[daily secrets] Daily Secrets Analysis Report - 2026-04-01

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-04-01
Workflow Files Analyzed: 179
Run: §23873650954

---

📊 Executive Summary

Metric	Value
Total secrets.* references	5,994
github.token references	728
Unique secret types	26
Workflows with redaction	179 / 179 (100%)
Workflows with permissions	179 / 179 (100%)
Token cascade patterns	179 workflows

All 179 workflows have both redaction steps and explicit permission blocks — a strong security baseline.

---

🛡️ Security Posture

✅ Redaction System: 179/179 workflows include redact_secrets steps
✅ Permission Blocks: 179/179 workflows define explicit permissions:
✅ Token Cascades: 179 workflows use MCP server token fallback chains
✅ No secrets in job outputs: 0 instances detected
✅ No direct event-body injection: 0 instances of github.event.comment.body / issue.body / pull_request.body directly interpolated in run: scripts
✅ No secrets in if: conditions: 0 instances

github.token is used in two safe patterns:

• GH_TOKEN: $\{\{ github.token }} env assignment — 232 instances
• git remote set-url authentication — 406 instances

---

🎯 Key Findings

1. Token concentration: GITHUB_TOKEN (2,133) and GH_AW_GITHUB_TOKEN (2,053) account for ~69% of all secret references, consistent with workflows that need repo read/write access.

2. MCP server token saturation: GH_AW_GITHUB_MCP_SERVER_TOKEN appears in all 179 workflows (1,001 total refs) via cascade patterns — high coverage indicates widespread GitHub MCP adoption.

3. Multi-AI provider support: 41 workflows use ANTHROPIC_API_KEY, 19 use OPENAI_API_KEY, 18 use CODEX_API_KEY, 1 uses GEMINI_API_KEY — reflecting engine diversity.

4. CONTEXT7_API_KEY: A new secret (CONTEXT7_API_KEY) appears in mcp-inspector.lock.yml — 2 references. Low usage may indicate a new or experimental integration.

5. Specialty secrets are narrowly scoped: Datadog (DD_*: 3 refs), Sentry (2 refs), Azure (AZURE_*: 2 refs each), Slack (1 ref), and Notion (6 refs) are highly targeted — good principle of least-privilege.

---

💡 Recommendations

1. Monitor CONTEXT7_API_KEY: Verify this secret is properly registered in repo settings and follows the naming convention for MCP tool secrets.
2. Audit COPILOT_GITHUB_TOKEN usage: 311 references across workflows — confirm this token's scope is limited to the minimum required permissions.
3. Review GH_AW_SIDE_REPO_PAT: 19 references suggest cross-repo access. Verify the scope of this PAT and whether it can be replaced with fine-grained tokens.

---

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	2,133	GitHub Token
2	GH_AW_GITHUB_TOKEN	2,053	GitHub PAT
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	1,001	MCP Server Token
4	COPILOT_GITHUB_TOKEN	311	Copilot Token
5	ANTHROPIC_API_KEY	164	AI Provider (Claude)
6	OPENAI_API_KEY	102	AI Provider (OpenAI)
7	CODEX_API_KEY	102	AI Provider (Codex)
8	GH_AW_CI_TRIGGER_TOKEN	42	CI Token
9	GH_AW_SIDE_REPO_PAT	19	Cross-Repo PAT
10	TAVILY_API_KEY	15	Web Search API

📋 Full Secret Inventory (26 types)

Secret Name	Occurrences	Category
GITHUB_TOKEN	2,133	GitHub Token
GH_AW_GITHUB_TOKEN	2,053	GitHub PAT
GH_AW_GITHUB_MCP_SERVER_TOKEN	1,001	MCP Server Token
COPILOT_GITHUB_TOKEN	311	Copilot Token
ANTHROPIC_API_KEY	164	AI Provider
OPENAI_API_KEY	102	AI Provider
CODEX_API_KEY	102	AI Provider
GH_AW_CI_TRIGGER_TOKEN	42	CI Token
GH_AW_SIDE_REPO_PAT	19	Cross-Repo PAT
TAVILY_API_KEY	15	Web Search
GH_AW_PROJECT_GITHUB_TOKEN	9	Project Token
NOTION_API_TOKEN	6	Integration
GH_AW_AGENT_TOKEN	6	Agent Token
GEMINI_API_KEY	4	AI Provider
BRAVE_API_KEY	4	Web Search
DD_SITE	3	Datadog
DD_APPLICATION_KEY	3	Datadog
DD_API_KEY	3	Datadog
SENTRY_OPENAI_API_KEY	2	Sentry/OpenAI
SENTRY_ACCESS_TOKEN	2	Sentry
CONTEXT7_API_KEY	2	MCP Tool (new)
AZURE_TENANT_ID	2	Azure
AZURE_CLIENT_SECRET	2	Azure
AZURE_CLIENT_ID	2	Azure
SLACK_BOT_TOKEN	1	Messaging
GH_AW_PLUGINS_TOKEN	1	Plugins

github.token (built-in): 728 additional refs (not counted above)

🤖 AI Provider Distribution

Provider	Secret	Workflows Using	Total Refs
Anthropic (Claude)	ANTHROPIC_API_KEY	41	164
OpenAI (GPT)	OPENAI_API_KEY	19	102
OpenAI (Codex)	CODEX_API_KEY	18	102
Google (Gemini)	GEMINI_API_KEY	1	4

Multi-provider coverage spans 79 of 179 workflows (44%).

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs

---

Generated: 2026-04-01T22:21 UTC
Workflow: Daily Secrets Analysis

AI generated by Daily Secrets Analysis Agent · history

• expires on Apr 4, 2026, 10:25 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #24183.