[daily secrets] Secrets Analysis Report 2026-06-15

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-06-15
Workflow Files Analyzed: 248
Run: §27569171701

📊 Executive Summary

Metric	Value
Total secrets.* References	7,152
github.token References	1,501
Unique Secret Types	38
Workflows with ANY Secret Usage	248 / 248 (100%)
Step-Level Secret Bindings	~7,148

🛡️ Security Posture

✅ Redaction System: 248/248 workflows have redact_secrets steps (100%)
✅ Token Cascade Chains: 902 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN fallback
✅ Explicit Permission Blocks: 248/248 workflows define permissions: (100%)
✅ No Secrets in Outputs: 0 cases of value: ${{ secrets.* }} in job outputs: blocks
✅ Env Var Isolation: All github.event.* usage follows proper env var assignment pattern (not inline script interpolation)

🎯 Key Findings

1. GitHub Tokens dominate: GITHUB_TOKEN (3,926) and GH_AW_GITHUB_TOKEN (3,259) together account for the bulk of secret references, representing the layered PAT strategy.
2. Observability secrets are pervasive: Sentry + Grafana endpoint/auth secrets appear in 697–464 workflows respectively, consistent with universal OTEL telemetry coverage.
3. AI provider diversity: 5+ distinct LLM provider keys in active use (Anthropic 257, OpenAI 79, Codex 78, Gemini 5, Foundry 3) reflecting multi-model architecture.
4. Copilot token presence: COPILOT_GITHUB_TOKEN used in 419 step bindings, powering Copilot-based workflows.
5. Zero high-severity issues: No secrets in outputs, no inline interpolation risks, full redaction and permission coverage.

💡 Recommendations

1. Audit CODEX_API_KEY vs OPENAI_API_KEY overlap (78 vs 79 refs): Both keys appear in similar counts — verify these aren't redundant and workflows use the correct key per intended model provider.
2. Monitor GH_AW_SIDE_REPO_PAT (24 refs): This cross-repo PAT has broader scope than GITHUB_TOKEN; confirm all 24 usages require cross-repo access.
3. Review Azure credentials (AZURE_CLIENT_ID/SECRET/TENANT_ID — 2 refs each): Low usage suggests narrow scope; confirm these are intentionally limited.

🔑 Top 15 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	3,926	GitHub Token
2	GH_AW_GITHUB_TOKEN	3,259	GitHub PAT
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,363	MCP Token
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	697	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	466	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	Observability
7	COPILOT_GITHUB_TOKEN	419	Copilot Token
8	ANTHROPIC_API_KEY	257	AI Provider
9	GH_AW_OTEL_GRAFANA_ENDPOINT	233	Observability
10	OPENAI_API_KEY	79	AI Provider
11	CODEX_API_KEY	78	AI Provider
12	GH_AW_CI_TRIGGER_TOKEN	59	CI Token
13	GH_AW_SIDE_REPO_PAT	24	Cross-Repo PAT
14	TAVILY_API_KEY	13	AI Tool
15	GH_AW_AGENT_TOKEN	13	Agent Token

📋 Full Secret Inventory (38 unique types)

Secret Name	Occurrences	Category
GITHUB_TOKEN	3,926	GitHub Token
GH_AW_GITHUB_TOKEN	3,259	GitHub PAT
GH_AW_GITHUB_MCP_SERVER_TOKEN	1,363	MCP Token
GH_AW_OTEL_SENTRY_AUTHORIZATION	697	Observability
GH_AW_OTEL_SENTRY_ENDPOINT	466	Observability
GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	Observability
COPILOT_GITHUB_TOKEN	419	Copilot Token
ANTHROPIC_API_KEY	257	AI Provider
GH_AW_OTEL_GRAFANA_ENDPOINT	233	Observability
OPENAI_API_KEY	79	AI Provider
CODEX_API_KEY	78	AI Provider
GH_AW_CI_TRIGGER_TOKEN	59	CI Token
GH_AW_SIDE_REPO_PAT	24	Cross-Repo PAT
TAVILY_API_KEY	13	AI Tool
GH_AW_AGENT_TOKEN	13	Agent Token
DD_APP_KEY	10	Datadog
DD_APPLICATION_KEY	10	Datadog
SENTRY_OPENAI_API_KEY	8	Observability
SENTRY_ACCESS_TOKEN	8	Observability
GH_AW_PROJECT_GITHUB_TOKEN	8	GitHub Project PAT
DD_API_KEY	8	Datadog
DD_SITE	7	Datadog
NOTION_API_TOKEN	6	Integration
FOUNDRY_OPENAI_ENDPOINT	6	AI Provider
ANTIGRAVITY_API_KEY	6	AI Tool
GEMINI_API_KEY	5	AI Provider
GRAFANA_URL	4	Observability
GRAFANA_SERVICE_ACCOUNT_TOKEN	4	Observability
BRAVE_API_KEY	4	AI Tool
FOUNDRY_API_KEY	3	AI Provider
GH_AW_OTEL_DATADOG_API_KEY	2	Observability
CONTEXT	2	Internal
AZURE_TENANT_ID	2	Cloud
AZURE_CLIENT_SECRET	2	Cloud
AZURE_CLIENT_ID	2	Cloud
SLACK_BOT_TOKEN	1	Integration
OPENROUTER_API_KEY	1	AI Provider
GH_AW_OTEL_DATADOG_ENDPOINT	1	Observability

📖 Reference Documentation

• Secrets specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs
• Token cascade pattern: GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN

---

Generated: 2026-06-15T19:05:28Z
Workflow: §27569171701

Generated by 🔒 Daily Secrets Analysis Agent · 211.3 AIC · ⌖ 14 AIC · ⊞ 18.3K · ◷

• expires on Jun 18, 2026, 11:08 AM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #39656.