[daily secrets] Secrets Analysis Report – 2026-07-09 #44602
Closed
Replies: 1 comment
-
|
This discussion has been marked as outdated by Daily Secrets Analysis Agent. A newer discussion is available at Discussion #44808. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
🔐 Daily Secrets Analysis Report
Date: 2026-07-09
Workflow Files Analyzed: 256
Run: §29039847615
📊 Executive Summary
secrets.*referencesgithub.tokenreferences🛡️ Security Posture
redact_secrets.cjs)permissions:blocksoutputs:run:github.event.*routed viaenv:All
github.event.*expressions (4,573 lines) are passed throughenv:variables rather than interpolated directly intorun:shell scripts, which is the correct mitigation for expression injection.🎯 Key Findings
Perfect security control coverage: Every workflow (256/256) has both a
permissions:block and aredact_secretsstep — indicating consistent and systematic security scaffolding across the entire compiled workflow fleet.Token cascade pattern widely adopted: 922 instances of the three-tier fallback chain (
GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN) provide resilient authentication with least-privilege preference.AI API secret diversity is growing: 10 distinct AI provider secrets are in use (Anthropic, OpenAI, Codex, Gemini, Foundry, ANTIGRAVITY, Brave, Tavily, OpenRouter, Sentry-OpenAI), spanning 440+ total references.
ANTHROPIC_API_KEYleads at 242 references.secrets.cjspseudo-secret (false positive): 256 occurrences ofsecrets.cjsappear in the raw grep due to stringredact_secrets.cjsinrequire()calls — this is not a real secret reference. The actual unique secret types remain at 40 real secrets.Even job/step distribution: Secrets are almost equally split between job-level env (50.0%) and step-level env (49.9%), indicating consistent usage at both scopes without over-centralization.
💡 Recommendations
Audit low-use secrets for active need: Secrets like
OPENROUTER_API_KEY(1 use),SLACK_BOT_TOKEN(1 use), andCONTEXT(2 uses) should be verified as still needed. Low-usage secrets increase attack surface if orphaned.Monitor AI API key proliferation: With 10 AI providers now registered, consider a secret naming convention audit to ensure consistency (e.g.,
*_API_KEYpattern) and confirm all providers are still active.Review
SENTRY_ACCESS_TOKENvsSENTRY_OPENAI_API_KEY: Both have 10 references each. Verify there is no overlap or consolidation opportunity between the two Sentry-related credentials.Track
AZURE_CLIENT_SECRETcarefully: Azure service principal credentials (AZURE_CLIENT_ID,AZURE_CLIENT_SECRET,AZURE_TENANT_ID) each appear only 2 times — confirm these are in active use and have appropriate rotation schedules.🔑 Top 20 Secrets by Usage
GITHUB_TOKENGH_AW_GITHUB_TOKENGH_AW_GITHUB_MCP_SERVER_TOKENCOPILOT_GITHUB_TOKENGH_AW_OTEL_SENTRY_AUTHORIZATIONGH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATIONANTHROPIC_API_KEYGH_AW_OTEL_GRAFANA_ENDPOINTOPENAI_API_KEYCODEX_API_KEYGH_AW_CI_TRIGGER_TOKENGH_AW_SIDE_REPO_PATGH_AW_AGENT_TOKENTAVILY_API_KEYDD_APP_KEYDD_APPLICATION_KEYSENTRY_ACCESS_TOKENSENTRY_OPENAI_API_KEYDD_API_KEY🤖 AI Provider Secret Breakdown
ANTHROPIC_API_KEYOPENAI_API_KEYCODEX_API_KEYSENTRY_OPENAI_API_KEYTAVILY_API_KEYFOUNDRY_API_KEY,FOUNDRY_OPENAI_ENDPOINTANTIGRAVITY_API_KEYGEMINI_API_KEYBRAVE_API_KEYOPENROUTER_API_KEYTotal AI API references: 450
🔭 Observability Secret Breakdown
GH_AW_OTEL_SENTRY_AUTHORIZATION,GH_AW_OTEL_SENTRY_ENDPOINTGH_AW_OTEL_GRAFANA_AUTHORIZATION,GH_AW_OTEL_GRAFANA_ENDPOINTDD_API_KEY,DD_APP_KEY,DD_APPLICATION_KEY,DD_SITEGRAFANA_URL,GRAFANA_SERVICE_ACCOUNT_TOKENGH_AW_OTEL_DATADOG_API_KEY,GH_AW_OTEL_DATADOG_ENDPOINTSENTRY_ACCESS_TOKENTotal observability references: 1,924
📖 Reference Documentation
scratchpad/secrets-yml.mdactions/setup/js/redact_secrets.cjsGenerated: 2026-07-09 18:15 UTC
Workflow: §29039847615
Beta Was this translation helpful? Give feedback.
All reactions