[daily secrets] Secrets Analysis Report — 2026-07-17 #46290
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #46466. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-17
Workflow Files Analyzed: 258
Run: §29601845517
📊 Executive Summary
secrets.*referencesgithub.tokenreferences🛡️ Security Posture
✅ Redaction System: All 258 workflows include
redact_secretssteps — full coverage✅ Permission Blocks: All 258 workflows have explicit
permissions:declarations✅ Token Cascades: 929 instances of
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKENfallback chains — consistent least-privilege pattern✅ Secrets in Job Outputs: The one detected match (
github-tokeninbot-detection.lock.yml) is awith:input parameter to an action, not a true output exposure — false positivei️ Event Interpolation: 4,620
github.event.*references outsideenv:blocks — these are standard Actions expression patterns (numeric IDs, not free-text), expected for agentic workflows🎯 Key Findings
GITHUB_TOKEN4,272 ·GH_AW_GITHUB_TOKEN3,654 ·GH_AW_GITHUB_MCP_SERVER_TOKEN1,703) account for 88% of allsecrets.*references, reflecting the core MCP gateway authentication model.ANTHROPIC_API_KEY(243),OPENAI_API_KEY(93),CODEX_API_KEY(92) are used in a subset of agent workflows, appropriately scoped.SLACK_BOT_TOKEN,OPENROUTER_API_KEY,CONTEXT,AWI_MAINTENANCE_TOKEN, etc.) — confirm they are still active and needed.💡 Recommendations
COPILOT_GITHUB_TOKEN: At 727 references it is the 4th-most-used token. Confirm it cannot be substituted with the already-cascadedGH_AW_GITHUB_MCP_SERVER_TOKENto reduce token types.|| secrets.GITHUB_TOKENfallback) is recommended monthly.🔑 Top 10 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEY📋 Low-Frequency Secrets (≤6 uses)
SLACK_BOT_TOKENOPENROUTER_API_KEYGH_AW_OTEL_DATADOG_ENDPOINTFOUNDRY_API_KEYAWI_MAINTENANCE_TOKENBRAVE_API_KEYGH_AW_PROJECT_GITHUB_TOKENCONTEXTAZURE_CLIENT_IDAZURE_CLIENT_SECRETAZURE_TENANT_IDANTIGRAVITY_API_KEY📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: 2026-07-17 17:57 UTC
Workflow: §29601845517
Beta Was this translation helpful? Give feedback.
All reactions