[daily secrets] 🔐 Secrets Analysis Report - May 21, 2026

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: May 21, 2026
Workflow Files Analyzed: 233
Run: §26244584107

---

📊 Executive Summary

• Total Secret References: 6,058 (secrets.*)
• GitHub Token References: 1,124 (github.token)
• Unique Secret Types: 37 distinct secret names
• Step-Level Usage: 2,582 occurrences (100% of structured usage)
• Job-Level Usage: 0 occurrences (0%)

🛡️ Security Posture

✅ Redaction System: 233/233 workflows (100%) have redaction steps
✅ Token Cascades: 1,309 instances of secure fallback chains
⚠️ GitHub Event References: 4,060 instances (potential template injection vectors)
⚠️ Secrets in Outputs: 41 potential secret exposures in job outputs
⚠️ Echo Secrets: 4 instances of secrets being echoed (logging risk)
✅ Hardcoded Tokens: 0 hardcoded tokens found

🎯 Key Findings

1. Perfect Redaction Coverage: All 233 workflows implement the redact_secrets step, ensuring comprehensive secret protection in logs and outputs.

2. Token Cascade Pattern: The secure token cascade pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) is consistently applied across 1,309 locations, providing robust fallback authentication.

3. High GitHub Event Usage: 4,060 references to github.event.* expressions detected across workflows. While this enables dynamic workflow behavior, each instance should be reviewed to ensure proper sanitization through the sanitized step to prevent template injection attacks.

4. Secrets in Job Outputs: 41 instances where secrets may be exposed through job outputs. This requires immediate attention as it could leak sensitive data to downstream jobs or logs.

5. Observability Integration: Significant usage of OTEL secrets (1,159 authorization headers, 697 endpoints) indicates strong observability practices with Sentry and Grafana integration.

6. Balanced Token Distribution: GitHub tokens are well-distributed:

   • GH_AW_GITHUB_TOKEN: 3,022 (49.9%)
   • GITHUB_TOKEN: 2,953 (48.7%)
   • GH_AW_GITHUB_MCP_SERVER_TOKEN: 1,278 (21.1%)

💡 Recommendations

1. Audit Secrets in Outputs: Review the 41 instances where secrets appear in job outputs. These should be sanitized or removed to prevent exposure.

2. Review GitHub Event Usage: While the 4,060 github.event.* references are not inherently unsafe, ensure all user-provided content (issue bodies, PR descriptions, comments) flows through the sanitized step before being used in expressions.

3. Eliminate Echo Secrets: Remove the 4 instances of secrets being echoed. Use the redaction system instead of manual logging for sensitive data.

4. Permission Blocks: Consider adding explicit permissions: blocks to workflows to follow the principle of least privilege (currently 0 explicit permission blocks detected).

5. Secret Rotation: With 37 unique secret types in use, establish a regular rotation schedule for API keys and tokens, prioritizing the most frequently used secrets.

🔑 Top 15 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GH_AW_GITHUB_TOKEN	3,022	GH-AW GitHub Token
2	GITHUB_TOKEN	2,953	GitHub Default Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,278	MCP Server Token
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	695	OTEL Authorization
5	GH_AW_OTEL_SENTRY_ENDPOINT	464	OTEL Endpoint
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	OTEL Authorization
7	COPILOT_GITHUB_TOKEN	399	Copilot GitHub Token
8	ANTHROPIC_API_KEY	253	AI Model API (Claude)
9	GH_AW_OTEL_GRAFANA_ENDPOINT	233	OTEL Endpoint
10	OPENAI_API_KEY	73	AI Model API (OpenAI)
11	CODEX_API_KEY	72	API Key
12	GH_AW_CI_TRIGGER_TOKEN	56	CI Trigger Token
13	GH_AW_SIDE_REPO_PAT	19	Repository PAT
14	TAVILY_API_KEY	13	API Key
15	SENTRY_OPENAI_API_KEY	12	API Key

Secret Categories Breakdown:

• GitHub Tokens: 7,652 total references (4 types)
• AI Model APIs: 410 total references (5 types)
• OTEL/Observability: 1,856 total references (4 types)
• Other APIs: 140 total references (24 types)

📂 Workflow Type Distribution

By Workflow Category:

• Daily workflows: 55 (23.6%)
• Testing workflows: 9 (3.9%)
• Agent workflows: 4 (1.7%)
• Other workflows: 165 (70.8%)

Secret Usage Patterns:

• 100% of secrets are configured at step level (within env: blocks in steps)
• 0% of secrets are configured at job level
• This indicates consistent application of the step-level secret scoping pattern

⚠️ Security Concerns Details

Secrets in Job Outputs (41 instances)

Sample workflows with potential secret exposure:

• approach-validator.lock.yml
• blog-auditor.lock.yml
• Additional workflows flagged for review

Action Required: Audit these workflows to ensure secrets are not being passed through job outputs. Use intermediate files or step outputs with sanitization instead.

GitHub Event References (4,060 instances)

Top files with github.event.* usage:

• ab-testing-advisor.lock.yml
• ace-editor.lock.yml
• agent-performance-analyzer.lock.yml
• agent-persona-explorer.lock.yml
• ai-moderator.lock.yml

Note: Most workflows properly sanitize user input through the sanitized step. This is best practice and should continue.

Echo Secrets (4 instances)

Found 4 cases where secrets are echoed to logs. These should be removed or replaced with redacted logging.

📖 Reference Documentation

For detailed information about secret usage patterns in gh-aw:

• Secrets Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: See workflow frontmatter tools: configuration
• Sanitization: All workflows use the sanitized step for user input

---

Generated: 2026-05-21T18:17:16Z
Workflow: daily-secrets.md

Generated by 🔒 Daily Secrets Analysis Agent · ● 878.7K · ◷

• expires on May 24, 2026, 6:21 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #34270.