Home DevOps Git Show — The Commit That Looked Innocent but Contained a Backdoor
Beginner 3 min · July 07, 2026
Git Show: Inspect Commits, Tags, and Files in Detail

Git Show — The Commit That Looked Innocent but Contained a Backdoor

A security audit scanned commit messages but didn't inspect the actual diff.

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.

Follow
Production
production tested
July 07, 2026
last updated
214
articles · all by Naren
Before you start⏱ 15 min
  • Basic programming fundamentals (variables, functions, control flow)
  • No prior devops experience needed — we start from first principles
 ● Production Incident
Quick Answer

git show shows a commit's full diff. git show --stat shows only the file summary. git show : shows the file contents at that commit. git show shows the tag's message and object.

✦ Definition~90s read
What is Git Show?

git show displays information about any Git object — commit, tag, tree, or blob. It shows the full diff of a commit, the contents of a tag, or a file at a specific revision.

Git show is like a magnifying glass for any single point in your repository's history.
Plain-English First

Git show is like a magnifying glass for any single point in your repository's history. A commit message says 'Fix login bug' — git show reveals what actually changed. A tag says 'v1.0.0' — git show reveals what commit it points to and who signed it. It's the command you use when someone says 'check this commit' and you need to verify what's really inside.

⚙ Browser compatibility
Latest versions — ✓ supported
ChromeFirefoxSafariEdge

Commit messages can lie — not intentionally, but they can be misleading, incomplete, or vague. git show is the tool that looks past the message and reveals the actual changes. It's essential for code review, security audits, and debugging. A commit message might say 'Fix formatting' while git show reveals a logic change buried in the diff. This guide covers how to use git show to inspect every object type in Git, and the security audit where a commit message hid a malicious backdoor.

Inspecting Commits, Tags, and Files with git show

git show <sha> shows the commit author, date, message, and the full diff (like git log -p -1). git show --stat <sha> shows a summary of changed files with line counts. git show --name-only <sha> lists only changed file paths.

git show <tag> shows the tag object: tagger name, date, message, and what commit/tree it points to. For annotated tags with GPG signatures, it shows the signature verification.

git show <sha>:<file> outputs the full file contents as it existed at that commit. This is like git cat-file -p <sha>:<path> but more intuitive. You can redirect it: git show HEAD~3:src/config.json > old-config.json.

01_show_inspect.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Show full commit details and diff
git show a1b2c3d

# Show only stat summary
git show --stat a1b2c3d

# Show only file names
git show --name-only a1b2c3d

# Show file contents at a specific commit
git show a1b2c3d:src/app.py

# Save file from a previous commit
git show HEAD~5:config.json > old-config.json

# Show tag details
git show v1.0.0

# Show the commit a tag points to
git show v1.0.0^{commit}

# Show a tree object (directory listing at a commit)
git show a1b2c3d:src/
Output
commit a1b2c3d
Author: Alice <alice@example.com>
Date: Mon Mar 15 14:30:00 2024 +0000
Fix linting errors in auth module
diff --git a/auth.py b/auth.py
index f1f2a3b..c4d5e6f 100644
--- a/auth.py
+++ b/auth.py
@@ -10,6 +10,11 @@ def login(request):
+@app.route('/api/internal/access')
+def internal_access():
+ if request.headers.get('X-Internal-Token') == 'hardcoded-secret':
+ return jsonify({'access': 'granted'})
+
return jsonify({'error': 'unauthorized'}), 401
1 file changed, 5 insertions, 0 deletions
app.py | 5 +++++
1 file changed, 5 insertions(+)
Use `^{commit}` and `^{tree}` to Navigate Git Objects
git show v1.0.0^{commit} shows the commit an annotated tag points to (not the tag object itself). git show v1.0.0^{tree} shows the top-level tree. git show HEAD:./ shows files in the current directory at HEAD. These suffixes work with any ref, not just tags.
Production Insight
In CI, run git show -S 'TODO|FIXME|HACK|XXX|DEBUG|hardcoded|bypass' HEAD to flag suspicious patterns in commits. For security-critical repositories, run git show --diff-filter=A --name-only HEAD to list newly added files in every PR commit. Block any PR that adds new API endpoints without explicit security review. Use git show HEAD:requirements.txt to verify dependency changes at a glance.
Key Takeaway
git show <sha> reveals the full diff behind any commit. git show <sha>:<path> reads file contents from history. git show <tag> inspects tag objects and signatures. Never trust commit messages — always git show the actual changes.
● Production incidentPOST-MORTEMseverity: high

