[daily secrets] Secret Usage Analysis - February 10, 2026

[github-actions[bot]]

📊 Executive Summary

Analyzed 148 compiled workflow files for secret usage patterns and security controls.

Key Metrics:

• Total Secret References: 4,983 (3,271 secrets.* + 440 github.token + rest in expressions)
• Unique Secret Types: 23 distinct secrets
• Security Coverage: 100% (148/148 workflows have redaction + permissions)
• Token Cascades: 609 fallback chains for resilience

🔑 Secret Usage by Category

GitHub Access Tokens (3,959 refs - 79.5%)

Secret Name	Count	Purpose
GITHUB_TOKEN	1,675	Default workflow token
GH_AW_GITHUB_TOKEN	1,511	Enhanced permissions token
GH_AW_GITHUB_MCP_SERVER_TOKEN	754	MCP server authentication
COPILOT_GITHUB_TOKEN	491	GitHub Copilot integration
GH_AW_PROJECT_GITHUB_TOKEN	11	Project board access
GH_AW_AGENT_TOKEN	6	Agent-specific operations

AI Service Tokens (481 refs - 9.7%)

Service	Secrets	Total Refs
Anthropic Claude	ANTHROPIC_API_KEY, CLAUDE_CODE_OAUTH_TOKEN	350
OpenAI/Codex	OPENAI_API_KEY, CODEX_API_KEY, SENTRY_OPENAI_API_KEY	131

Third-Party Services (53 refs - 1.1%)

View All Third-Party Secrets

Service	Secret	Count
Tavily Search	TAVILY_API_KEY	15
Notion	NOTION_API_TOKEN	8
Datadog	DD_SITE, DD_API_KEY, DD_APPLICATION_KEY	9
Azure	AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID	9
Brave Search	BRAVE_API_KEY	6
Context7	CONTEXT7_API_KEY	3
Sentry	SENTRY_ACCESS_TOKEN	3
Slack	SLACK_BOT_TOKEN	1

🛡️ Security Posture Analysis

✅ Protection Mechanisms (100% Coverage)

Security Control	Coverage	Status
Redaction Steps	148/148 (100%)	✅ Full coverage
Permission Blocks	148/148 (100%)	✅ All workflows scoped
Token Cascades	609 instances	✅ Resilient fallbacks
Secrets in Outputs	0 detected	✅ No exposure risk

Token Cascade Pattern (609 uses):

env:
  GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}

This pattern ensures workflows continue functioning even if specific tokens are unavailable.

⚠️ Findings Requiring Attention

Template Injection Analysis

Finding: 1,925 instances of github.event.* expressions detected across workflows.

Context: These are primarily in safe-inputs/safe-outputs sanitization steps where github.event data is explicitly sanitized before use. Most are legitimate patterns like:

• github.event.discussion.number
• github.event.issue.number
• github.event.pull_request.number

Risk Assessment: LOW - These expressions are used in controlled contexts with sanitization layers.

Recommendation: Continue monitoring; no immediate action required.

📈 Distribution Analysis

Secret References by Context:

• Step-level usage: 192 explicit env declarations
• Expression interpolation: 4,791 inline references
• Job-level usage: Minimal (most secrets passed per-step)

Top 5 Most-Used Secrets:

1. GITHUB_TOKEN - 1,675 (33.6%)
2. GH_AW_GITHUB_TOKEN - 1,511 (30.3%)
3. GH_AW_GITHUB_MCP_SERVER_TOKEN - 754 (15.1%)
4. COPILOT_GITHUB_TOKEN - 491 (9.9%)
5. CLAUDE_CODE_OAUTH_TOKEN - 175 (3.5%)

🎯 Key Findings

1. Excellent Security Hygiene: 100% of workflows implement redaction and permission controls
2. Token Resilience: 609 cascade patterns ensure graceful degradation
3. No Secret Leakage: Zero instances of secrets exposed in job outputs
4. Diverse Secret Portfolio: 23 unique secrets supporting GitHub, AI services, and integrations
5. GitHub-Centric: 79.5% of all secret references are GitHub tokens (expected for GitHub Actions)

💡 Recommendations

1. Monitor Token Cascade Usage: With 609 instances, ensure fallback tokens remain valid and properly scoped
2. Track AI Service Costs: 481 AI service token references suggest significant API usage - monitor for cost optimization
3. Document Third-Party Integrations: 8 external services require secret management - maintain up-to-date documentation
4. Regular Secret Rotation: Implement rotation schedules for long-lived tokens (especially MCP server tokens)
5. Safe-Inputs Adoption: Consider enabling safe-inputs feature for additional input sanitization (currently 0/148 workflows)

📖 Reference Documentation

Secret Management:

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

Token Cascades:

• Pattern ensures workflows function with available tokens
• Fallback order: Specific → General → Default
• Implementation in all 148 workflows

---

Generated: 2026-02-10 18:38 UTC
Workflow Run: §21877692794
Analyzed Files: 148 .lock.yml workflows

AI generated by Daily Secrets Analysis Agent

• expires on Feb 13, 2026, 6:40 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-13T18:40:07.932Z.

Closed by Workflow