You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All workflow files use proper env-var injection to pass secrets to scripts — no direct ${{ secrets.X }} interpolation within run: script bodies was found.
🔑 Top Secrets by Usage
Top 10 Secrets by Occurrence Count
Rank
Secret Name
Occurrences
Category
1
GITHUB_TOKEN
3,636
Built-in GitHub Token
2
GH_AW_GITHUB_TOKEN
3,220
Custom GitHub PAT
3
GH_AW_GITHUB_MCP_SERVER_TOKEN
1,352
MCP Server Token
4
GH_AW_OTEL_SENTRY_AUTHORIZATION
706
Observability (Sentry)
5
GH_AW_OTEL_SENTRY_ENDPOINT
472
Observability (Sentry)
6
GH_AW_OTEL_GRAFANA_AUTHORIZATION
470
Observability (Grafana)
7
COPILOT_GITHUB_TOKEN
427
Copilot Token
8
ANTHROPIC_API_KEY
261
AI API (Anthropic)
9
GH_AW_OTEL_GRAFANA_ENDPOINT
236
Observability (Grafana)
10
OPENAI_API_KEY
79
AI API (OpenAI)
All 38 Unique Secrets (Full Inventory)
Secret Name
Occurrences
Category
GITHUB_TOKEN
3,636
Built-in
GH_AW_GITHUB_TOKEN
3,220
Auth
GH_AW_GITHUB_MCP_SERVER_TOKEN
1,352
MCP
GH_AW_OTEL_SENTRY_AUTHORIZATION
706
Observability
GH_AW_OTEL_SENTRY_ENDPOINT
472
Observability
GH_AW_OTEL_GRAFANA_AUTHORIZATION
470
Observability
COPILOT_GITHUB_TOKEN
427
Auth
ANTHROPIC_API_KEY
261
AI
GH_AW_OTEL_GRAFANA_ENDPOINT
236
Observability
OPENAI_API_KEY
79
AI
CODEX_API_KEY
78
AI
GH_AW_CI_TRIGGER_TOKEN
58
CI
GH_AW_SIDE_REPO_PAT
22
Auth
GH_AW_AGENT_TOKEN
13
Auth
TAVILY_API_KEY
13
AI (Search)
DD_APP_KEY
10
Observability (DD)
DD_APPLICATION_KEY
10
Observability (DD)
SENTRY_ACCESS_TOKEN
10
Observability
SENTRY_OPENAI_API_KEY
10
AI
GH_AW_PROJECT_GITHUB_TOKEN
9
Auth
DD_API_KEY
8
Observability (DD)
DD_SITE
7
Observability (DD)
GRAFANA_SERVICE_ACCOUNT_TOKEN
6
Observability
GRAFANA_URL
6
Observability
NOTION_API_TOKEN
6
Integration
ANTIGRAVITY_API_KEY
6
Integration
GEMINI_API_KEY
5
AI
BRAVE_API_KEY
4
AI (Search)
FOUNDRY_API_KEY
3
AI
FOUNDRY_OPENAI_ENDPOINT
3
AI
AZURE_CLIENT_ID
2
Azure
AZURE_CLIENT_SECRET
2
Azure
AZURE_TENANT_ID
2
Azure
CONTEXT
2
Misc
GH_AW_OTEL_DATADOG_API_KEY
2
Observability (DD)
GH_AW_OTEL_DATADOG_ENDPOINT
1
Observability (DD)
OPENROUTER_API_KEY
1
AI
SLACK_BOT_TOKEN
1
Integration
🎯 Key Findings
Token Cascade Pattern is Well-Established: 893 instances of secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN ensure graceful token fallback across all auth-requiring steps.
AI Integration is Widespread: 85/246 workflows (34.6%) use at least one AI provider API key (Anthropic, OpenAI, Codex, Gemini, Foundry, OpenRouter). ANTHROPIC_API_KEY is the dominant AI secret at 261 occurrences.
Observability Stack Well-Instrumented: Sentry (706+472=1,178 refs), Grafana (470+236=706 refs), and Datadog (8+10+10+2+1=31 refs) are integrated across the fleet. Dual-endpoint headers in OTEL configs are common.
