[daily secrets] Secret Usage Analysis — 2026-07-16 #46061
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #46290. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-16
Workflow Files Analyzed: 258
Run: §29521850438
📊 Executive Summary
secrets.*Referencesgithub.tokenReferences🛡️ Security Posture
✅ Redaction System: 258/258 workflows (100%) include
redact_secretssteps✅ Token Cascades: 929 instances of
GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENfallback chains✅ Permission Blocks: 258 workflows have explicit
permissions:definitions✅ Secrets in Job Outputs: 0 confirmed secret leaks into job-level
outputs:blocksi️
github.event.*Usage: 4,620 references — all appear insideenv:mappings (no unsafe inline interpolation inrun:steps)🎯 Key Findings
GITHUB_TOKEN(4,271),GH_AW_GITHUB_TOKEN(3,653), andGH_AW_GITHUB_MCP_SERVER_TOKEN(1,703) together account for ~56% of all secret references, consistent with the cascading token pattern used across all agent workflows.ANTHROPIC_API_KEY(243) andOPENAI_API_KEY(93) are widely referenced, reflecting the multi-model AI agent architecture.CODEX_API_KEY(92) andGEMINI_API_KEY(5) also present.SLACK_BOT_TOKEN(1),OPENROUTER_API_KEY(1),AZURE_*(2 each), andFOUNDRY_API_KEY(3) are used in very few workflows.💡 Recommendations
SLACK_BOT_TOKEN,OPENROUTER_API_KEY,FOUNDRY_*,AZURE_*) should be verified as intentionally present and not orphaned credentials.COPILOT_GITHUB_TOKENgrowth: At 728 references, this token is expanding and warrants a periodic access-scope audit.CONTEXTsecret: Only 2 references to a secret namedCONTEXT— verify this is intentional and not a naming collision with environment variables.🔑 Top 10 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEY📋 All 40 Unique Secret Types
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYSENTRY_OPENAI_API_KEYSENTRY_ACCESS_TOKENDD_APP_KEYDD_APPLICATION_KEYDD_API_KEYDD_SITENOTION_API_TOKENGRAFANA_URLGRAFANA_SERVICE_ACCOUNT_TOKENFOUNDRY_OPENAI_ENDPOINTANTIGRAVITY_API_KEYGH_AW_PROJECT_GITHUB_TOKENGEMINI_API_KEYBRAVE_API_KEYAWI_MAINTENANCE_TOKENFOUNDRY_API_KEYGH_AW_OTEL_DATADOG_API_KEYCONTEXTAZURE_TENANT_IDAZURE_CLIENT_SECRETAZURE_CLIENT_IDSLACK_BOT_TOKENOPENROUTER_API_KEYGH_AW_OTEL_DATADOG_ENDPOINT📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: 2026-07-16 17:59 UTC
Workflow: §29521850438
Beta Was this translation helpful? Give feedback.
All reactions