All github.event.* context values are safely marshalled into environment variables before reaching shell steps — no direct expression interpolation in run: blocks.
🔍 Key Findings
Perfect baseline coverage: 100% of workflows have both secret redaction and explicit permissions — a strong foundation.
DIFC proxy coverage at 60%: 155 of 257 workflows run with the DIFC outbound traffic proxy. The 102 non-DIFC workflows are primarily read-only audit/analysis workflows (e.g., ace-editor, agentic-token-audit), suggesting this split is intentional by security tier.
Dual Datadog key names: DD_APP_KEY (10 refs) and DD_APPLICATION_KEY (10 refs) coexist and are used as mutual fallbacks (${{ secrets.DD_APPLICATION_KEY || secrets.DD_APP_KEY }}). While safe, maintaining two secrets for the same purpose increases operational overhead.
Low-use secrets: Five secrets have only 1–2 occurrences — SLACK_BOT_TOKEN (1), OPENROUTER_API_KEY (1), GH_AW_OTEL_DATADOG_ENDPOINT (1), CONTEXT7_API_KEY (2), GH_AW_OTEL_DATADOG_ENDPOINT (1) — concentrated in single workflows. Worth auditing for continued necessity.
Azure credential isolation: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID appear exclusively in mcp-inspector.lock.yml (2 refs each) — well-isolated.
AI key concentration: ANTHROPIC_API_KEY is the dominant AI key (242 refs, 62 workflows / 24%). OPENAI_API_KEY (87 refs) and CODEX_API_KEY (86 refs) follow, suggesting near-equivalent Codex/OpenAI rollout.
💡 Recommendations
Consolidate DD_APP_KEY / DD_APPLICATION_KEY: Choose one canonical name and migrate all references. The current cascade pattern works but adds confusion.
Audit single-use secrets: Review SLACK_BOT_TOKEN, OPENROUTER_API_KEY, CONTEXT7_API_KEY, and GH_AW_OTEL_DATADOG_ENDPOINT — if the hosting workflow is experimental or deprecated, revoke and remove these secrets to reduce the attack surface.
Document DIFC coverage split: The 60%/40% DIFC/non-DIFC split appears intentional but is not documented. Adding a comment or manifest field (security_tier: standard|enhanced) would make the distinction explicit and auditable.
🔑 All 39 Secrets by Usage
| Rank | Secret Name | Occurrences | Category |
|---|---|---|---|
| 1 | GITHUB_TOKEN | 4,227 | GitHub Token |
| 2 | GH_AW_GITHUB_TOKEN | 3,320 | GitHub Token |
| 3 | GH_AW_GITHUB_MCP_SERVER_TOKEN | 1,401 | GitHub Token (MCP) |
| 4 | GH_AW_OTEL_SENTRY_AUTHORIZATION | 711 | Observability |
| 5 | GH_AW_OTEL_SENTRY_ENDPOINT | 475 | Observability |
| 6 | GH_AW_OTEL_GRAFANA_AUTHORIZATION | 473 | Observability |
| 7 | COPILOT_GITHUB_TOKEN | 448 | GitHub Token |
| 8 | ANTHROPIC_API_KEY | 242 | AI API Key |
| 9 | GH_AW_OTEL_GRAFANA_ENDPOINT | 237 | Observability |
| 10 | OPENAI_API_KEY | 87 | AI API Key |
| 11 | CODEX_API_KEY | 86 | AI API Key |
| 12 | GH_AW_CI_TRIGGER_TOKEN | 60 | CI/CD Token |
| 13 | GH_AW_SIDE_REPO_PAT | 24 | GitHub PAT |
| 14 | GH_AW_AGENT_TOKEN | 14 | GitHub Token |
| 15 | TAVILY_API_KEY | 12 | AI Tool API |
| 16 | SENTRY_OPENAI_API_KEY | 10 | AI API Key |
| 17 | SENTRY_ACCESS_TOKEN | 10 | Observability |
| 18 | DD_APP_KEY | 10 | Observability (Datadog) |
| 19 | DD_APPLICATION_KEY | 10 | Observability (Datadog) |
| 20 | DD_API_KEY | 8 | Observability (Datadog) |
| 21 | GH_AW_PROJECT_GITHUB_TOKEN | 7 | GitHub Token |
| 22 | DD_SITE | 7 | Observability (Datadog) |
| 23 | NOTION_API_TOKEN | 6 | Integration |
| 24 | GRAFANA_URL | 6 | Observability |
| 25 | GRAFANA_SERVICE_ACCOUNT_TOKEN | 6 | Observability |
| 26 | FOUNDRY_OPENAI_ENDPOINT | 6 | AI API Endpoint |
| 27 | ANTIGRAVITY_API_KEY | 6 | AI API Key |
| 28 | GEMINI_API_KEY | 5 | AI API Key |
| 29 | BRAVE_API_KEY | 4 | Search API |
| 30 | FOUNDRY_API_KEY | 3 | AI API Key |
| 31 | AWI_MAINTENANCE_TOKEN | 3 | GitHub Token |
| 32 | GH_AW_OTEL_DATADOG_API_KEY | 2 | Observability |
| 33 | CONTEXT7_API_KEY | 2 | Documentation API |
| 34 | AZURE_TENANT_ID | 2 | Azure Auth |
| 35 | AZURE_CLIENT_SECRET | 2 | Azure Auth |
| 36 | AZURE_CLIENT_ID | 2 | Azure Auth |
| 37 | SLACK_BOT_TOKEN | 1 | Messaging |
| 38 | OPENROUTER_API_KEY | 1 | AI API Key |
| 39 | GH_AW_OTEL_DATADOG_ENDPOINT | 1 | Observability |

Note: Count reflects all occurrences including token cascade chains (e.g., secrets.A || secrets.B || secrets.C counts as 3 refs).
🔐 Daily Secrets Analysis Report
Date: 2026-06-29
Workflow Files Analyzed: 257
Run: §28393458702
📊 Distribution Statistics
Step-level env blocks: 13,439
Job-level env blocks: 1,559
AI API key-bearing workflows: 62/257 (24%) — includes ANTHROPIC, OPENAI, GEMINI, CODEX, FOUNDRY, OPENROUTER, BRAVE, TAVILY
Observability-instrumented workflows: All 257 (via GH_AW_OTEL_* secrets)
github.event.* usage pattern: 4,573 total references, all safely via env: variable assignment — zero direct shell interpolation confirmed.
📖 Reference Documentation
scratchpad/secrets-yml.md
actions/setup/js/redact_secrets.cjs
secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN

Generated: 2026-06-29T18:21 UTC
Workflow: §28393458702