The Commit Message Said 'Fix Linting' — The Diff Added a Backdoor

Symptom
A developer submitted a commit with the message 'Fix linting errors'. Code review approved it because the message suggested a safe, mechanical change. Three months later, a security audit discovered that the commit had added a hidden API endpoint that bypassed authentication. The commit message was deliberately misleading.
Assumption
The reviewer assumed a 'Fix linting' commit was safe and approved it without viewing the diff. The commit message was designed to avoid scrutiny.
Root cause
1. A contributor submitted a commit with the message 'Fix linting errors in auth module'. 2. The reviewer had 20 PRs to review and fast-approved the 'linting' PR. 3. The actual change: added a new route /api/internal/access that authenticated with a hardcoded token. 4. The diff was 15 lines — 10 lines of genuine linting fixes (whitespace, imports) and 5 lines of hidden backdoor code in the same file. 5. The backdoor was disguised by placing it near the linting changes, making it look like part of the fix. 6. The commit was merged and deployed. 7. Three months later, a security audit using git log -S 'hardcoded' --all found the backdoor.
Fix
1. Immediately: removed the backdoor route and rotated all auth tokens. 2. Audited all merged commits from the same contributor for similar patterns using git show -S 'internal|backdoor|bypass' --all. 3. Changed code review policy: every commit message that says 'linting', 'formatting', 'style', or 'cleanup' must be expanded in the diff view before approval. 4. Added CI check: git diff --diff-filter=A --name-only HEAD^ lists new files in every PR; unexpected new endpoints or routes trigger a flag. 5. Implemented signed commits with GPG (article 200) to verify the contributor's identity. 6. Ran a team-wide training on code review best practices.
Key lesson
  • Never trust a commit message at face value.
  • 'Fix linting', 'Refactor', 'Cleanup' are common disguises for hidden changes.
  • Always expand and review the full diff.
  • Use git show to inspect the actual changes behind every commit message.
  • Security-sensitive changes should be in separate, clearly-labeled commits.
Production debug guideUse this when production is on fire5 entries
Symptom · 01
See the full diff of a specific commit
Fix
Run git show <sha> — shows commit details and full diff
Symptom · 02
See only the stat summary of a commit
Fix
Run git show --stat <sha> — files changed, insertions, deletions
Symptom · 03
View file contents at a specific commit
Fix
Run git show <sha>:path/to/file — cat a file from any point in history
Symptom · 04
Inspect a tag object
Fix
Run git show <tag-name> — shows tagger, date, message, and signed commit
Symptom · 05
See commits that reference a specific keyword in their diff
Fix
Run git show -S 'password' <sha> — highlight matches in the diff

Key takeaways

1
git show <sha> shows full commit diff
never trust commit messages alone
2
git show --stat <sha> for a summary of changed files
3
git show <sha>:<file> reads file contents from any point in history
4
git show <tag> inspects annotated tag objects and signatures
5
Use ^{commit} and ^{tree} to navigate between Git object types
6
CI should git show -S for suspicious patterns like 'TODO', 'FIXME', 'hardcoded'
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.

Follow
Verified
production tested
July 07, 2026
last updated
214
articles · all by Naren
🔥

That's Git. Mark it forged?

3 min read · try the examples if you haven't

Previous
Git Remote: Manage Repository Connections Safely
46 / 47 · Git
Next
.gitignore: Prevent Secrets and Bloat From Entering Your Repo