# Daily Secrets Analysis Report

Date: 2026-06-20
Workflow Files Analyzed: 249
Run: §27879344731

## Executive Summary

- `secrets.*` references
- `github.token` references
- Secret reference density: ~35.5 refs per workflow on average.

## Security Posture

| Control | Status | Coverage |
|---|---|---|
| Secrets Redaction Steps | Active | 249/249 (100%) |
| Explicit Permission Blocks | Active | 249/249 (100%) |
| Hardcoded Tokens | None Found | 0 detected |
| Secrets in Job Outputs | Clean | 0 found |
| Template Injection (`github.event` in `run:`) | Safe | 0 unsafe usages |
| Token Cascade Fallback Chains | Active | 899 instances |
| `secrets: inherit` Usage | None | 0 workflows |

All 4,422 `github.event.*` references safely use the env-variable pattern (`GH_AW_EXPR_*: ${{ github.event.xxx }}`), with zero direct interpolation in `run:` scripts.

## Key Findings

- **Full Security Control Coverage**: All 249 workflows have both redaction steps and explicit `permissions:` blocks: 100% compliance, no gaps.
- **GitHub Token Dominance**: GitHub authentication tokens account for ~96% of all `secrets.*` references. `GITHUB_TOKEN` (4,099) and `GH_AW_GITHUB_TOKEN` (3,216) together represent ~99% of the GitHub token category.
- **Universal Token Cascade**: All 249 workflows implement the three-level fallback chain (`GH_AW_GITHUB_MCP_SERVER_TOKEN` → `GH_AW_GITHUB_TOKEN` → `GITHUB_TOKEN`), providing resilient, least-privilege token selection across 899 cascade instances.
- **AI/LLM Provider Diversity**: 7 distinct AI providers are represented. Anthropic Claude leads with 228 refs (~55% of AI key usage), followed by OpenAI (81) and Codex (80). This diversity reduces single-provider dependency.
- **`CONTEXT` Secret (Unusual Name)**: 2 occurrences of a secret named `CONTEXT` were found. It is worth verifying that the name follows naming conventions and that the value does not accidentally expose sensitive context blobs.

## Recommendations

1. **Review `CONTEXT` Secret**: Investigate the 2 workflows using `secrets.CONTEXT` to confirm the name is intentional and the value contains only expected data. Consider renaming to a more descriptive name (e.g., `GH_AW_CONTEXT`) for clarity.
2. **Monitor AI Key Growth**: Anthropic usage (228 refs) has surpassed OpenAI (81) as the primary LLM provider. Track whether new AI provider secrets are added through the standard review process.
3. **Maintain Redaction Coverage**: The current 100% redaction coverage is exemplary. Ensure any new workflows added to CI are validated to include redaction steps before merge.
## Top 20 Secrets by Usage

1. `GITHUB_TOKEN`
2. `GH_AW_GITHUB_TOKEN`
3. `GH_AW_GITHUB_MCP_SERVER_TOKEN`
4. `GH_AW_OTEL_SENTRY_AUTHORIZATION`
5. `GH_AW_OTEL_SENTRY_ENDPOINT`
6. `GH_AW_OTEL_GRAFANA_AUTHORIZATION`
7. `COPILOT_GITHUB_TOKEN`
8. `GH_AW_OTEL_GRAFANA_ENDPOINT`
9. `ANTHROPIC_API_KEY`
10. `GH_AW_CI_TRIGGER_TOKEN`
11. `GH_AW_SIDE_REPO_PAT`
12. `OPENAI_API_KEY`
13. `CODEX_API_KEY`
14. `GH_AW_AGENT_TOKEN`
15. `TAVILY_API_KEY`
16. `SENTRY_OPENAI_API_KEY`
17. `SENTRY_ACCESS_TOKEN`
18. `DD_APP_KEY`
19. `DD_APPLICATION_KEY`
20. `DD_API_KEY`

## Secret Categories Breakdown

- **GitHub Auth Tokens (8 secrets)**: `GITHUB_TOKEN`, `GH_AW_GITHUB_TOKEN`, `GH_AW_GITHUB_MCP_SERVER_TOKEN`, `COPILOT_GITHUB_TOKEN`, `GH_AW_CI_TRIGGER_TOKEN`, `GH_AW_SIDE_REPO_PAT`, `GH_AW_AGENT_TOKEN`, `GH_AW_PROJECT_GITHUB_TOKEN`
- **AI/LLM Keys (13 secrets)**: Anthropic, OpenAI, Codex, Gemini, Foundry (×2), Brave, Tavily, Antigravity, OpenRouter, Sentry-OpenAI
- **Observability (14 secrets)**: OTEL Sentry/Grafana/Datadog endpoints & auth, `DD_*`, `GRAFANA_*`, `SENTRY_ACCESS_TOKEN`, `SLACK_BOT_TOKEN`
- **Cloud/Integration (6 secrets)**: Azure (Client ID/Secret/Tenant), `NOTION_API_TOKEN`, `CONTEXT`

## Reference Documentation

- `scratchpad/secrets-yml.md`
- `actions/setup/js/redact_secrets.cjs`
- Token cascade expression: `GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN`

Generated: 2026-06-20T18:01:55Z
Workflow: §27879344731