You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
β Redaction System: All 256 workflows include redact_secrets steps
β Token Cascades: 922 fallback chain instances (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)
β Permission Blocks: All 256 workflows define explicit permissions:
β Secrets in Outputs: No direct secret values exposed in job outputs
π― Key Findings
100% Redaction Coverage: Every compiled workflow includes the redact_secrets.cjs step β a strong baseline posture.
Token Cascade Adoption: 922 instances of the 3-tier fallback chain ensure minimal-privilege token selection is consistently applied.
High GITHUB_TOKEN Concentration: secrets.GITHUB_TOKEN (4,238 refs) and secrets.GH_AW_GITHUB_TOKEN (3,618 refs) together account for ~93% of all secret references, which is expected for a GitHub Actions automation platform.
AI Provider Keys Present: ANTHROPIC_API_KEY (242 refs), OPENAI_API_KEY (81 refs), CODEX_API_KEY (80 refs), and GEMINI_API_KEY (5 refs) are present β these are high-value secrets warranting key rotation policy review.
Observability Secrets: Sentry, Grafana, and Datadog credentials appear across many workflows; ensure these are scoped to write-only or minimal permissions.
π‘ Recommendations
AI Provider Key Rotation: Establish a quarterly rotation policy for ANTHROPIC_API_KEY, OPENAI_API_KEY, CODEX_API_KEY given their high usage and sensitivity.
Observability Credential Scoping: Audit GH_AW_OTEL_SENTRY_*, GH_AW_OTEL_GRAFANA_*, and DD_* credentials to confirm they use minimal-scope API tokens.
Third-Party API Keys: Review single-use keys (SLACK_BOT_TOKEN, OPENROUTER_API_KEY, NOTION_API_TOKEN) to confirm they are still needed and not dormant.
Azure Credentials: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID appear in only 2 workflows β verify they are correctly scoped to those workflows only.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
π Daily Secrets Analysis Report
Date: 2026-07-12
Workflow Files Analyzed: 256
Run: Β§29202875795
π Executive Summary
secrets.*referencesgithub.tokenreferencesπ‘οΈ Security Posture
β Redaction System: All 256 workflows include
redact_secretsstepsβ Token Cascades: 922 fallback chain instances (
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)β Permission Blocks: All 256 workflows define explicit
permissions:β Secrets in Outputs: No direct secret values exposed in job outputs
π― Key Findings
redact_secrets.cjsstep β a strong baseline posture.secrets.GITHUB_TOKEN(4,238 refs) andsecrets.GH_AW_GITHUB_TOKEN(3,618 refs) together account for ~93% of all secret references, which is expected for a GitHub Actions automation platform.ANTHROPIC_API_KEY(242 refs),OPENAI_API_KEY(81 refs),CODEX_API_KEY(80 refs), andGEMINI_API_KEY(5 refs) are present β these are high-value secrets warranting key rotation policy review.π‘ Recommendations
ANTHROPIC_API_KEY,OPENAI_API_KEY,CODEX_API_KEYgiven their high usage and sensitivity.GH_AW_OTEL_SENTRY_*,GH_AW_OTEL_GRAFANA_*, andDD_*credentials to confirm they use minimal-scope API tokens.SLACK_BOT_TOKEN,OPENROUTER_API_KEY,NOTION_API_TOKEN) to confirm they are still needed and not dormant.AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_IDappear in only 2 workflows β verify they are correctly scoped to those workflows only.π Top 15 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYπ All 40 Unique Secrets by Category
GitHub Tokens (6)
GITHUB_TOKEN,GH_AW_GITHUB_TOKEN,GH_AW_GITHUB_MCP_SERVER_TOKEN,COPILOT_GITHUB_TOKEN,GH_AW_PROJECT_GITHUB_TOKEN,GH_AW_SIDE_REPO_PATObservability (10)
GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINT,GH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINT,GH_AW_OTEL_DATADOG_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINT,DD_API_KEY,DD_APPLICATION_KEY,DD_APP_KEY,DD_SITEAI Providers (7)
ANTHROPIC_API_KEY,OPENAI_API_KEY,CODEX_API_KEY,GEMINI_API_KEY,OPENROUTER_API_KEY,SENTRY_OPENAI_API_KEY,FOUNDRY_API_KEYCI/CD & Automation (4)
GH_AW_CI_TRIGGER_TOKEN,GH_AW_AGENT_TOKEN,AWI_MAINTENANCE_TOKEN,CONTEXTThird-Party Services (8)
TAVILY_API_KEY,BRAVE_API_KEY,SLACK_BOT_TOKEN,NOTION_API_TOKEN,SENTRY_ACCESS_TOKEN,GRAFANA_SERVICE_ACCOUNT_TOKEN,GRAFANA_URL,ANTIGRAVITY_API_KEYCloud/Infrastructure (5)
AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID,FOUNDRY_OPENAI_ENDPOINT,CODEX_API_KEYπ Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjssecrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENGenerated: 2026-07-12T17:56 UTC
Workflow Run: Β§29202875795
Beta Was this translation helpful? Give feedback.
All reactions