[daily secrets] 2026-06-07 Secrets Analysis

[github-actions[bot]]

Date: 2026-06-07 | Run: §27100312918

📊 Executive Summary

Metric	Value
Workflow files analyzed	243
secrets.* references	6,817
github.token references	1,212
Unique secret types	38
Workflows with redaction	243/243 (100%)
Workflows with permissions	243/243 (100%)
Token cascade instances	881

🛡️ Security Posture

✅ Redaction System: 100% of workflows include redact_secrets.cjs — all secrets are scrubbed from logs
✅ Explicit Permissions: 100% of workflows declare a permissions: block
✅ Token Cascade: 881 fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)
✅ No Shell Injection Risk: 0 github.event.* references in run: steps (4,547 safe usages in if: expressions only)
✅ No Secrets in Outputs: 0 secrets exposed as job output values

🎯 Key Findings

1. GitHub Token Dominance: GitHub auth tokens (GITHUB_TOKEN + GH_AW_GITHUB_TOKEN + GH_AW_GITHUB_MCP_SERVER_TOKEN) account for 8,116 references (72% of all secret refs), confirming GitHub API access as the primary integration point.

2. Near-Universal OTEL Coverage: Sentry observability is active in 235/243 files (97%), Grafana in 234/243 (96%). Only Datadog remains limited (1 file — likely experimental).

3. AI/LLM Secret Breadth: 6 distinct AI provider secrets in use (Anthropic, OpenAI, Codex, Gemini, OpenRouter, Foundry), with Anthropic leading at 261 refs across 66 workflows. CODEX_API_KEY (78 refs, 14 files) reflects growing OpenAI Codex adoption.

4. CONTEXT7_API_KEY Spotted: A new secret (2 refs) appeared that wasn't in earlier baseline scans — likely a recently added context provider integration.

💡 Recommendations

1. Evaluate Datadog Rollout: GH_AW_OTEL_DATADOG_API_KEY appears in only 1 workflow. If Datadog is a planned provider, extend coverage; if experimental, consider removing to reduce secret surface.

2. Review CONTEXT7_API_KEY: New secret with 2 references — confirm it is intentional and documented in scratchpad/secrets-yml.md.

3. Monitor CODEX_API_KEY Growth: Rapidly adopted (78 refs, 14 files). Ensure usage guidelines and rotation policies are in place alongside existing OPENAI_API_KEY policies.

🔑 Top 15 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	3,599	GitHub Auth
2	GH_AW_GITHUB_TOKEN	3,183	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,334	GitHub Auth (MCP)
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	706	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	472	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	470	Observability
7	COPILOT_GITHUB_TOKEN	415	GitHub Auth (Copilot)
8	ANTHROPIC_API_KEY	261	AI/LLM
9	GH_AW_OTEL_GRAFANA_ENDPOINT	236	Observability
10	OPENAI_API_KEY	79	AI/LLM
11	CODEX_API_KEY	78	AI/LLM
12	GH_AW_CI_TRIGGER_TOKEN	58	CI Automation
13	GH_AW_SIDE_REPO_PAT	22	Cross-Repo
14	TAVILY_API_KEY	13	AI/LLM (Search)
15	GH_AW_AGENT_TOKEN	13	Agent Auth

🤖 AI/LLM Provider Secret Distribution

Provider	Secret	Refs	Files
Anthropic	ANTHROPIC_API_KEY	261	66
OpenAI	OPENAI_API_KEY	79	15
OpenAI Codex	CODEX_API_KEY	78	14
Google	GEMINI_API_KEY	5	2
Foundry	FOUNDRY_API_KEY / FOUNDRY_OPENAI_ENDPOINT	6	1
OpenRouter	OPENROUTER_API_KEY	1	1
Antigravity	ANTIGRAVITY_API_KEY	6	1
Sentry/OpenAI	SENTRY_OPENAI_API_KEY	10	—

📡 OTEL Observability Coverage

Provider	Auth Secret	Endpoint Secret	Files Covered
Sentry	706 refs	472 refs	235/243 (97%)
Grafana	470 refs	236 refs	234/243 (96%)
Datadog	2 refs	1 ref	1/243 (<1%)

📖 Reference Documentation

• Secret specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

---

References: §27100312918

Generated by 🔒 Daily Secrets Analysis Agent · ⌖ 32 AIC · ⊞ 18.6K · ◷

• expires on Jun 10, 2026, 10:03 AM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #37889.