Executive Summary

GitHub token-family secrets dominate usage: GITHUB_TOKEN (3,653), GH_AW_GITHUB_TOKEN (3,230), and GH_AW_GITHUB_MCP_SERVER_TOKEN (1,351) together account for 96% of all secret references.
Security Posture

| Control | Status | Coverage |
| --- | --- | --- |
| Secret Redaction Steps | ✅ Present | 246/246 (100%) |
| Permission Blocks | ✅ Present | 246/246 (100%) |
| Token Cascade Fallback | ✅ Present | 246/246 (100%) |
| Secrets in Job Outputs | ✅ None Found | 0 instances |
| Direct Template Injection (run: blocks) | ✅ None confirmed | 0 confirmed risks |
All 246 workflows use the 3-part token cascade pattern (GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN), providing 2,092 instances of proper fallback resilience.
Note on permissions: {}: All workflows declare permissions: {} (an empty block), which delegates to repository default permissions rather than specifying explicit least-privilege scopes. Consider moving to explicit permission scopes (e.g. contents: read) to enforce least privilege.
Key Findings

- Token Cascade Uniformity: 100% of workflows implement the MCP → custom PAT → GITHUB_TOKEN fallback chain, ensuring resilience to token unavailability.
- Universal Redaction: Every compiled workflow includes redact_secrets integration, preventing accidental secret leakage in logs.
- AI/LLM Key Footprint: 437 total AI provider secret references across 5 providers (Anthropic: 257, OpenAI: 79, Codex: 78, Gemini: 5, Others: 18). Anthropic dominates at 59% of AI key usage.
- Observability Telemetry: OTEL secret references total ~1,860 across Sentry (1,163), Grafana (697), and Datadog (25) integrations.
- False Positive Cleared: The initial scan flagged 5 files for github.event.* references in run: blocks. Deeper analysis confirmed these are all safe env: variable assignments, not direct shell interpolation.
Recommendations

- Adopt Explicit Permissions: Replace permissions: {} with specific scopes per workflow (e.g. contents: read, issues: write). This enforces least privilege and prevents accidental over-permissioning.
- Audit COPILOT_GITHUB_TOKEN: Used in 419 locations; validate whether all usages require this specialized token rather than the standard cascade.
- Review DD_* Keys: Datadog secrets (DD_API_KEY, DD_APPLICATION_KEY, DD_APP_KEY) appear in 25 references across separate keys; consider consolidating them, or confirm that the separate keys are intentional.
- Monitor AI Key Diversity: 5 different AI provider key types are in use. Establish a rotation schedule and monitor for unused providers.
Daily Secrets Analysis Report

Date: 2026-06-13
Workflow Files Analyzed: 246
Run: §27474603932
Top 15 Secrets by Usage

1. GITHUB_TOKEN
2. GH_AW_GITHUB_TOKEN
3. GH_AW_GITHUB_MCP_SERVER_TOKEN
4. GH_AW_OTEL_SENTRY_AUTHORIZATION
5. GH_AW_OTEL_SENTRY_ENDPOINT
6. GH_AW_OTEL_GRAFANA_AUTHORIZATION
7. COPILOT_GITHUB_TOKEN
8. ANTHROPIC_API_KEY
9. GH_AW_OTEL_GRAFANA_ENDPOINT
10. OPENAI_API_KEY
11. CODEX_API_KEY
12. GH_AW_CI_TRIGGER_TOKEN
13. GH_AW_SIDE_REPO_PAT
14. TAVILY_API_KEY
15. GH_AW_AGENT_TOKEN

AI/LLM Provider Breakdown

- ANTHROPIC_API_KEY
- OPENAI_API_KEY
- CODEX_API_KEY
- SENTRY_OPENAI_API_KEY
- FOUNDRY_OPENAI_ENDPOINT
- GEMINI_API_KEY
- FOUNDRY_API_KEY
- OPENROUTER_API_KEY

Observability Telemetry Breakdown

- GH_AW_OTEL_SENTRY_AUTHORIZATION
- GH_AW_OTEL_SENTRY_ENDPOINT
- GH_AW_OTEL_GRAFANA_AUTHORIZATION
- GH_AW_OTEL_GRAFANA_ENDPOINT
- DD_APP_KEY + DD_APPLICATION_KEY
- DD_API_KEY
- DD_SITE

External Integration Secrets

- TAVILY_API_KEY
- NOTION_API_TOKEN
- ANTIGRAVITY_API_KEY
- BRAVE_API_KEY
- SLACK_BOT_TOKEN

Azure / Cloud Provider Secrets

- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_TENANT_ID
- GRAFANA_SERVICE_ACCOUNT_TOKEN
- GRAFANA_URL

Reference Documentation

- scratchpad/secrets-yml.md
- actions/setup/js/redact_secrets.cjs

Generated: 2026-06-13T18:02:47Z
References: §27474603932