[daily secrets] Daily Secrets Analysis Report — 2026-03-22

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-03-22
Workflow Files Analyzed: 177
Run: §23411263741

---

📊 Executive Summary

Metric	Value
Workflow files scanned	177
Total secrets.* references	3,663
github.token references	712
Unique named secret types	26
Workflows with redaction	177 / 177 (100%)
Workflows with permission blocks	177 / 177 (100%)
Token cascade fallback patterns	660
Secrets exposed in job outputs	0

---

🛡️ Security Posture

✅ Universal Redaction: All 177 workflows include redact_secrets.cjs — secrets are masked from logs before any agent output is processed.

✅ Full Permission Coverage: Every workflow declares explicit permissions: blocks — no implicit over-privileged tokens.

✅ Token Cascade Pattern: 660 instances of the 3-tier fallback chain (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN), enabling fine-grained token scoping while maintaining backwards compatibility.

✅ No Secrets in Outputs: Zero job output values expose secret references, preventing downstream secret leakage via needs.*.outputs.*.

✅ Env-Based Secret Injection: All secret values are passed through env: or with: parameters — never interpolated directly into shell run: blocks or prompt strings.

---

🎯 Key Findings

1. GitHub token dominance: GITHUB_TOKEN (2,100) and GH_AW_GITHUB_TOKEN (2,028) account for ~56% of all secret references, reflecting the platform-centric nature of these agentic workflows.

2. MCP server token adoption: GH_AW_GITHUB_MCP_SERVER_TOKEN appears 991 times across workflows — it has become a primary token for GitHub MCP server access, almost always via the cascade fallback.

3. AI engine diversification: The codebase supports 4 AI engines with distinct credentials:

   • Copilot (COPILOT_GITHUB_TOKEN): 79 workflows
   • Claude (ANTHROPIC_API_KEY): 40 workflows
   • Codex/OpenAI (CODEX_API_KEY / OPENAI_API_KEY): 18 workflows
   • Gemini (GEMINI_API_KEY): 1 workflow

4. Third-party integrations: Only 2 workflows use non-GitHub/AI secrets (Datadog in mcp-inspector, Notion in notion-issue-summary), keeping the third-party secret surface area minimal.

5. First run baseline: This is the inaugural daily secrets report — no prior data to compare against. This report establishes the baseline for future trend analysis.

---

💡 Recommendations

1. Track CONTEXT7_API_KEY explicitly: The CONTEXT7_API_KEY secret (2 references) was partially masked in extraction due to the numeric character in the name. Ensure this secret is explicitly included in the redaction list in redact_secrets.cjs.

2. Monitor GH_AW_PLUGINS_TOKEN: This token appears only once (in a cascade: GH_AW_PLUGINS_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN). Verify it's still intentional and not an orphaned reference.

3. Review GH_AW_SIDE_REPO_PAT scope: 17 references across workflows for cross-repository access — periodically verify the minimum required scopes are granted.

4. Establish trend alerting: Now that a baseline exists (3,663 secret refs, 26 types), alert if daily delta exceeds ±5% or if new secret types appear without code review.

---

🔑 Full Secret Inventory (26 named secrets)

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,100	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,028	GitHub PAT
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	991	GitHub PAT (MCP)
4	COPILOT_GITHUB_TOKEN	307	GitHub PAT (Copilot)
5	ANTHROPIC_API_KEY	160	AI Engine (Claude)
6	OPENAI_API_KEY	102	AI Engine (OpenAI)
7	CODEX_API_KEY	102	AI Engine (Codex)
8	GH_AW_CI_TRIGGER_TOKEN	42	CI Automation
9	GH_AW_SIDE_REPO_PAT	17	Cross-repo Access
10	TAVILY_API_KEY	15	Search API
11	NOTION_API_TOKEN	6	Third-party (Notion)
12	GH_AW_AGENT_TOKEN	6	Agent Auth
13	GH_AW_PROJECT_GITHUB_TOKEN	5	GitHub Projects
14	GEMINI_API_KEY	4	AI Engine (Gemini)
15	BRAVE_API_KEY	4	Search API
16	DD_SITE	3	Datadog
17	DD_APPLICATION_KEY	3	Datadog
18	DD_API_KEY	3	Datadog
19	SENTRY_OPENAI_API_KEY	2	Sentry
20	SENTRY_ACCESS_TOKEN	2	Sentry
21	CONTEXT7_API_KEY	2	Context7 MCP
22	AZURE_TENANT_ID	2	Azure
23	AZURE_CLIENT_SECRET	2	Azure
24	AZURE_CLIENT_ID	2	Azure
25	SLACK_BOT_TOKEN	1	Slack
26	GH_AW_PLUGINS_TOKEN	1	Plugins

📈 Workflow Density (Top 10 by Secret References)

Workflow	Secret References	Notable Secrets
mcp-inspector	52	Datadog, multi-engine
daily-news	37	Multi-provider
smoke-claude	33	Anthropic
smoke-copilot	32	Copilot
smoke-copilot-arm	30	Copilot (ARM)
deep-report	29	Multi-engine
smoke-project	28	Projects PAT
smoke-codex	28	Codex
release	28	Release tokens
unbloat-docs	27	Documentation

🤖 AI Engine Distribution

Engine	Workflows	Primary Secret
Copilot	79	COPILOT_GITHUB_TOKEN
Claude	40	ANTHROPIC_API_KEY
Codex / OpenAI	18	CODEX_API_KEY / OPENAI_API_KEY
Gemini	1	GEMINI_API_KEY

The remaining ~39 workflows use only GitHub tokens (no AI engine–specific API keys), typically for utility or CI workflows.

📖 Reference Documentation

• Secret specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs
• Token cascade pattern: defined in pkg/workflow/compiler_yaml.go

---

Generated: 2026-03-22 20:01 UTC
Workflow: daily-secrets.md

AI generated by Daily Secrets Analysis Agent · history

• expires on Mar 25, 2026, 8:03 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #22778.