[daily secrets] Secrets Analysis Report - 2026-05-23

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-05-23
Workflow Files Analyzed: 234
Run: §26339597034

📊 Executive Summary

• Total Secret References: 6,082 (secrets.*)
• GitHub Token References: 1,135 (github.token)
• Unique Secret Types: 36
• Step-Level Usage: 2,455 (100%) — All secrets are scoped to steps, not job-level
• Redaction Coverage: 234/234 workflows (100%) ✅

🛡️ Security Posture

✅ Redaction System: 234/234 workflows (100%) have redact_secrets steps
✅ Token Cascades: 848 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN fallback chains
✅ Permission Blocks: 234 explicit permission definitions (100% coverage)
✅ No Hardcoded Tokens: 0 instances of hardcoded token patterns (ghp_, github_pat_)
✅ No Secrets in Outputs: 0 secrets exposed through job outputs

⚠️ Areas of Concern:

• 4,075 direct github.event.* interpolations found outside of env: blocks (potential template injection vectors)
• 751 instances of secrets passed to external actions (non-GitHub-owned actions)

🎯 Key Findings

1. Comprehensive Redaction Coverage: Every workflow implements the redaction system, providing defense-in-depth against accidental secret leakage in logs.

2. GitHub Token Dominance: The top 3 secrets account for 93% of all secret usage:

   • GH_AW_GITHUB_TOKEN (3,035 uses) - Primary GitHub token
   • GITHUB_TOKEN (2,969 uses) - Standard GitHub Actions token
   • GH_AW_GITHUB_MCP_SERVER_TOKEN (1,284 uses) - MCP server authentication

3. OTEL Observability Infrastructure: Significant usage of observability secrets (1,852 references) for Sentry and Grafana integrations, indicating mature monitoring practices.

4. Template Injection Surface: 4,075 direct github.event.* interpolations represent potential attack vectors if event data is not sanitized through the env: context first.

5. External Action Trust: 751 instances of secrets passed to external (non-GitHub) actions should be periodically audited to ensure trust boundaries are appropriate.

💡 Recommendations

1. Audit Direct Event Interpolations: Review workflows using github.event.* outside of env: blocks. Prefer sanitizing through environment variables first to prevent template injection attacks.

2. External Action Review: Conduct quarterly audits of the 751 instances where secrets are passed to external actions. Verify these actions are from trusted sources and pin to specific commit SHAs.

3. Secret Consolidation: Consider whether the 36 unique secret types can be consolidated. Multiple similar secrets (e.g., various OTEL endpoints) could potentially use a single unified configuration.

4. Monitor Token Cascade Usage: The 848 token cascade patterns are working as designed, but track this metric over time to detect anomalies that might indicate configuration issues.

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GH_AW_GITHUB_TOKEN	3,035	GitHub Authentication
2	GITHUB_TOKEN	2,969	GitHub Authentication
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,284	GitHub MCP Server
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	694	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	464	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	462	Observability
7	COPILOT_GITHUB_TOKEN	407	GitHub Copilot
8	ANTHROPIC_API_KEY	253	AI Engine
9	GH_AW_OTEL_GRAFANA_ENDPOINT	232	Observability
10	OPENAI_API_KEY	73	AI Engine

Secret Categories Breakdown:

• GitHub Authentication: 6,922 total references (3 primary token types)
• Observability (OTEL): 1,852 references (Sentry, Grafana, Datadog)
• AI Engine API Keys: 658 references (Anthropic, OpenAI, Codex, Gemini, etc.)
• Other Services: 14 additional secret types (Notion, Slack, Azure, etc.)

📊 Secret Distribution Analysis

By Structural Location

• Step-level env: blocks: 2,455 (100%)
• Job-level env: blocks: 0 (0%)

Analysis: All secrets are scoped to individual steps rather than entire jobs, following the principle of least privilege. This limits the exposure window and blast radius of any compromised secret.

By Security Control

• Workflows with redaction: 234/234 (100%)
• Token cascade patterns: 848 instances
• Permission blocks: 234 (100%)

Analysis: Universal adoption of security controls indicates mature secret management practices across all workflows.

🔍 Security Deep Dive

Template Injection Risk Assessment

Finding: 4,075 instances of direct github.event.* interpolation outside of env: blocks.

Risk Level: Medium — These could allow template injection if event data contains malicious payloads.

Sample Workflows: First 5 affected:

• ab-testing-advisor.lock.yml
• ace-editor.lock.yml
• agent-performance-analyzer.lock.yml
• agent-persona-explorer.lock.yml
• agentic-token-audit.lock.yml

Mitigation: GitHub's built-in sanitization provides baseline protection, and the universal redaction system provides additional defense. However, best practice is to sanitize through env: first.

External Action Trust Boundaries

Finding: 751 instances of secrets passed to non-GitHub-owned actions.

Risk Level: Low to Medium — Depends on action trustworthiness and secret sensitivity.

Recommendation: Implement action pinning to specific commit SHAs and maintain an allowlist of trusted external actions.

Secrets in Job Outputs

Finding: 0 instances of secrets exposed through job outputs.

Risk Level: None — No secrets are being leaked through the job output mechanism.

Status: ✅ Excellent — This is a common anti-pattern that is correctly avoided.

📖 Reference Documentation

For detailed information about secret usage patterns and security controls, see:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Token Cascade Pattern: actions/setup/js/safe_outputs_tools.json
• Security Model: SECURITY.md

---

Generated: 2026-05-23 at 17:57 UTC
Workflow: daily-secrets-analysis.md

Generated by 🔒 Daily Secrets Analysis Agent · ● 792.5K · ◷

• expires on May 26, 2026, 6:00 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #34499.