[daily secrets] Secrets Analysis Report - 2026-04-30

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-30
Workflow Files Analyzed: 205
Run: §25188653607

---

📊 Executive Summary

Metric	Value
Total secrets.* References	7,302
github.token References	822
Unique Secret Types	31
Workflows Analyzed	205

Total Secret Surface: 8,124 references across 205 compiled workflow files.

The dominant secrets are GitHub tokens (GITHUB_TOKEN: 2,608 and GH_AW_GITHUB_TOKEN: 2,521), accounting for ~62% of all secret references. The three-tier token cascade pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN) is consistently applied across all workflows.

---

🛡️ Security Posture

Control	Status	Coverage
Redaction System	✅ Active	205/205 workflows (100%)
Token Cascade Fallback	✅ Active	766 instances
Explicit Permission Blocks	✅ Active	205/205 workflows (100%)
Secrets in Job Outputs	✅ None found	0 direct secrets in output values

All 205 workflows have both redaction steps and explicit permission blocks — full coverage on both controls.

---

🔍 Security Findings

✅ No Secrets Exposed in Job Outputs

No workflow exports a secret value as a job output. The 35 references found near outputs: sections are false positives — they are env variable assignments in steps that happen to follow a job's outputs block in the YAML structure.

✅ github.event.* Usage is Safe

2,559 uses of github.event.* were detected. Investigation confirms these are all in safe YAML expression contexts (if: conditions, concurrency group keys, env variable assignments) — none appear as raw shell string interpolation in run: scripts.

✅ Token Cascade Pattern Consistently Applied

766 instances of the three-tier cascade GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN provide resilient fallback without hard-coding a single token dependency.

⚠️ Niche Secrets with Low Coverage

Several secrets appear in only 1–4 workflows (OPENROUTER_API_KEY, GH_AW_PLUGINS_TOKEN, SLACK_BOT_TOKEN, Azure credentials, Datadog keys, Sentry tokens). These are expected for specialized integrations but should be audited periodically to confirm they're still active and necessary.

---

💡 Recommendations

1. Audit low-usage secrets: Review the 12 secrets with ≤4 occurrences to confirm they are still needed. Deprecated integrations should have their secrets removed to reduce secret surface area.
2. Monitor ANTHROPIC_API_KEY growth: At 236 references across Claude-engine workflows, this is growing with Claude adoption. Ensure the key has appropriate rate limits and scoping.
3. CONTEXT secret: The CONTEXT secret name (2 occurrences) is ambiguous — consider renaming to a more descriptive name to improve auditability.

---

🔑 All 31 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,608	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,521	GitHub Token (PAT)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,146	GitHub Token (MCP)
4	COPILOT_GITHUB_TOKEN	328	GitHub Token (Copilot)
5	ANTHROPIC_API_KEY	236	AI Engine
6	GH_AW_OTEL_HEADERS	92	Observability
7	GH_AW_OTEL_ENDPOINT	92	Observability
8	OPENAI_API_KEY	66	AI Engine
9	CODEX_API_KEY	66	AI Engine
10	GH_AW_CI_TRIGGER_TOKEN	48	CI/CD
11	GH_AW_SIDE_REPO_PAT	19	GitHub Token (cross-repo)
12	GH_AW_AGENT_TOKEN	15	GitHub Token (agent)
13	TAVILY_API_KEY	13	External Tool
14	GH_AW_PROJECT_GITHUB_TOKEN	7	GitHub Token (project)
15	NOTION_API_TOKEN	6	External Tool
16	SENTRY_OPENAI_API_KEY	4	AI Engine (Sentry)
17	SENTRY_ACCESS_TOKEN	4	External Tool
18	GEMINI_API_KEY	4	AI Engine
19	BRAVE_API_KEY	4	External Tool
20	DD_SITE	3	Observability
21	DD_APPLICATION_KEY	3	Observability
22	DD_API_KEY	3	Observability
23	SENTRY_API_KEY	2	External Tool
24	CONTEXT	2	Unknown
25	AZURE_TENANT_ID	2	Cloud (Azure)
26	AZURE_CLIENT_SECRET	2	Cloud (Azure)
27	AZURE_CLIENT_ID	2	Cloud (Azure)
28	SLACK_BOT_TOKEN	1	External Tool
29	OPENROUTER_API_KEY	1	AI Engine
30	GH_AW_PLUGINS_TOKEN	1	GitHub Token (plugins)
31	(1 more not shown)	—	—

📖 Reference Documentation

• Secret usage specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs
• Token cascade pattern: implemented in all compiled workflow env blocks

---

Generated: 2026-04-30T20:52 UTC

Generated by Daily Secrets Analysis Agent · ● 595K · ◷

• expires on May 3, 2026, 8:55 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #29586.