[daily secrets] Secrets Analysis Report — 2026-07-05 #43604
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #43852. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-05
Workflow Files Analyzed: 258
Run: §28749697979
📊 Executive Summary
secrets.*referencessecrets.*github.tokenreferencesSecrets span 3 major categories: GitHub tokens (75% of refs), observability (17%), and AI/LLM API keys (3.5%), with the remainder covering cloud infra, Slack, Notion, and PATs.
🛡️ Security Posture
All 258 workflows include explicit
permissions:blocks andredact_secretssteps — indicating consistent baseline security hygiene across the full workflow suite.The 13
github.event.*usages in run: blocks are all passed via environment variable assignments (not raw shell interpolation), making exploitation difficult. They reference PR numbers, SHAs, and run IDs — numeric or hash values with limited injection surface.Token-heavy footprint:
GITHUB_TOKEN+GH_AW_GITHUB_TOKENalone account for ~62% of all secret references (7,585 of 12,234). This is expected for an agentic workflow platform but warrants monitoring for unauthorized expansion.Observability secrets widely distributed:
GH_AW_OTEL_SENTRY_*andGH_AW_OTEL_GRAFANA_*appear in 1,896 references across workflows — ensuring telemetry but increasing the blast radius if these are compromised.AI API key usage dominated by Anthropic:
ANTHROPIC_API_KEY(242) leads, followed byOPENAI_API_KEY(81) andCODEX_API_KEY(80). 9 distinct AI provider keys are in use, suggesting broad multi-model strategy.Azure credentials present (limited):
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET, andAZURE_TENANT_IDeach appear only 2 times — tightly scoped, low exposure.Stale or legacy keys:
NOTION_API_TOKEN,SLACK_BOT_TOKEN, andSENTRY_OPENAI_API_KEYappear in <15 references each — verify these are actively needed.💡 Recommendations
Audit
GH_AW_OTEL_*scope: With 1,896 references across observability secrets, ensure these are scoped to workflows that genuinely require telemetry and not inherited broadly.Review
github.event.*in run: blocks: While low risk today (env: wrapper), consider pre-computing these values in a${{ }}expression context to follow defense-in-depth.Rationalize AI API keys: With 9 distinct AI providers, review if all are actively used. Unused keys in compiled workflows should be removed to minimize secret sprawl.
Monitor GITHUB_TOKEN usage growth: At 4,253 refs, ensure
GITHUB_TOKENusage follows least-privilege patterns and is not used where a more scoped token would suffice.Validate
SLACK_BOT_TOKEN/NOTION_API_TOKEN: Low reference counts (<10 each) may indicate unused integrations — audit and revoke if not needed.🔑 Top 10 Secrets by Reference Count
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONCOPILOT_GITHUB_TOKENANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEY🤖 AI/LLM API Keys Breakdown
ANTHROPIC_API_KEYOPENAI_API_KEYCODEX_API_KEYTAVILY_API_KEYANTIGRAVITY_API_KEYGEMINI_API_KEYFOUNDRY_API_KEYFOUNDRY_OPENAI_ENDPOINTBRAVE_API_KEYOPENROUTER_API_KEYTotal AI/LLM secret refs: ~436 across 9 providers
📡 Observability Secrets Breakdown
GH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONGH_AW_OTEL_GRAFANA_ENDPOINTDD_APP_KEYDD_APPLICATION_KEYSENTRY_ACCESS_TOKENSENTRY_OPENAI_API_KEYDD_API_KEYGRAFANA_SERVICE_ACCOUNT_TOKENGRAFANA_URLThese use
${{ github.event.* }}inrun:step blocks, passed via env:ci-doctor.lock.ymlRUN_ID: ${{ github.event.workflow_run.id }}ci-doctor.lock.ymlHEAD_SHA: ${{ github.event.pull_request.head.sha }}ci-doctor.lock.ymlPR_NUMBER: ${{ github.event.pull_request.number }}agentic-token-trend-audit.lock.ymlDATE_RANGE_INPUT: ${{ github.event.inputs.date_range }}deep-report.lock.ymlREPO_NAME: ${{ github.event.repository.name }}uk-ai-operational-resilience.lock.ymlLOOKBACK_DAYS: ${{ github.event.inputs.lookback_days || '7' }}design-decision-gate.lock.ymlPR_NUMBER: ${{ github.event.pull_request.number || github.event.inputs.pr_number }}test-quality-sentinel.lock.ymlimpeccable-skills-reviewer.lock.ymlPR_NUMBER: ${{ github.event.pull_request.number }}pr-description-caveman.lock.ymlmattpocock-skills-reviewer.lock.ymlPR_NUMBER: ${{ github.event.pull_request.number }}All values are numeric/SHA types with minimal injection surface. Risk level: Low.
📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: 2026-07-05 17:58 UTC
Analyzed: 258
.lock.ymlfiles across.github/workflows/Beta Was this translation helpful? Give feedback.
All reactions