[daily secrets] Secret Usage Analysis – 2026-07-10 #44808
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #44999. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-10
Workflow Files Analyzed: 256
Run: §29113444343
📊 Executive Summary
secrets.*github.token🛡️ Security Posture
✅ Redaction System: 256/256 (100%) workflows include
redact_secretssteps✅ Permission Blocks: 256/256 (100%) workflows define explicit
permissions:✅ Token Cascades: 922 instances of
GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENfallback chains✅ Secrets in Job Outputs: No confirmed secret value leakage in job outputs
✅ Expression Injection:
github.event.*references assigned toenv:variables (correct pattern) — no unsafe inline interpolation found🎯 Key Findings
GITHUB_TOKEN(4,236),GH_AW_GITHUB_TOKEN(3,618), andGH_AW_GITHUB_MCP_SERVER_TOKEN(1,690) account for ~73% of all secret references. The token cascade pattern provides a clean fallback hierarchy.github.tokenusage: 1,567 references indicate many steps rely on the built-in ephemeral token in addition to PATs — a positive sign.ANTHROPIC_API_KEY(242),OPENAI_API_KEY(81),CODEX_API_KEY(80),GEMINI_API_KEY(5),OPENROUTER_API_KEY(1) — broad AI provider coverage across agentic workflows.💡 Recommendations
COPILOT_GITHUB_TOKENusage (701 occurrences): Verify these are only in workflows requiring Copilot-specific scopes, not as a general PAT substitute.GH_AW_SIDE_REPO_PAT(24) andGH_AW_AGENT_TOKEN(15): Lower-usage tokens with broad names — confirm least-privilege scopes and document purpose.ANTHROPIC_API_KEY,OPENAI_API_KEY,CODEX_API_KEY,GEMINI_API_KEY,OPENROUTER_API_KEY). Periodically rotate and audit which workflows consume each.AWI_MAINTENANCE_TOKEN(4) andSLACK_BOT_TOKEN(1): Low-frequency tokens may indicate legacy integrations; confirm still needed.🔑 Top 20 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYSENTRY_OPENAI_API_KEYSENTRY_ACCESS_TOKENDD_APP_KEYDD_APPLICATION_KEYDD_API_KEY📋 All 40 Secret Types
ANTHROPIC_API_KEY,ANTIGRAVITY_API_KEY,AWI_MAINTENANCE_TOKEN,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,BRAVE_API_KEY,CODEX_API_KEY,CONTEXT,COPILOT_GITHUB_TOKEN,DD_API_KEY,DD_APPLICATION_KEY,DD_APP_KEY,DD_SITE,FOUNDRY_API_KEY,FOUNDRY_OPENAI_ENDPOINT,GEMINI_API_KEY,GH_AW_AGENT_TOKEN,GH_AW_CI_TRIGGER_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_OTEL_DATADOG_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINT,GH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINT,GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINT,GH_AW_PROJECT_GITHUB_TOKEN,GH_AW_SIDE_REPO_PAT,GITHUB_TOKEN,GRAFANA_SERVICE_ACCOUNT_TOKEN,GRAFANA_URL,NOTION_API_TOKEN,OPENAI_API_KEY,OPENROUTER_API_KEY,SENTRY_ACCESS_TOKEN,SENTRY_OPENAI_API_KEY,SLACK_BOT_TOKEN,TAVILY_API_KEY📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: 2026-07-10T18:09:35Z
Workflow Run: §29113444343
Beta Was this translation helpful? Give feedback.
All reactions