[daily secrets] Daily Secrets Analysis Report — 2026-02-19

[github-actions[bot]]

Overview

Scanned 153 compiled workflow files (.lock.yml) on February 19, 2026. Found 3,259 secrets.* references and 392 github.token references across 23 unique secret types. The security posture is excellent — all 153 workflows have redaction steps and explicit permission blocks in place.

Key Metrics

Metric	Value
Workflow Files Analyzed	153
Total secrets.* References	3,259
github.token References	392
Unique Secret Types	23
Workflows with Redaction	153 / 153 (100%)
Token Cascade Patterns	476
Explicit Permission Blocks	153 / 153 (100%)
Secrets Exposed in Outputs	0 ✅

Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,656	GitHub Auth
2	GH_AW_GITHUB_TOKEN	1,626	GitHub Auth
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	777	MCP Server Auth
4	COPILOT_GITHUB_TOKEN	511	GitHub Auth
5	ANTHROPIC_API_KEY	185	AI Engine
6	OPENAI_API_KEY	68	AI Engine
7	CODEX_API_KEY	68	AI Engine
8	TAVILY_API_KEY	15	Search Tool
9	NOTION_API_TOKEN	6	Integration
10	GH_AW_PROJECT_GITHUB_TOKEN	6	GitHub Auth

View All Secret Types (23 total)

Secret Name	Occurrences	Category
GITHUB_TOKEN	1,656	GitHub Auth
GH_AW_GITHUB_TOKEN	1,626	GitHub Auth
GH_AW_GITHUB_MCP_SERVER_TOKEN	777	MCP Server Auth
COPILOT_GITHUB_TOKEN	511	GitHub Auth
ANTHROPIC_API_KEY	185	AI Engine (Claude)
OPENAI_API_KEY	68	AI Engine (OpenAI)
CODEX_API_KEY	68	AI Engine (Codex)
TAVILY_API_KEY	15	Search Tool
NOTION_API_TOKEN	6	Integration
GH_AW_PROJECT_GITHUB_TOKEN	6	GitHub Auth
GH_AW_AGENT_TOKEN	4	GitHub Auth
BRAVE_API_KEY	4	Search Tool
DD_SITE	3	Monitoring (Datadog)
DD_APPLICATION_KEY	3	Monitoring (Datadog)
DD_API_KEY	3	Monitoring (Datadog)
SENTRY_OPENAI_API_KEY	2	Error Tracking
SENTRY_ACCESS_TOKEN	2	Error Tracking
AZURE_TENANT_ID	2	Azure Auth
AZURE_CLIENT_SECRET	2	Azure Auth
AZURE_CLIENT_ID	2	Azure Auth
SLACK_BOT_TOKEN	1	Notification
GH_AW_BOT_DETECTION_TOKEN	1	Bot Detection
CONTEXT	2	Custom

🛡️ Security Posture

Protection Mechanisms

✅ Redaction System: 153/153 workflows have redact_secrets steps (100% coverage)
✅ Token Cascade Pattern: 476 instances of GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN fallback chains
✅ Explicit Permissions: 153/153 workflows define permissions: blocks (100% coverage)
✅ No Secrets in Outputs: 0 secret references found in job output declarations

Security Checks

Check	Result	Details
Secrets exposed in job outputs	✅ Clean	0 instances found
Redaction coverage	✅ 100%	All 153 workflows protected
Permission definitions	✅ 100%	All 153 workflows define permissions
Token cascade fallbacks	✅ Present	476 fallback chain instances

View Token Distribution Analysis

The token cascade pattern GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN is the dominant auth pattern, appearing 476 times. This ensures graceful fallback across token types:

1. MCP-specific token (GH_AW_GITHUB_MCP_SERVER_TOKEN) — 777 refs — preferred when available for MCP server access
2. Primary workflow token (GH_AW_GITHUB_TOKEN) — 1,626 refs — standard token for most operations
3. Default GitHub token (GITHUB_TOKEN) — 1,656 refs — always-available fallback

AI Engine Token Distribution:

• Anthropic (Claude): 185 references
• OpenAI/Codex: 68 + 68 = 136 references
• Copilot-specific: 511 references

🎯 Key Findings

1. GitHub auth tokens dominate — GitHub authentication tokens (GITHUB_TOKEN, GH_AW_GITHUB_TOKEN, GH_AW_GITHUB_MCP_SERVER_TOKEN, COPILOT_GITHUB_TOKEN) account for 4,570 of ~3,651 total references, confirming the primary use-case is GitHub operations via MCP and direct API.

2. Multi-engine coverage — Secrets for three distinct AI engines (Anthropic, OpenAI/Codex, Copilot) are present, reflecting the multi-engine architecture. No single engine monopolizes the credential surface.

3. Perfect security hygiene — 100% redaction and 100% permission block coverage across all 153 workflows is an excellent baseline. The zero-secrets-in-outputs finding confirms workflows don't accidentally leak credentials to downstream jobs.

4. Niche integrations present — Monitoring (Datadog × 3), error tracking (Sentry × 2), Azure auth (× 2), Slack (× 1), and Notion (× 6) represent a small but real expansion of the credential surface beyond GitHub and AI engines.

💡 Recommendations

1. Monitor CONTEXT secret — The CONTEXT secret name (2 occurrences) is non-descriptive. Consider auditing these workflows to verify this is intentional naming and not a leftover placeholder.

2. Review Azure credential scope — 2 workflows use Azure credentials (AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_CLIENT_ID). Ensure these are scoped to minimum required permissions and reviewed periodically.

3. Consider GH_AW_AGENT_TOKEN documentation — With only 4 references, this token's purpose may not be obvious. Adding documentation to the secrets spec would help future maintainers understand its role vs. GH_AW_GITHUB_TOKEN.

4. Maintain 100% redaction coverage — The current perfect coverage is a high bar to maintain as new workflows are added. Consider adding a CI check that verifies every .lock.yml contains a redaction step.

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs

References: §22197963734

AI generated by Daily Secrets Analysis Agent

• expires on Feb 22, 2026, 8:06 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-02-22T20:06:34.761Z.

Closed by Workflow