[daily secrets] Daily Secrets Analysis - February 1, 2026

[github-actions[bot]]

Date: February 1, 2026
Workflow Files Analyzed: 147
Run: §21560684618

📊 Executive Summary

• Total Secret References: 3,108 (secrets.*)
• GitHub Token References: 299 (github.token)
• Unique Secret Types: 24
• Step-Level Usage: 1,804 (58% of secret references)
• Redaction Coverage: 147/147 workflows (100%)

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,510	GitHub Token
2	GH_AW_GITHUB_TOKEN	1,325	GitHub Token
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	728	GitHub MCP Token
4	COPILOT_GITHUB_TOKEN	485	GitHub Token
5	CLAUDE_CODE_OAUTH_TOKEN	175	OAuth Token
6	ANTHROPIC_API_KEY	175	API Key
7	OPENAI_API_KEY	64	API Key
8	CODEX_API_KEY	64	API Key
9	TAVILY_API_KEY	19	API Key
10	GH_AW_AGENT_TOKEN	13	GitHub Token

View All 24 Secret Types

Secret Name	Occurrences
GITHUB_TOKEN	1,510
GH_AW_GITHUB_TOKEN	1,325
GH_AW_GITHUB_MCP_SERVER_TOKEN	728
COPILOT_GITHUB_TOKEN	485
CLAUDE_CODE_OAUTH_TOKEN	175
ANTHROPIC_API_KEY	175
OPENAI_API_KEY	64
CODEX_API_KEY	64
TAVILY_API_KEY	19
GH_AW_AGENT_TOKEN	13
APP_PRIVATE_KEY	10
NOTION_API_TOKEN	8
GH_AW_PROJECT_GITHUB_TOKEN	8
BRAVE_API_KEY	6
SENTRY_OPENAI_API_KEY	3
SENTRY_ACCESS_TOKEN	3
DD_SITE	3
DD_APPLICATION_KEY	3
DD_API_KEY	3
CONTEXT7_API_KEY	3
AZURE_TENANT_ID	3
AZURE_CLIENT_SECRET	3
AZURE_CLIENT_ID	3
SLACK_BOT_TOKEN	1

🛡️ Security Posture

Protection Mechanisms

✅ Universal Redaction: 147/147 workflows (100%) have redaction steps
✅ Token Cascades: 437 instances of fallback chains (GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)
✅ Permission Blocks: 147 workflows have explicit permission definitions
✅ No Hardcoded Credentials: 0 potential hardcoded tokens detected
✅ No Secrets in Outputs: 0 instances of secrets exposed in job outputs

Security Checks

Template Injection Analysis

Status: ⚠️ Requires Attention

• github.event References: 1,770 instances found
• Safe-Inputs Protection: Only 9/147 workflows (6%) use safe-inputs feature
• Risk Level: Medium - Most workflows rely on expression interpolation without safe-inputs

Sample Usage Patterns:

DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GH_AW_GITHUB_EVENT_COMMENT_ID: ${{ github.event.comment.id }}
GH_AW_GITHUB_EVENT_DISCUSSION_NUMBER: ${{ github.event.discussion.number }}
GH_AW_GITHUB_EVENT_ISSUE_NUMBER: ${{ github.event.issue.number }}

Recommendation: Most workflows use safe metadata fields (repository, issue numbers, etc.) which have low injection risk. However, consider expanding safe-inputs feature adoption for workflows handling user-controlled text (titles, bodies, comments).

📈 Secret Distribution by Workflow Type

Workflow Category	Secret References
Daily/Scheduled Workflows	560 (18%)
Issue Workflows	80 (3%)
CI/CD Workflows	64 (2%)
Agent Workflows	42 (1%)
PR Workflows	38 (1%)
Other Workflows	2,324 (75%)

Analysis: The majority of secret usage (75%) is distributed across various workflow types. Daily/scheduled workflows account for 18% of usage, likely due to automated monitoring and analysis tasks.

🎯 Key Findings

1. Strong Security Baseline: 100% redaction coverage across all workflows demonstrates excellent secret hygiene
2. Token Cascade Pattern: 437 instances of fallback chains provide robust authentication resilience
3. Low Safe-Inputs Adoption: Only 6% of workflows use safe-inputs feature, though most github.event usage appears to be for safe metadata fields
4. GitHub Token Dominance: 4,048/3,108 references (>100% because github.token counted separately) are GitHub authentication tokens, showing heavy GitHub API integration
5. Diverse Secret Portfolio: 24 unique secret types supporting various integrations (GitHub, Anthropic, OpenAI, Azure, Datadog, etc.)

💡 Recommendations

1. Monitor Safe-Inputs Adoption: Track adoption of the safe-inputs feature in workflows that process user-generated content (issue/PR/discussion bodies and comments)
2. Audit github.event Usage: Review the 1,770 github.event references to identify any instances using user-controlled fields without safe-inputs protection
3. Secret Type Audit: Consider consolidating or documenting the 24 different secret types to ensure each serves a clear purpose
4. Token Cascade Standardization: Document the token cascade pattern as a best practice for other repositories

📖 Reference Documentation

For detailed information about secret usage patterns and security mechanisms:

• Secrets Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• Safe-Inputs Feature: Workflow frontmatter safe-inputs configuration

---

Generated: 2026-02-01T09:46:01Z
Next Analysis: Daily at 00:00 UTC

AI generated by Daily Secrets Analysis Agent

• expires on Feb 4, 2026, 9:49 AM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-04T09:49:16.163Z.