[daily secrets] Secret Usage Report — 2026-06-01

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-06-01
Workflow Files Analyzed: 236
Run: §26776730136

---

📊 Executive Summary

Metric	Value
Total secrets.* References	6,272
github.token References	1,149
Unique Secret Types	38
Workflows with Redaction	236 / 236 (100%)
Token Cascade Instances	854
Explicit Permission Blocks	236 / 236 (100%)

---

🛡️ Security Posture

✅ Redaction System: All 236 workflows have redact_secrets steps — full coverage
✅ Token Cascades: 854 fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN) present
✅ Permission Blocks: All 236 workflows have explicit permissions: definitions
✅ No Template Injection in run: steps: 0 direct github.event.* interpolations found in shell steps
✅ No Secrets in Job Outputs: The 42 grep hits are env-block references near job output declarations, not actual secret values piped into outputs

---

🎯 Key Findings

1. Comprehensive Token Cascade Pattern: The 3-tier fallback (GH_AW_GITHUB_MCP_SERVER_TOKEN → GH_AW_GITHUB_TOKEN → GITHUB_TOKEN) with 854 instances ensures workflows degrade gracefully across permission levels.
2. OTEL Observability Stack Dominates Secret Usage: GH_AW_OTEL_SENTRY_AUTHORIZATION (694), GH_AW_OTEL_SENTRY_ENDPOINT (464), GH_AW_OTEL_GRAFANA_AUTHORIZATION (462), and GH_AW_OTEL_GRAFANA_ENDPOINT (232) together account for ~30% of all secret references — consistent with telemetry instrumentation across all workflows.
3. AI Engine Secrets Present: ANTHROPIC_API_KEY (257), OPENAI_API_KEY (79), CODEX_API_KEY (78), GEMINI_API_KEY (5), OPENROUTER_API_KEY (1) — multi-engine support is reflected in secret distribution.
4. Anomaly — cjs (236 hits): secrets.cjs appears as a false positive from the grep pattern matching file extensions in glob paths. Not a real secret type.
5. Minor Third-party Secrets: DD_API_KEY/DD_APP_KEY (18 combined), NOTION_API_TOKEN (6), BRAVE_API_KEY (4), ANTIGRAVITY_API_KEY (6), SLACK_BOT_TOKEN (1) — low usage, likely feature-specific workflows.

---

💡 Recommendations

1. Clean Up False Positive Grep Pattern: The secrets.cjs (236 hits) is a grep artifact. The secret name regex should exclude lowercase and file-extension-like names — consider tightening to secrets\.[A-Z][A-Z0-9_]+ in future scans.
2. Monitor Rare Secrets: SLACK_BOT_TOKEN (1), OPENROUTER_API_KEY (1), GH_AW_OTEL_DATADOG_ENDPOINT (1) — single-use secrets should be audited periodically to confirm they are still needed.
3. Azure Credentials: AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_CLIENT_ID (2 each) — low but present. Verify these are scoped to minimum required Azure permissions.

---

🔑 Top 20 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	3,143	GitHub Auth
2	GH_AW_GITHUB_TOKEN	3,066	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,294	GitHub Auth
4	GH_AW_OTEL_SENTRY_AUTHORIZATION	694	Observability
5	GH_AW_OTEL_SENTRY_ENDPOINT	464	Observability
6	GH_AW_OTEL_GRAFANA_AUTHORIZATION	462	Observability
7	COPILOT_GITHUB_TOKEN	399	GitHub Auth
8	ANTHROPIC_API_KEY	257	AI Engine
9	GH_AW_OTEL_GRAFANA_ENDPOINT	232	Observability
10	OPENAI_API_KEY	79	AI Engine
11	CODEX_API_KEY	78	AI Engine
12	GH_AW_CI_TRIGGER_TOKEN	58	CI/CD
13	GH_AW_SIDE_REPO_PAT	20	GitHub Auth
14	TAVILY_API_KEY	13	External Tool
15	GH_AW_AGENT_TOKEN	12	GitHub Auth
16	SENTRY_OPENAI_API_KEY	10	Observability
17	SENTRY_ACCESS_TOKEN	10	Observability
18	DD_APP_KEY	10	Observability
19	DD_APPLICATION_KEY	10	Observability
20	GH_AW_PROJECT_GITHUB_TOKEN	8	GitHub Auth

📖 Reference Documentation

• Secrets specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-06-01 19:25 UTC
Workflow: §26776730136

Generated by 🔒 Daily Secrets Analysis Agent · sonnet46 901K · ◷

• expires on Jun 4, 2026, 7:28 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #36508.