You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All 259 workflows have 100% baseline security controls in place. No template-injection risks, no secrets in run-script interpolations, and no secret values exposed via job outputs.
🎯 Key Findings
Token cascade is universal — All 259 workflows use the three-tier fallback GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN, providing consistent least-privilege token resolution.
GitHub tokens dominate secret usage — 10,462 references (≈78% of all named secret refs) are GitHub authentication tokens. The remaining 22% covers AI/LLM API keys and observability credentials.
Observability secrets are heavily replicated — Sentry and Grafana endpoints/auth pairs account for 1,896 references combined across workflows, suggesting a shared telemetry injection pattern.
ANTHROPIC_API_KEY is the top AI key — 242 references, 3× more than OpenAI (81) and Codex (80), reflecting heavy reliance on Claude-family models.
echo secrets.* grep returned 3 false positives — All three are benign: one is a string literal in a release audit step, two are error-message templates in smoke tests advising users to configure the secret. No actual secret values are echoed.
💡 Recommendations
Consider consolidating DD_APP_KEY / DD_APPLICATION_KEY — Both names appear with the same count (10), suggesting a naming inconsistency across workflows that could cause confusion or silent misconfiguration.
Review CONTEXT (2 refs) and OPENROUTER_API_KEY (1 ref) — Very low-usage secrets may be legacy or unused. Auditing them reduces the secret surface area.
Audit AZURE_ secrets (2 refs each)* — Only 2 usages per key suggests limited or experimental usage. Verify these are still needed or rotate/remove if not.
Monitor AI key diversification — With 10 distinct AI/LLM API key types, consider a secrets inventory policy to track key owners and rotation schedules.
🔑 Top 20 Secrets by Usage
Rank
Secret Name
Occurrences
Category
1
GITHUB_TOKEN
4,275
GitHub Auth
2
GH_AW_GITHUB_TOKEN
3,651
GitHub Auth
3
GH_AW_GITHUB_MCP_SERVER_TOKEN
1,711
GitHub Auth
4
COPILOT_GITHUB_TOKEN
715
GitHub Auth
5
GH_AW_OTEL_SENTRY_AUTHORIZATION
711
Observability
6
GH_AW_OTEL_SENTRY_ENDPOINT
475
Observability
7
GH_AW_OTEL_GRAFANA_AUTHORIZATION
473
Observability
8
ANTHROPIC_API_KEY
242
AI/LLM
9
GH_AW_OTEL_GRAFANA_ENDPOINT
237
Observability
10
OPENAI_API_KEY
81
AI/LLM
11
CODEX_API_KEY
80
AI/LLM
12
GH_AW_CI_TRIGGER_TOKEN
60
GitHub Auth
13
GH_AW_SIDE_REPO_PAT
24
GitHub Auth
14
GH_AW_AGENT_TOKEN
15
GitHub Auth
15
TAVILY_API_KEY
12
AI/LLM
16
DD_APPLICATION_KEY
10
Observability
17
DD_APP_KEY
10
Observability
18
SENTRY_OPENAI_API_KEY
10
AI/LLM
19
SENTRY_ACCESS_TOKEN
10
Observability
20
GH_AW_CI_TRIGGER_TOKEN
60
GitHub Auth
📂 Secret Categories Breakdown
Category
Unique Keys
Total References
% of Total
GitHub Auth Tokens
9
10,462
~78%
Observability (Sentry/Grafana/DD)
13
1,956
~15%
AI / LLM API Keys
10
444
~3%
Other (Notion, Azure, Slack, etc.)
8
15
<1%
github.token (inline)
1
1,578
~12%
Note: Percentages are relative to named secrets.* references (8,466 total). github.token (1,578) is counted separately as it references the built-in workflow token.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-08
Workflow Files Analyzed: 259
Run: §28964743409
📊 Executive Summary
secrets.*referencesgithub.tokenreferencesgithub.token= 40with:inputs🛡️ Security Posture
redact_secrets)permissions:blocksgithub.event.*inrun:blockssecrets.*inrun:blockssecrets.*in joboutputs:🎯 Key Findings
Token cascade is universal — All 259 workflows use the three-tier fallback
GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN, providing consistent least-privilege token resolution.GitHub tokens dominate secret usage — 10,462 references (≈78% of all named secret refs) are GitHub authentication tokens. The remaining 22% covers AI/LLM API keys and observability credentials.
Observability secrets are heavily replicated — Sentry and Grafana endpoints/auth pairs account for 1,896 references combined across workflows, suggesting a shared telemetry injection pattern.
ANTHROPIC_API_KEY is the top AI key — 242 references, 3× more than OpenAI (81) and Codex (80), reflecting heavy reliance on Claude-family models.
echo secrets.*grep returned 3 false positives — All three are benign: one is a string literal in a release audit step, two are error-message templates in smoke tests advising users to configure the secret. No actual secret values are echoed.💡 Recommendations
Consider consolidating DD_APP_KEY / DD_APPLICATION_KEY — Both names appear with the same count (10), suggesting a naming inconsistency across workflows that could cause confusion or silent misconfiguration.
Review CONTEXT (2 refs) and OPENROUTER_API_KEY (1 ref) — Very low-usage secrets may be legacy or unused. Auditing them reduces the secret surface area.
Audit AZURE_ secrets (2 refs each)* — Only 2 usages per key suggests limited or experimental usage. Verify these are still needed or rotate/remove if not.
Monitor AI key diversification — With 10 distinct AI/LLM API key types, consider a secrets inventory policy to track key owners and rotation schedules.
🔑 Top 20 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYDD_APPLICATION_KEYDD_APP_KEYSENTRY_OPENAI_API_KEYSENTRY_ACCESS_TOKENGH_AW_CI_TRIGGER_TOKEN📂 Secret Categories Breakdown
github.token(inline)📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENGenerated: 2026-07-08T18:06:20Z
Workflow Run: §28964743409
Beta Was this translation helpful? Give feedback.
All reactions