If you've used Puppet for anything non-trivial, you've almost certainly used it to configure something secret. Perhaps you've configured an application with a database password. Perhaps you've configured a local maintenance user account with a private SSH key. Something that might seem obvious in retrospect is that these secrets exist in the catalog--and by extension all reports and any other tooling that uses them. Anyone with access to the catalog or raw reports also has access to your secrets. All your secrets.
If you haven't heard of Shellshock, you should crawl out from under your rock and do some Googling. Back? Ok, great. I won't explain what it is, but if you're reading this post, you've probably been tasked to find and patch all vulnerable systems. And management would like to see a comprehensive report of which machines have been patched....
Luckily enough, with Puppet, Facter, and MCollective, that's a trivial task.