[daily secrets] Secret Usage Analysis — 2026-07-11 #44999
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #45116. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-11
Workflow Files Analyzed: 256
Run: §29162449342
📊 Executive Summary
secrets.*Referencesgithub.tokenReferencesenvBlocksenvBlocks🛡️ Security Posture
✅ Redaction System: 256/256 workflows have
redact_secretssteps (100% coverage)✅ Token Cascades: 922 instances of
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKENfallback chains✅ Permission Blocks: 256 explicit
permissions:definitions (100% coverage)Template Injection Risk — Needs Review
Found 4,575 occurrences of
github.event.*references outside ofenv:blocks. These could represent expression injection risks if user-controlled event data flows into shell commands via inline expressions. Each instance should be verified to ensure data is passed via environment variables, not inline expressions.Secrets in Job Outputs
Found 33 potential cases where secrets appear in job outputs sections. On closer inspection these appear to be
secrets.GITHUB_TOKENpassed asgithub-token:action inputs (standard pattern). No critical exposure found.🎯 Key Findings
secrets.GITHUB_TOKEN(4,238) +secrets.GH_AW_GITHUB_TOKEN(3,618) together account for ~94% of all secret references — most secrets are authentication tokens, not sensitive data keys.💡 Recommendations
github.event.*usages outsideenv:blocks. Ensure all user-controlled data is passed via environment variables (not inline${{ }}expressions in shell). Runactionlintto surface unsafe expression uses.github-token:input patterns, not raw secret values exported as job outputs.🔑 Top 15 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEY🗂️ All Secret Types by Category
GitHub Auth:
GITHUB_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,COPILOT_GITHUB_TOKEN,GH_AW_CI_TRIGGER_TOKEN,GH_AW_SIDE_REPO_PAT,GH_AW_AGENT_TOKEN,GH_AW_PROJECT_GITHUB_TOKEN,AWI_MAINTENANCE_TOKENAI Providers:
ANTHROPIC_API_KEY,OPENAI_API_KEY,CODEX_API_KEY,GEMINI_API_KEY,FOUNDRY_API_KEY,FOUNDRY_OPENAI_ENDPOINT,OPENROUTER_API_KEY,BRAVE_API_KEY,ANTIGRAVITY_API_KEY,SENTRY_OPENAI_API_KEYObservability:
GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINT,GH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINT,GH_AW_OTEL_DATADOG_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINT,DD_API_KEY,DD_APPLICATION_KEY,DD_APP_KEY,DD_SITE,GRAFANA_SERVICE_ACCOUNT_TOKEN,GRAFANA_URL,SENTRY_ACCESS_TOKENOther:
NOTION_API_TOKEN,SLACK_BOT_TOKEN,TAVILY_API_KEY,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,CONTEXT📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: Sat Jul 11 17:56:12 UTC 2026
Workflow Run: §29162449342
Beta Was this translation helpful? Give feedback.
All reactions