[daily secrets] Secret Usage Analysis – 2026-05-09

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-05-09
Workflow Files Analyzed: 218
Run: §25607842931

📊 Executive Summary

Metric	Value
Total secrets.* references	5,378
github.token references	999
Unique secret types	32
GitHub token refs (all forms)	3,664
Cascade fallback chains	814

🛡️ Security Posture

✅ Redaction System: 218/218 workflows (100%) have redaction steps
✅ Permission Blocks: 218/218 workflows (100%) define explicit permissions
✅ Token Cascade Fallbacks: 814 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN for resilient auth
✅ No Direct Interpolation: All secrets passed via env: blocks — no direct injection in run: scripts
✅ No Secrets in Job Outputs: Secrets are not exposed through job output values

🤖 AI Engine Distribution

Engine	Workflows
Copilot	144 (66%)
Anthropic (Claude)	62 (28%)
Codex / OpenAI	17 (8%)

🎯 Key Findings

1. Full Coverage of Security Controls: Every workflow has both a redaction step and an explicit permissions block — a strong security baseline across the entire workflow fleet.
2. Cascade Auth Pattern Dominant: 814 occurrences of the 3-tier token fallback chain, enabling workflows to run with the least-privileged available credential.
3. Diverse External Integrations: 32 unique secret types span observability (OTEL, Datadog, Grafana), third-party AI APIs, Slack, Notion, Sentry, Azure AD — each representing an external trust boundary.

💡 Recommendations

1. Audit low-usage secrets: Secrets used fewer than 5 times (GEMINI_API_KEY, SENTRY_OPENAI_API_KEY, SENTRY_ACCESS_TOKEN, BRAVE_API_KEY, SLACK_BOT_TOKEN, OPENROUTER_API_KEY) should be reviewed for necessity.
2. Monitor CONTEXT secret (2 usages): Generic name may indicate a leaking or overly broad credential — confirm its scope and consider renaming.
3. OTEL header secrets (GH_AW_OTEL_HEADERS, GH_AW_OTEL_ENDPOINT — 437 each): Confirm these are rotated on a schedule since they are used in nearly every workflow.

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GH_AW_GITHUB_TOKEN	2,798	GitHub Auth
2	GITHUB_TOKEN	2,740	GitHub Auth (built-in)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,219	GitHub MCP Auth
4	GH_AW_OTEL_HEADERS	437	Observability
5	GH_AW_OTEL_ENDPOINT	437	Observability
6	COPILOT_GITHUB_TOKEN	355	Copilot Engine Auth
7	ANTHROPIC_API_KEY	245	Claude Engine Auth
8	OPENAI_API_KEY	73	OpenAI Auth
9	CODEX_API_KEY	72	Codex Engine Auth
10	GH_AW_CI_TRIGGER_TOKEN	50	CI Automation

📋 All 32 Secret Types

Secret Name	Occurrences
GH_AW_GITHUB_TOKEN	2,798
GITHUB_TOKEN	2,740
GH_AW_GITHUB_MCP_SERVER_TOKEN	1,219
GH_AW_OTEL_HEADERS	437
GH_AW_OTEL_ENDPOINT	437
COPILOT_GITHUB_TOKEN	355
ANTHROPIC_API_KEY	245
OPENAI_API_KEY	73
CODEX_API_KEY	72
GH_AW_CI_TRIGGER_TOKEN	50
GH_AW_SIDE_REPO_PAT	19
GH_AW_AGENT_TOKEN	17
TAVILY_API_KEY	13
GH_AW_PROJECT_GITHUB_TOKEN	7
NOTION_API_TOKEN	6
GEMINI_API_KEY	5
SENTRY_OPENAI_API_KEY	4
SENTRY_ACCESS_TOKEN	4
BRAVE_API_KEY	4
DD_SITE	3
DD_APPLICATION_KEY	3
DD_API_KEY	3
SENTRY_API_KEY	2
GRAFANA_URL	2
GRAFANA_SERVICE_ACCOUNT_TOKEN	2
CONTEXT	2
AZURE_TENANT_ID	2
AZURE_CLIENT_SECRET	2
AZURE_CLIENT_ID	2
SLACK_BOT_TOKEN	1
OPENROUTER_API_KEY	1

📖 Reference Documentation

• Secret specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-05-09 17:55 UTC
Workflow: daily-secrets-analysis

Generated by Daily Secrets Analysis Agent · ● 2.4M · ◷

• expires on May 12, 2026, 5:57 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #31364.