You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Template Injection Risk — Needs Review
Found 4,575 occurrences of github.event.* references outside of env: blocks. These could represent expression injection risks if user-controlled event data flows into shell commands via inline expressions. Each instance should be verified to ensure data is passed via environment variables, not inline expressions.
Secrets in Job Outputs
Found 33 potential cases where secrets appear in job outputs sections. On closer inspection these appear to be secrets.GITHUB_TOKEN passed as github-token: action inputs (standard pattern). No critical exposure found.
🎯 Key Findings
Universal Security Controls: All 256 workflows have both redaction steps and explicit permissions — excellent baseline posture.
Token Cascade Pattern: 922 uses of the three-tier token fallback chain ensures workflows degrade gracefully across permission levels.
AI Provider Diversity: 40 unique secret types reflect the breadth of AI/ML integrations (Anthropic, OpenAI, Gemini, Codex, Foundry, OpenRouter, etc.).
GITHUB_TOKEN Dominance: secrets.GITHUB_TOKEN (4,238) + secrets.GH_AW_GITHUB_TOKEN (3,618) together account for ~94% of all secret references — most secrets are authentication tokens, not sensitive data keys.
Audit Template Injection Risks: Review the 4,575 github.event.* usages outside env: blocks. Ensure all user-controlled data is passed via environment variables (not inline ${{ }} expressions in shell). Run actionlint to surface unsafe expression uses.
Validate Secrets in Outputs: Confirm the 33 flagged cases are all safe github-token: input patterns, not raw secret values exported as job outputs.
Secret Rotation Schedule: With 40+ unique secret types across AI providers, consider documenting rotation cadence for each category.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-11
Workflow Files Analyzed: 256
Run: §29162449342
📊 Executive Summary
secrets.*Referencesgithub.tokenReferencesenvBlocksenvBlocks🛡️ Security Posture
✅ Redaction System: 256/256 workflows have
redact_secretssteps (100% coverage)✅ Token Cascades: 922 instances of
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKENfallback chains✅ Permission Blocks: 256 explicit
permissions:definitions (100% coverage)Template Injection Risk — Needs Review
Found 4,575 occurrences of
github.event.*references outside ofenv:blocks. These could represent expression injection risks if user-controlled event data flows into shell commands via inline expressions. Each instance should be verified to ensure data is passed via environment variables, not inline expressions.Secrets in Job Outputs
Found 33 potential cases where secrets appear in job outputs sections. On closer inspection these appear to be
secrets.GITHUB_TOKENpassed asgithub-token:action inputs (standard pattern). No critical exposure found.🎯 Key Findings
secrets.GITHUB_TOKEN(4,238) +secrets.GH_AW_GITHUB_TOKEN(3,618) together account for ~94% of all secret references — most secrets are authentication tokens, not sensitive data keys.💡 Recommendations
github.event.*usages outsideenv:blocks. Ensure all user-controlled data is passed via environment variables (not inline${{ }}expressions in shell). Runactionlintto surface unsafe expression uses.github-token:input patterns, not raw secret values exported as job outputs.🔑 Top 15 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEY🗂️ All Secret Types by Category
GitHub Auth:
GITHUB_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,COPILOT_GITHUB_TOKEN,GH_AW_CI_TRIGGER_TOKEN,GH_AW_SIDE_REPO_PAT,GH_AW_AGENT_TOKEN,GH_AW_PROJECT_GITHUB_TOKEN,AWI_MAINTENANCE_TOKENAI Providers:
ANTHROPIC_API_KEY,OPENAI_API_KEY,CODEX_API_KEY,GEMINI_API_KEY,FOUNDRY_API_KEY,FOUNDRY_OPENAI_ENDPOINT,OPENROUTER_API_KEY,BRAVE_API_KEY,ANTIGRAVITY_API_KEY,SENTRY_OPENAI_API_KEYObservability:
GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINT,GH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINT,GH_AW_OTEL_DATADOG_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINT,DD_API_KEY,DD_APPLICATION_KEY,DD_APP_KEY,DD_SITE,GRAFANA_SERVICE_ACCOUNT_TOKEN,GRAFANA_URL,SENTRY_ACCESS_TOKENOther:
NOTION_API_TOKEN,SLACK_BOT_TOKEN,TAVILY_API_KEY,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,CONTEXT📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: Sat Jul 11 17:56:12 UTC 2026
Workflow Run: §29162449342
Beta Was this translation helpful? Give feedback.
All reactions