[daily secrets] Secret Usage Analysis — 2026-05-31

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-05-31
Workflow Files Analyzed: 237
Run: §26720078572

📊 Executive Summary

Metric	Value
Total secrets.* references	6,297
github.token references	1,156
Unique secret types	37
Step-level secret usage	2,561

🛡️ Security Posture

✅ Redaction System: 237/237 workflows have redaction steps (100%)
✅ Token Cascades: 857 fallback chain instances (MCP_SERVER_TOKEN \|\| GH_AW_GITHUB_TOKEN \|\| GITHUB_TOKEN)
✅ Permission Blocks: 237 explicit permission definitions (100% coverage)
✅ Secrets in Job Outputs: None found
i️ github.event.* references: 4,211 (expected — workflows read event payloads for context)

🎯 Key Findings

1. Full redaction coverage: Every one of the 237 compiled workflows includes a redact_secrets step — the secret masking system is universally applied.
2. Token cascade pattern is pervasive: 857 cascade instances ensure workflows gracefully fall back from fine-grained MCP tokens to broader GitHub tokens, reducing credential blast radius.
3. OTEL observability secrets dominate mid-tier usage: GH_AW_OTEL_SENTRY_AUTHORIZATION (697), GH_AW_OTEL_SENTRY_ENDPOINT (466), GH_AW_OTEL_GRAFANA_AUTHORIZATION (464), and GH_AW_OTEL_GRAFANA_ENDPOINT (233) are consistently embedded in env blocks for telemetry — this is expected and architecturally consistent.
4. AI engine credentials present: ANTHROPIC_API_KEY (261), OPENAI_API_KEY (79), CODEX_API_KEY (78), GEMINI_API_KEY (5), and OPENROUTER_API_KEY (1) appear in engine-specific workflows only.
5. No secrets exposed in job outputs: The grep-based check found OTEL secrets in env value strings adjacent to outputs: YAML anchors — these are environment variable assignments, not output declarations. No actual secrets are passed through job outputs.

💡 Recommendations

1. Monitor GH_AW_CI_TRIGGER_TOKEN (58 uses): This token triggers CI pipelines — confirm it uses minimum necessary scopes and rotates on a schedule.
2. Audit GH_AW_SIDE_REPO_PAT (20 uses): Cross-repository PATs carry elevated risk; verify these workflows need cross-repo access and cannot use GITHUB_TOKEN.
3. Review niche secrets: ANTIGRAVITY_API_KEY (6), CONTEXT (2) — confirm these are still active integrations and not stale credentials.

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	3,154	GitHub Token
2	GH_AW_GITHUB_TOKEN	3,078	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,299	MCP Server Token
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	697	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	466	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	Observability
7	COPILOT_GITHUB_TOKEN	399	AI Engine
8	ANTHROPIC_API_KEY	261	AI Engine
9	GH_AW_OTEL_GRAFANA_ENDPOINT	233	Observability
10	OPENAI_API_KEY	79	AI Engine

📋 Full Secret Inventory (37 unique secrets)

Secret Name	Occurrences	Category
GITHUB_TOKEN	3,154	GitHub Token
GH_AW_GITHUB_TOKEN	3,078	GitHub Token
GH_AW_GITHUB_MCP_SERVER_TOKEN	1,299	MCP Server Token
GH_AW_OTEL_SENTRY_AUTHORIZATION	697	Observability
GH_AW_OTEL_SENTRY_ENDPOINT	466	Observability
GH_AW_OTEL_GRAFANA_AUTHORIZATION	464	Observability
COPILOT_GITHUB_TOKEN	399	AI Engine
ANTHROPIC_API_KEY	261	AI Engine
GH_AW_OTEL_GRAFANA_ENDPOINT	233	Observability
OPENAI_API_KEY	79	AI Engine
CODEX_API_KEY	78	AI Engine
GH_AW_CI_TRIGGER_TOKEN	58	CI Infrastructure
GH_AW_SIDE_REPO_PAT	20	Cross-Repo PAT
TAVILY_API_KEY	13	External Tool
GH_AW_AGENT_TOKEN	12	Agent Token
SENTRY_OPENAI_API_KEY	10	Observability
SENTRY_ACCESS_TOKEN	10	Observability
DD_APP_KEY	10	Observability
DD_APPLICATION_KEY	10	Observability
DD_API_KEY	8	Observability
GH_AW_PROJECT_GITHUB_TOKEN	7	GitHub Token
DD_SITE	7	Observability
NOTION_API_TOKEN	6	External Tool
GRAFANA_URL	6	Observability
GRAFANA_SERVICE_ACCOUNT_TOKEN	6	Observability
ANTIGRAVITY_API_KEY	6	External Tool
GEMINI_API_KEY	5	AI Engine
BRAVE_API_KEY	4	External Tool
GH_AW_OTEL_DATADOG_API_KEY	2	Observability
CONTEXT	2	Unknown
AZURE_TENANT_ID	2	Cloud Credentials
AZURE_CLIENT_SECRET	2	Cloud Credentials
AZURE_CLIENT_ID	2	Cloud Credentials
SLACK_BOT_TOKEN	1	Notification
OPENROUTER_API_KEY	1	AI Engine
GH_AW_OTEL_DATADOG_ENDPOINT	1	Observability

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

Generated: 2026-05-31T17:56:52Z
References: §26720078572

Generated by 🔒 Daily Secrets Analysis Agent · sonnet46 708K · ◷

• expires on Jun 3, 2026, 5:59 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #36312.