[daily secrets] Daily Secrets Analysis — 2026-04-09

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-09
Workflow Files Analyzed: 187 .lock.yml files
Run: §24216234477

---

📊 Executive Summary

Metric	Value
Total secrets.* references	3,813 (+ 187 false positives from redact_secrets.cjs path)
github.token references	750
Unique secret types	30
Workflows analyzed	187

The repository maintains a strong security posture across all 187 compiled workflows, with 100% coverage of both redaction controls and explicit permission declarations.

---

🛡️ Security Posture

Control	Status	Coverage
Redaction steps	✅ All workflows	187/187 (100%)
permissions: blocks	✅ All workflows	187/187 (100%)
Token cascade fallback chains	✅ Present	702 instances
Secrets exposed in job outputs:	✅ None found	0
Template injection in run: blocks	✅ None found	0

Token Cascade Pattern: All workflows use the secure fallback chain secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN, ensuring minimal-privilege operation with 702 cascade instances covering all access patterns.

---

🎯 Key Findings

1. Universal Redaction Coverage: Every single workflow (187/187) includes the redact_secrets.cjs step, ensuring secrets are scrubbed from logs. This is exemplary coverage.

2. AI Engine Secret Diversity: 52 workflows use ANTHROPIC_API_KEY (Claude engine), 11 use OPENAI_API_KEY, and 11 use CODEX_API_KEY, reflecting the multi-engine architecture. This is expected and healthy.

3. False Positive in Grep (secrets.cjs): The regex pattern secrets\.[A-Z_a-z]* matched occurrences of redact_secrets.cjs as if cjs were a secret name. This is a benign artifact of the redaction module path — not a real secret.

4. github.event.* Pattern Count: The 2,364 matches for github.event. outside env: blocks are all legitimate — they appear in if: conditions and group: concurrency keys, not in inline run: scripts. Zero template injection risks were found.

5. Specialised Integrations: Azure (1 workflow), DataDog (1 workflow), and Sentry (2 workflows) secrets are tightly scoped, indicating minimal blast radius for third-party integrations.

---

💡 Recommendations

1. Maintain Universal Coverage: The 100% redaction and permissions coverage is excellent. Enforce this in CI to prevent any regression as new workflows are added.

2. Monitor 3rd-Party Key Growth: Anthropic usage (52 workflows) dominates. As the multi-engine portfolio grows, consider auditing quarterly that no API keys are leaked across workflow boundaries.

3. Review CONTEXT Secret (2 occurrences): This is an unusually generic name. Confirm it maps to a well-documented secret with clear ownership and expiry.

4. GH_AW_PLUGINS_TOKEN (1 occurrence): Low-usage tokens with single-workflow scope should be reviewed periodically to ensure they are still needed and properly rotated.

---

🔑 All Secrets by Usage (30 unique types)

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,191	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,107	GitHub Token (PAT)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,049	GitHub MCP Token
4	COPILOT_GITHUB_TOKEN	302	Copilot Auth
5	ANTHROPIC_API_KEY	208	AI Engine (Claude)
6	GH_AW_OTEL_ENDPOINT	159	Observability
7	OPENAI_API_KEY	60	AI Engine (OpenAI)
8	CODEX_API_KEY	60	AI Engine (Codex)
9	GH_AW_OTEL_HEADERS	53	Observability
10	GH_AW_CI_TRIGGER_TOKEN	43	CI Automation
11	GH_AW_SIDE_REPO_PAT	19	Cross-repo Access
12	TAVILY_API_KEY	13	Web Search Tool
13	GH_AW_AGENT_TOKEN	13	Agent Auth
14	GH_AW_PROJECT_GITHUB_TOKEN	7 (note: listed as 8 in raw data)	Project Board
15	NOTION_API_TOKEN	6	Notion Integration
16	GEMINI_API_KEY	4	AI Engine (Gemini)
17	BRAVE_API_KEY	4	Web Search Tool
18	DD_SITE	3	DataDog
19	DD_APPLICATION_KEY	3	DataDog
20	DD_API_KEY	3	DataDog
21	SENTRY_OPENAI_API_KEY	2	Sentry/OpenAI
22	SENTRY_API_KEY	2	Sentry
23	SENTRY_ACCESS_TOKEN	2	Sentry
24	CONTEXT	2	Unknown/Generic
25	AZURE_TENANT_ID	2	Azure
26	AZURE_CLIENT_SECRET	2	Azure
27	AZURE_CLIENT_ID	2	Azure
28	SLACK_BOT_TOKEN	1	Slack Notification
29	GH_AW_PLUGINS_TOKEN	1	Plugin Registry

Note: cjs (187 occurrences) is a false positive from redact_secrets.cjs path matching — not a real secret.

📈 Workflow Coverage by Secret Category

Category	Workflows
GitHub Token users	187 (all)
Copilot engine	187 (all)
Claude (Anthropic) engine	52
OpenAI engine	11
Codex engine	11
Observability (OTEL)	~30 (est.)
Third-party integrations (Azure/DD/Sentry)	≤4

📖 Reference Documentation

• Secrets specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs
• Workflow source: .github/workflows/*.lock.yml (187 compiled files)

---

Generated: 2026-04-09T22:23:52Z
Workflow: §24216234477

Generated by Daily Secrets Analysis Agent · ● 421.8K · ◷

• expires on Apr 12, 2026, 10:27 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #25714.