log -p -1). git show --stat <sha> shows a summary of changed files with line counts. git show --name-only <sha> lists only changed file paths.
git show <tag> shows the tag object: tagger name, date, message, and what commit/tree it points to. For annotated tags with GPG signatures, it shows the signature verification.
git show <sha>:<file> outputs the full file contents as it existed at that commit. This is like git cat-file -p <sha>:<path> but more intuitive. You can redirect it: git show HEAD~3:src/config.json > old-config.json.
git show v1.0.0^{commit} shows the commit an annotated tag points to (not the tag object itself). git show v1.0.0^{tree} shows the top-level tree. git show HEAD:./ shows files in the current directory at HEAD. These suffixes work with any ref, not just tags.git show -S 'TODO|FIXME|HACK|XXX|DEBUG|hardcoded|bypass' HEAD to flag suspicious patterns in commits. For security-critical repositories, run git show --diff-filter=A --name-only HEAD to list newly added files in every PR commit. Block any PR that adds new API endpoints without explicit security review. Use git show HEAD:requirements.txt to verify dependency changes at a glance.git show <sha> reveals the full diff behind any commit. git show <sha>:<path> reads file contents from history. git show <tag> inspects tag objects and signatures. Never trust commit messages — always git show the actual changes.The Commit Message Said 'Fix Linting' — The Diff Added a Backdoor
/api/internal/access that authenticated with a hardcoded token. 4. The diff was 15 lines — 10 lines of genuine linting fixes (whitespace, imports) and 5 lines of hidden backdoor code in the same file. 5. The backdoor was disguised by placing it near the linting changes, making it look like part of the fix. 6. The commit was merged and deployed. 7. Three months later, a security audit using git log -S 'hardcoded' --all found the backdoor.git show -S 'internal|backdoor|bypass' --all. 3. Changed code review policy: every commit message that says 'linting', 'formatting', 'style', or 'cleanup' must be expanded in the diff view before approval. 4. Added CI check: git diff --diff-filter=A --name-only HEAD^ lists new files in every PR; unexpected new endpoints or routes trigger a flag. 5. Implemented signed commits with GPG (article 200) to verify the contributor's identity. 6. Ran a team-wide training on code review best practices.- Never trust a commit message at face value.
- 'Fix linting', 'Refactor', 'Cleanup' are common disguises for hidden changes.
- Always expand and review the full diff.
- Use
git showto inspect the actual changes behind every commit message. - Security-sensitive changes should be in separate, clearly-labeled commits.
git show <sha> — shows commit details and full diffgit show --stat <sha> — files changed, insertions, deletionsgit show <sha>:path/to/file — cat a file from any point in historygit show <tag-name> — shows tagger, date, message, and signed commitgit show -S 'password' <sha> — highlight matches in the diffKey takeaways
git show <sha> shows full commit diffgit show --stat <sha> for a summary of changed filesgit show <sha>:<file> reads file contents from any point in historygit show <tag> inspects annotated tag objects and signatures^{commit} and ^{tree} to navigate between Git object typesgit show -S for suspicious patterns like 'TODO', 'FIXME', 'hardcoded'20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.
That's Git. Mark it forged?
3 min read · try the examples if you haven't