[daily secrets] Daily Secrets Analysis Report – 2026-07-08 #44381
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #44602. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-08
Workflow Files Analyzed: 259
Run: §28964743409
📊 Executive Summary
secrets.*referencesgithub.tokenreferencesgithub.token= 40with:inputs🛡️ Security Posture
redact_secrets)permissions:blocksgithub.event.*inrun:blockssecrets.*inrun:blockssecrets.*in joboutputs:🎯 Key Findings
Token cascade is universal — All 259 workflows use the three-tier fallback
GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN, providing consistent least-privilege token resolution.GitHub tokens dominate secret usage — 10,462 references (≈78% of all named secret refs) are GitHub authentication tokens. The remaining 22% covers AI/LLM API keys and observability credentials.
Observability secrets are heavily replicated — Sentry and Grafana endpoints/auth pairs account for 1,896 references combined across workflows, suggesting a shared telemetry injection pattern.
ANTHROPIC_API_KEY is the top AI key — 242 references, 3× more than OpenAI (81) and Codex (80), reflecting heavy reliance on Claude-family models.
echo secrets.*grep returned 3 false positives — All three are benign: one is a string literal in a release audit step, two are error-message templates in smoke tests advising users to configure the secret. No actual secret values are echoed.💡 Recommendations
Consider consolidating DD_APP_KEY / DD_APPLICATION_KEY — Both names appear with the same count (10), suggesting a naming inconsistency across workflows that could cause confusion or silent misconfiguration.
Review CONTEXT (2 refs) and OPENROUTER_API_KEY (1 ref) — Very low-usage secrets may be legacy or unused. Auditing them reduces the secret surface area.
Audit AZURE_ secrets (2 refs each)* — Only 2 usages per key suggests limited or experimental usage. Verify these are still needed or rotate/remove if not.
Monitor AI key diversification — With 10 distinct AI/LLM API key types, consider a secrets inventory policy to track key owners and rotation schedules.
🔑 Top 20 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYDD_APPLICATION_KEYDD_APP_KEYSENTRY_OPENAI_API_KEYSENTRY_ACCESS_TOKENGH_AW_CI_TRIGGER_TOKEN📂 Secret Categories Breakdown
github.token(inline)📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKENGenerated: 2026-07-08T18:06:20Z
Workflow Run: §28964743409
Beta Was this translation helpful? Give feedback.
All reactions