Low-Usage Secrets May Be Candidates for Audit: SLACK_BOT_TOKEN (1), OPENROUTER_API_KEY (1), GH_AW_OTEL_DATADOG_ENDPOINT (1), AZURE_* (2 each) — verify these are still actively needed.
DD_APP_KEY vs DD_APPLICATION_KEY Duplication: Both appear 10 times — these may refer to the same Datadog credential under two naming conventions.
💡 Recommendations
Audit low-usage secrets — 8 secrets appear ≤2 times. Confirm they are still required or remove them to reduce the credential surface area.
Investigate DD key duplication — DD_APP_KEY and DD_APPLICATION_KEY both appear 10 times. Consolidate to one canonical name to avoid confusion.
Monitor AI key sprawl — With 7 AI provider keys now in use, consider establishing a governance policy for adding new AI integrations.
Maintain 100% redaction coverage — Current posture is perfect. Enforce this via CI validation when new workflows are added.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
📊 Executive Summary
secrets.*References: 6,882github.tokenReferences: 1,224🛡️ Security Posture
All workflow files use proper env-var injection to pass secrets to scripts — no direct
${{ secrets.X }}interpolation withinrun:script bodies was found.🔑 Top Secrets by Usage
Top 10 Secrets by Occurrence Count
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONCOPILOT_GITHUB_TOKENANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYAll 38 Unique Secrets (Full Inventory)
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONCOPILOT_GITHUB_TOKENANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYDD_APP_KEYDD_APPLICATION_KEYSENTRY_ACCESS_TOKENSENTRY_OPENAI_API_KEYGH_AW_PROJECT_GITHUB_TOKENDD_API_KEYDD_SITEGRAFANA_SERVICE_ACCOUNT_TOKENGRAFANA_URLNOTION_API_TOKENANTIGRAVITY_API_KEYGEMINI_API_KEYBRAVE_API_KEYFOUNDRY_API_KEYFOUNDRY_OPENAI_ENDPOINTAZURE_CLIENT_IDAZURE_CLIENT_SECRETAZURE_TENANT_IDCONTEXTGH_AW_OTEL_DATADOG_API_KEYGH_AW_OTEL_DATADOG_ENDPOINTOPENROUTER_API_KEYSLACK_BOT_TOKEN🎯 Key Findings
Token Cascade Pattern is Well-Established: 893 instances of
secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENensure graceful token fallback across all auth-requiring steps.AI Integration is Widespread: 85/246 workflows (34.6%) use at least one AI provider API key (Anthropic, OpenAI, Codex, Gemini, Foundry, OpenRouter).
ANTHROPIC_API_KEYis the dominant AI secret at 261 occurrences.Observability Stack Well-Instrumented: Sentry (706+472=1,178 refs), Grafana (470+236=706 refs), and Datadog (8+10+10+2+1=31 refs) are integrated across the fleet. Dual-endpoint headers in OTEL configs are common.
Low-Usage Secrets May Be Candidates for Audit:
SLACK_BOT_TOKEN(1),OPENROUTER_API_KEY(1),GH_AW_OTEL_DATADOG_ENDPOINT(1),AZURE_*(2 each) — verify these are still actively needed.DD_APP_KEY vs DD_APPLICATION_KEY Duplication: Both appear 10 times — these may refer to the same Datadog credential under two naming conventions.
💡 Recommendations
Audit low-usage secrets — 8 secrets appear ≤2 times. Confirm they are still required or remove them to reduce the credential surface area.
Investigate DD key duplication —
DD_APP_KEYandDD_APPLICATION_KEYboth appear 10 times. Consolidate to one canonical name to avoid confusion.Monitor AI key sprawl — With 7 AI provider keys now in use, consider establishing a governance policy for adding new AI integrations.
Maintain 100% redaction coverage — Current posture is perfect. Enforce this via CI validation when new workflows are added.
Generated: 2026-06-08T18:29:45Z
Workflow: §27158255793
Beta Was this translation helpful? Give feedback.
All reactions