You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
β Redaction System: Every workflow (258/258) includes a redact_secrets step β all secret values are masked from logs before they can be exposed.
β Explicit Permissions: Every workflow (258/258) declares a permissions: block, enforcing least-privilege access.
β Token Cascade Pattern: 931 instances of the 3-tier fallback (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) provide graceful degradation.
β No Secrets in Outputs: Zero secret values found in job outputs: definitions β no cross-job secret leakage paths detected.
β No Unsafe User-Content Interpolation: No direct interpolation of user-supplied fields (body/title/comment) into run: scripts detected β template injection risk is low.
β No secrets: inherit: No workflows use broad secrets: inherit forwarding.
π― Key Findings
GitHub Token Dominance: secrets.GITHUB_TOKEN (4,254) and secrets.GH_AW_GITHUB_TOKEN (3,333) account for ~100% of all 7,577 secret references combined with the MCP server token (1,408). Authentication tokens are the most pervasive secret type by a large margin.
Observability Surface: 5 OTEL-related secrets (GH_AW_OTEL_SENTRY_AUTHORIZATION, GH_AW_OTEL_SENTRY_ENDPOINT, GH_AW_OTEL_GRAFANA_AUTHORIZATION, GH_AW_OTEL_GRAFANA_ENDPOINT) appear in 711β237 occurrences each, reflecting a consistent telemetry pattern across all agentic workflows.
AI/ML Key Diversity: 11 distinct AI/ML API keys are in use (Anthropic, OpenAI, Codex, Gemini, Tavily, Brave, Foundry, AntiGravity, OpenRouter, Sentry-OpenAI, Context7), spanning multiple providers. ANTHROPIC_API_KEY (238) and OPENAI_API_KEY (81) lead this category.
Narrow-Scope Secrets: SLACK_BOT_TOKEN (1), OPENROUTER_API_KEY (1), and GH_AW_OTEL_DATADOG_ENDPOINT (1) appear in a single workflow each β indicating single-purpose integrations.
Artifact in Secret Scan: secrets.cjs (258 occurrences) is a false positive from redact_secrets.cjs file path references, not an actual secret. All 39 true secret names use UPPER_SNAKE_CASE convention.
π‘ Recommendations
Review Narrow-Scope Secrets: SLACK_BOT_TOKEN, OPENROUTER_API_KEY, GH_AW_OTEL_DATADOG_ENDPOINT, and SENTRY_ACCESS_TOKEN appear in only 1 workflow each. Verify these are still needed and consider consolidating or documenting them.
Audit Duplicate Datadog Keys: Both DD_API_KEY and GH_AW_OTEL_DATADOG_API_KEY exist for Datadog (8 vs 2 occurrences), as do DD_APP_KEY/DD_APPLICATION_KEY. Consider standardizing to a single naming convention.
Context7 Secret Tracking: CONTEXT7_API_KEY appears in the scan β verify it is intentionally in use and properly documented in the secrets inventory.
Continue Monitoring github.event.* Patterns: While no unsafe interpolation into run: scripts was found, 4,594 expression-level github.event.* references exist outside env: blocks (primarily in if: conditions and inline expressions). These are structurally safe by design but warrant periodic review as new workflows are added.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
π Daily Secrets Analysis Report
Date: 2026-07-06
Workflow Files Analyzed: 258
Run: Β§28813483784
π Executive Summary
secrets.*Referencesgithub.tokenReferencesπ‘οΈ Security Posture
β Redaction System: Every workflow (258/258) includes a
redact_secretsstep β all secret values are masked from logs before they can be exposed.β Explicit Permissions: Every workflow (258/258) declares a
permissions:block, enforcing least-privilege access.β Token Cascade Pattern: 931 instances of the 3-tier fallback (
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) provide graceful degradation.β No Secrets in Outputs: Zero secret values found in job
outputs:definitions β no cross-job secret leakage paths detected.β No Unsafe User-Content Interpolation: No direct interpolation of user-supplied fields (body/title/comment) into
run:scripts detected β template injection risk is low.β No
secrets: inherit: No workflows use broadsecrets: inheritforwarding.π― Key Findings
secrets.GITHUB_TOKEN(4,254) andsecrets.GH_AW_GITHUB_TOKEN(3,333) account for ~100% of all 7,577 secret references combined with the MCP server token (1,408). Authentication tokens are the most pervasive secret type by a large margin.GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINT,GH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINT) appear in 711β237 occurrences each, reflecting a consistent telemetry pattern across all agentic workflows.ANTHROPIC_API_KEY(238) andOPENAI_API_KEY(81) lead this category.SLACK_BOT_TOKEN(1),OPENROUTER_API_KEY(1), andGH_AW_OTEL_DATADOG_ENDPOINT(1) appear in a single workflow each β indicating single-purpose integrations.secrets.cjs(258 occurrences) is a false positive fromredact_secrets.cjsfile path references, not an actual secret. All 39 true secret names useUPPER_SNAKE_CASEconvention.π‘ Recommendations
SLACK_BOT_TOKEN,OPENROUTER_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINT, andSENTRY_ACCESS_TOKENappear in only 1 workflow each. Verify these are still needed and consider consolidating or documenting them.DD_API_KEYandGH_AW_OTEL_DATADOG_API_KEYexist for Datadog (8 vs 2 occurrences), as doDD_APP_KEY/DD_APPLICATION_KEY. Consider standardizing to a single naming convention.CONTEXT7_API_KEYappears in the scan β verify it is intentionally in use and properly documented in the secrets inventory.github.event.*Patterns: While no unsafe interpolation intorun:scripts was found, 4,594 expression-levelgithub.event.*references exist outsideenv:blocks (primarily inif:conditions and inline expressions). These are structurally safe by design but warrant periodic review as new workflows are added.π Top 15 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONCOPILOT_GITHUB_TOKENANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYπ Secret Inventory by Category
GitHub Auth (6):
GITHUB_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,COPILOT_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GH_AW_PROJECT_GITHUB_TOKEN,GH_AW_AGENT_TOKENObservability / OTEL (14):
GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINT,GH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINT,SENTRY_ACCESS_TOKEN,SENTRY_OPENAI_API_KEY,DD_API_KEY,DD_APP_KEY,DD_APPLICATION_KEY,DD_SITE,GH_AW_OTEL_DATADOG_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINT,GRAFANA_URL,GRAFANA_SERVICE_ACCOUNT_TOKENAI/ML APIs (11):
ANTHROPIC_API_KEY,OPENAI_API_KEY,CODEX_API_KEY,GEMINI_API_KEY,TAVILY_API_KEY,BRAVE_API_KEY,FOUNDRY_API_KEY,FOUNDRY_OPENAI_ENDPOINT,ANTIGRAVITY_API_KEY,OPENROUTER_API_KEY,CONTEXT7_API_KEYCI/CD (1):
GH_AW_CI_TRIGGER_TOKENCloud / Identity (3):
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_IDIntegrations (4):
NOTION_API_TOKEN,SLACK_BOT_TOKEN,AWI_MAINTENANCE_TOKEN,GH_AW_COPILOT_GITHUB_TOKENπ Trends (Baseline Established)
This is the first run establishing the baseline for future comparisons.
secrets.*refsgithub.tokenrefsFuture runs will compare against this baseline.
π Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENGenerated: 2026-07-06T18:20:33Z
Workflow: Β§28813483784
Beta Was this translation helpful? Give feedback.
All reactions