🎯 Key Findings
Full redaction coverage: Every one of the 237 compiled workflows includes a redact_secrets step — the secret masking system is universally applied.
Token cascade pattern is pervasive: 857 cascade instances ensure workflows gracefully fall back from fine-grained MCP tokens to broader GitHub tokens, reducing credential blast radius.
OTEL observability secrets dominate mid-tier usage: GH_AW_OTEL_SENTRY_AUTHORIZATION (697), GH_AW_OTEL_SENTRY_ENDPOINT (466), GH_AW_OTEL_GRAFANA_AUTHORIZATION (464), and GH_AW_OTEL_GRAFANA_ENDPOINT (233) are consistently embedded in env blocks for telemetry — this is expected and architecturally consistent.
AI engine credentials present: ANTHROPIC_API_KEY (261), OPENAI_API_KEY (79), CODEX_API_KEY (78), GEMINI_API_KEY (5), and OPENROUTER_API_KEY (1) appear in engine-specific workflows only.
No secrets exposed in job outputs: The grep-based check found OTEL secrets in env value strings adjacent to outputs: YAML anchors — these are environment variable assignments, not output declarations. No actual secrets are passed through job outputs.
💡 Recommendations
Monitor GH_AW_CI_TRIGGER_TOKEN (58 uses): This token triggers CI pipelines — confirm it uses minimum necessary scopes and rotates on a schedule.
Audit GH_AW_SIDE_REPO_PAT (20 uses): Cross-repository PATs carry elevated risk; verify these workflows need cross-repo access and cannot use GITHUB_TOKEN.
Review niche secrets: ANTIGRAVITY_API_KEY (6), CONTEXT (2) — confirm these are still active integrations and not stale credentials.
🔐 Daily Secrets Analysis Report
Date: 2026-05-31
Workflow Files Analyzed: 237
Run: §26720078572
📊 Executive Summary
secrets.* references
github.token references
🛡️ Security Posture
✅ Redaction System: 237/237 workflows have redaction steps (100%)
✅ Token Cascades: 857 fallback chain instances (MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)
✅ Permission Blocks: 237 explicit permission definitions (100% coverage)
✅ Secrets in Job Outputs: None found
ℹ️ github.event.* references: 4,211 (expected — workflows read event payloads for context)
🔑 Top 10 Secrets by Usage
GITHUB_TOKEN
GH_AW_GITHUB_TOKEN
GH_AW_GITHUB_MCP_SERVER_TOKEN
GH_AW_OTEL_SENTRY_AUTHORIZATION
GH_AW_OTEL_SENTRY_ENDPOINT
GH_AW_OTEL_GRAFANA_AUTHORIZATION
COPILOT_GITHUB_TOKEN
ANTHROPIC_API_KEY
GH_AW_OTEL_GRAFANA_ENDPOINT
OPENAI_API_KEY
📋 Full Secret Inventory (37 unique secrets)
GITHUB_TOKEN
GH_AW_GITHUB_TOKEN
GH_AW_GITHUB_MCP_SERVER_TOKEN
GH_AW_OTEL_SENTRY_AUTHORIZATION
GH_AW_OTEL_SENTRY_ENDPOINT
GH_AW_OTEL_GRAFANA_AUTHORIZATION
COPILOT_GITHUB_TOKEN
ANTHROPIC_API_KEY
GH_AW_OTEL_GRAFANA_ENDPOINT
OPENAI_API_KEY
CODEX_API_KEY
GH_AW_CI_TRIGGER_TOKEN
GH_AW_SIDE_REPO_PAT
TAVILY_API_KEY
GH_AW_AGENT_TOKEN
SENTRY_OPENAI_API_KEY
SENTRY_ACCESS_TOKEN
DD_APP_KEY
DD_APPLICATION_KEY
DD_API_KEY
GH_AW_PROJECT_GITHUB_TOKEN
DD_SITE
NOTION_API_TOKEN
GRAFANA_URL
GRAFANA_SERVICE_ACCOUNT_TOKEN
ANTIGRAVITY_API_KEY
GEMINI_API_KEY
BRAVE_API_KEY
GH_AW_OTEL_DATADOG_API_KEY
CONTEXT
AZURE_TENANT_ID
AZURE_CLIENT_SECRET
AZURE_CLIENT_ID
SLACK_BOT_TOKEN
OPENROUTER_API_KEY
GH_AW_OTEL_DATADOG_ENDPOINT
📖 Reference Documentation
scratchpad/secrets-yml.md
actions/setup/js/redact_secrets.cjs
Generated: 2026-05-31T17:56:52Z
References: §26720078572