Secret usage analysis across 157 compiled workflow files (.lock.yml) in the github/gh-aw repository. All workflows have redaction enabled and explicit permission blocks — the repository demonstrates a strong security posture.
- ✅ Redaction: 157/157 workflows include `redact_secrets.cjs` — full coverage
- ✅ Permissions: 157/157 workflows define explicit `permissions:` blocks
- ✅ Token cascade: 594 instances of `GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN` fallback chains
- ✅ Secrets in outputs: 0 — no secrets leaked into job outputs
- ✅ Event data: `github.event.*` values routed through `env:` variables (safe pattern)
## Top 10 Secrets by Usage

| Rank | Secret Name | Occurrences | Category |
|------|-------------|-------------|----------|
| 1 | `GITHUB_TOKEN` | 1,827 | GitHub Token |
| 2 | `GH_AW_GITHUB_TOKEN` | 1,781 | GitHub Token |
| 3 | `GH_AW_GITHUB_MCP_SERVER_TOKEN` | 903 | MCP Server Token |
| 4 | `COPILOT_GITHUB_TOKEN` | 516 | Copilot Token |
| 5 | `ANTHROPIC_API_KEY` | 190 | AI Engine Key |
| 6 | `OPENAI_API_KEY` | 75 | AI Engine Key |
| 7 | `CODEX_API_KEY` | 75 | AI Engine Key |
| 8 | `TAVILY_API_KEY` | 15 | Tool Key |
| 9 | `NOTION_API_TOKEN` | 6 | Integration Token |
| 9 | `GH_AW_PROJECT_GITHUB_TOKEN` | 6 | GitHub Token |
## All 24 Unique Secret Types

| Secret Name | Occurrences | Category |
|-------------|-------------|----------|
| `GITHUB_TOKEN` | 1,827 | GitHub Token |
| `GH_AW_GITHUB_TOKEN` | 1,781 | GitHub Token |
| `GH_AW_GITHUB_MCP_SERVER_TOKEN` | 903 | MCP Server Token |
| `COPILOT_GITHUB_TOKEN` | 516 | Copilot Token |
| `ANTHROPIC_API_KEY` | 190 | AI Engine Key |
| `OPENAI_API_KEY` | 75 | AI Engine Key |
| `CODEX_API_KEY` | 75 | AI Engine Key |
| `TAVILY_API_KEY` | 15 | Tool Key |
| `NOTION_API_TOKEN` | 6 | Integration Token |
| `GH_AW_PROJECT_GITHUB_TOKEN` | 6 | GitHub Token |
| `GH_AW_AGENT_TOKEN` | 5 | GitHub Token |
| `GEMINI_API_KEY` | 5 | AI Engine Key |
| `BRAVE_API_KEY` | 4 | Tool Key |
| `DD_API_KEY` | 3 | Monitoring |
| `DD_APPLICATION_KEY` | 3 | Monitoring |
| `DD_SITE` | 3 | Monitoring |
| `SENTRY_OPENAI_API_KEY` | 2 | Monitoring |
| `SENTRY_ACCESS_TOKEN` | 2 | Monitoring |
| `CONTEXT7_API_KEY` | 2 | Tool Key |
| `AZURE_CLIENT_ID` | 2 | Azure Auth |
| `AZURE_CLIENT_SECRET` | 2 | Azure Auth |
| `AZURE_TENANT_ID` | 2 | Azure Auth |
| `SLACK_BOT_TOKEN` | 1 | Notification |
| `GH_AW_BOT_DETECTION_TOKEN` | 1 | GitHub Token |
## Key Findings

- **Token cascade pattern is dominant:** The three-way fallback chain (`GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN`) accounts for 594 instances, providing graceful degradation when specialized tokens are unavailable.
- **AI engine keys split evenly:** `OPENAI_API_KEY` and `CODEX_API_KEY` each have 75 occurrences, suggesting equivalent Codex/OpenAI engine coverage. `ANTHROPIC_API_KEY` (190) is the most-used AI key by a wide margin, reflecting Copilot/Claude engine predominance.
- **Monitoring secrets are rare:** Datadog (`DD_*`) and Sentry secrets appear in only 2–3 workflows each, consistent with targeted observability rather than broad instrumentation.
- **`github.token` separately tracked:** 400 `github.token` references (the implicit `GITHUB_TOKEN`) are tracked separately from the 1,827 explicit `secrets.GITHUB_TOKEN` references.
## Recommendations

- **Monitor `COPILOT_GITHUB_TOKEN` growth:** At 516 occurrences, this token is widely used. Ensure rotation policies are in place.
- **Azure credential inventory:** The 3 Azure secrets (`CLIENT_ID`, `CLIENT_SECRET`, `TENANT_ID`) appear in only 2 workflows each — verify these are still actively used and rotate if stale.
- **`SLACK_BOT_TOKEN` single use:** Only one workflow references this token. Confirm the integration is still needed.
Run: §22263340694 · Date: 2026-02-21

## Reference Documentation

- `scratchpad/secrets-yml.md`
- `actions/setup/js/redact_secrets.cjs`

Generated: 2026-02-21 19:59 UTC