[daily secrets] Daily Secrets Analysis — 2026-04-03

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-03
Workflow Files Analyzed: 183
Run: §23964232811

---

📊 Executive Summary

Metric	Value
Total secrets.* references	3,581
github.token references	748
Unique secret types	27 (+ 1 false positive)
Workflows with secrets	183 / 183 (100%)
Avg unique secret types per workflow	4.3

All 183 compiled workflows carry the full security stack: redaction, permission blocks, and github.token usage — no gaps detected.

---

🛡️ Security Posture

Control	Status	Count
Redaction steps (redact_secrets.cjs)	✅ All	183 / 183 (100%)
Explicit permissions: blocks	✅ All	183
Token cascade fallback chains	✅ Present	689 instances
Secrets in job outputs:	✅ Clean	0
github.event.* in if:/env: contexts	✅ Expected	2,285 (all structured)

The 2,285 github.event.* references outside bare env: keys are not injection risks — they appear exclusively in:

• group: (concurrency) — safe metadata
• if: conditions — conditional evaluation, not script interpolation
• Structured GH_AW_GITHUB_EVENT_* env var assignments
• ref: checkout pinning

---

🎯 Key Findings

1. Full coverage of security controls: Every one of the 183 workflows has a redact_secrets.cjs step, an explicit permissions block, and github.token usage — a strong baseline.
2. Token cascade pattern is widespread: 689 instances of the 3-level fallback (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) ensure graceful degradation across permission tiers.
3. AI engine diversity: 5 AI engines have dedicated secrets — Copilot (80 workflows), Claude/Anthropic (41), OpenAI (18), Codex (18), Gemini (1) — reflecting the multi-engine architecture.
4. Third-party integrations are narrow and bounded: Only 14 workflows use non-GitHub/non-AI secrets (Slack, Notion, Brave, Tavily, Datadog, Sentry, Azure) — no sprawl detected.
5. secrets.cjs false positive: The unique-name scan picked up redact_secrets.cjs file path references as a "secret named cjs". This is noise — 183 occurrences from the redaction step itself.

---

💡 Recommendations

1. Document the Gemini workflow: Only 1 workflow uses GEMINI_API_KEY. Verify it is intentional and not a stale experiment.
2. Review GH_AW_PLUGINS_TOKEN (1 workflow): Single-use secrets are high-risk if forgotten. Confirm the token is still needed and rotated regularly.
3. Monitor Azure credentials: 3 secrets (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) appear in only 1 workflow each. Validate necessity and access scope.

---

🔑 Full Secret Inventory (by usage)

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,981	GitHub Built-in
2	GH_AW_GITHUB_TOKEN	1,889	GitHub PAT
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,029	GitHub MCP
4	COPILOT_GITHUB_TOKEN	312	AI Engine
5	ANTHROPIC_API_KEY	164	AI Engine (Claude)
6	OPENAI_API_KEY	102	AI Engine (OpenAI)
7	CODEX_API_KEY	102	AI Engine (Codex)
8	GH_AW_CI_TRIGGER_TOKEN	42	CI Infrastructure
9	GH_AW_SIDE_REPO_PAT	19	GitHub PAT
10	TAVILY_API_KEY	15	Search Tool
11	GH_AW_PROJECT_GITHUB_TOKEN	7	GitHub PAT
12	NOTION_API_TOKEN	6	Third-Party
13	GH_AW_AGENT_TOKEN	6	Agent Infrastructure
14	GEMINI_API_KEY	4	AI Engine (Gemini)
15	BRAVE_API_KEY	4	Search Tool
16	DD_SITE	3	Observability
17	DD_APPLICATION_KEY	3	Observability
18	DD_API_KEY	3	Observability
19	SENTRY_OPENAI_API_KEY	2	Observability
20	SENTRY_ACCESS_TOKEN	2	Observability
21	CONTEXT	2	Custom
22	AZURE_TENANT_ID	2	Cloud (Azure)
23	AZURE_CLIENT_SECRET	2	Cloud (Azure)
24	AZURE_CLIENT_ID	2	Cloud (Azure)
25	SLACK_BOT_TOKEN	1	Messaging
26	GH_AW_PLUGINS_TOKEN	1	Plugin Infrastructure

🤖 AI Engine Adoption (by workflow count)

Engine	Secret	Workflows Using
GitHub Copilot	COPILOT_GITHUB_TOKEN	80
Anthropic Claude	ANTHROPIC_API_KEY	41
OpenAI	OPENAI_API_KEY	18
Codex	CODEX_API_KEY	18
Google Gemini	GEMINI_API_KEY	1

📖 Reference Documentation

• Redaction System: actions/setup/js/redact_secrets.cjs
• Token cascade pattern: GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN
• Secrets specification: scratchpad/secrets-yml.md

---

Generated: 2026-04-03 22:18 UTC
Workflow: §23964232811

Generated by Daily Secrets Analysis Agent · ● 380.1K · ◷

• expires on Apr 6, 2026, 10:20 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #24595.