[daily secrets] Secret Usage Analysis — 2026-05-16

[github-actions[bot]]

Date: 2026-05-16
Workflow Files Analyzed: 228
Run: §25968906962

📊 Executive Summary

Metric	Value
Total secrets.* references	5,879
github.token references	1,064
Unique secret types	35
Workflows with redaction steps	228 / 228
Token cascade fallback chains	856
Explicit permission blocks	228 / 228

🛡️ Security Posture

✅ Redaction System: All 228 workflows include redact_secrets steps
✅ Token Cascades: 856 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN fallback chains
✅ Permission Blocks: All 228 workflows define explicit permissions: blocks
✅ Secrets in Outputs: 38 grep matches investigated — confirmed false positives (secrets passed as env: vars to steps, not exposed in job outputs)
✅ Expression Injection: 3,804 github.event.* usages are all via safe GH_AW_EXPR_* environment variable extraction pattern — no direct interpolation risks

🎯 Key Findings

1. Full redaction coverage: Every compiled workflow (228/228) includes the redact_secrets step and explicit permissions — excellent baseline security posture.
2. GitHub token dominates: GH_AW_GITHUB_TOKEN (2,938) and GITHUB_TOKEN (2,873) account for ~57% of all secret references, consistent with GitHub API access patterns.
3. OTEL secrets are heavily used: The four OTEL secrets together account for 1,831 references — indicating comprehensive observability coverage across all workflows.
4. AI engine secrets present: ANTHROPIC_API_KEY (249), OPENAI_API_KEY (73), CODEX_API_KEY (72), GEMINI_API_KEY (5), and OPENROUTER_API_KEY (1) indicate multi-engine workflow support.

💡 Recommendations

1. Audit low-usage secrets: SLACK_BOT_TOKEN (1), OPENROUTER_API_KEY (1), CONTEXT (2), AZURE_* (2 each) — verify these are still needed or remove to reduce attack surface.
2. OTEL secret provisioning: Consumers of shared imports must provision GH_AW_OTEL_SENTRY_ENDPOINT, GH_AW_OTEL_SENTRY_AUTHORIZATION, GH_AW_OTEL_GRAFANA_ENDPOINT, GH_AW_OTEL_GRAFANA_AUTHORIZATION — the high usage (1,831 refs) makes these critical secrets.
3. Monitor GH_AW_SIDE_REPO_PAT: Only 19 usages — verify this cross-repo PAT has minimum required scope.

🔑 Top 20 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GH_AW_GITHUB_TOKEN	2,938	GitHub Token
2	GITHUB_TOKEN	2,873	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,281	GitHub Token
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	684	Observability
5	GH_AW_OTEL_GRAFANA_AUTHORIZATION	458	Observability
6	GH_AW_OTEL_SENTRY_ENDPOINT	456	Observability
7	COPILOT_GITHUB_TOKEN	383	GitHub Token
8	ANTHROPIC_API_KEY	249	AI Engine
9	GH_AW_OTEL_GRAFANA_ENDPOINT	230	Observability
10	OPENAI_API_KEY	73	AI Engine
11	CODEX_API_KEY	72	AI Engine
12	GH_AW_CI_TRIGGER_TOKEN	55	CI/CD
13	GH_AW_SIDE_REPO_PAT	19	Cross-repo
14	GH_AW_AGENT_TOKEN	17	Agent Auth
15	TAVILY_API_KEY	13	Search
16	GH_AW_PROJECT_GITHUB_TOKEN	7	GitHub Token
17	SENTRY_OPENAI_API_KEY	6	AI/Monitoring
18	SENTRY_ACCESS_TOKEN	6	Monitoring
19	NOTION_API_TOKEN	6	Integration
20	GH_AW_OTEL_HEADERS	6	Observability

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-05-16 17:56 UTC
References: §25968906962

Generated by 🔒 Daily Secrets Analysis Agent · ● 3M · ◷

• expires on May 19, 2026, 5:59 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #32869.