[daily secrets] Daily Secrets Analysis Report - 2026-03-10

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-03-10
Workflow Files Analyzed: 166
Run: §22921825804

📊 Executive Summary

Analysis of all 166 compiled workflow files (.lock.yml) shows a stable security posture with virtually no change from yesterday. One additional secrets.* reference line was detected (+1), while all security controls remain fully intact. All 166 workflows maintain 100% permission coverage and comprehensive token cascade fallback chains.

Metric	Today	Yesterday	Change
Workflow files	166	166	—
Secret reference lines	3,416	3,415	+1
GitHub token refs	508	508	—
Unique secret types	27	27	—
Safe-outputs coverage	159/166 (95.8%)	159/166 (95.8%)	—
Permission blocks	166/166 (100%)	166/166 (100%)	—

🛡️ Security Posture

✅ Permission Controls: 166/166 workflows (100%) have explicit permissions: blocks
✅ Redaction System: 166/166 workflows include redact_secrets step via actions/setup
✅ Safe-Outputs Coverage: 159/166 workflows (95.8%) use structured safe-output steps
✅ Token Cascades: 622 fallback chain instances across workflows
✅ No Secrets in Job Outputs: 0 occurrences detected
✅ No Template Injection in run: blocks: All github.event.* usages are safely scoped to env: blocks, if: conditions, and concurrency groups

🎯 Key Findings

1. Stable Baseline: Secret usage is nearly identical to the prior day. The +1 line delta is within normal variance and does not indicate a new integration or security concern.
2. Universal Token Cascades: All workflows use the 3-tier fallback GH_AW_GITHUB_MCP_SERVER_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN, providing resilient authentication.
3. Step-Level Scoping: All secret references are scoped to individual steps (not job-level), following GitHub's least-privilege recommendations.
4. Safe-Outputs Gap: 7 workflows lack a structured safe-outputs step — these are likely utility or testing workflows. No new additions to this group.

🔑 Top 10 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,939	GitHub Auth (built-in)
2	GH_AW_GITHUB_TOKEN	1,893	GitHub Auth (custom PAT)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	950	GitHub Auth (MCP server)
4	COPILOT_GITHUB_TOKEN	294	GitHub Auth (Copilot)
5	ANTHROPIC_API_KEY	160	AI API (Claude)
6	OPENAI_API_KEY	60	AI API (GPT)
7	CODEX_API_KEY	60	AI API (Codex)
8	GH_AW_CI_TRIGGER_TOKEN	39	GitHub Auth (CI)
9	GH_AW_SIDE_REPO_PAT	19	GitHub Auth (cross-repo)
10	TAVILY_API_KEY	15	API (web search)

Remaining 17 secrets (131 combined occurrences): GH_AW_PROJECT_GITHUB_TOKEN, NOTION_API_TOKEN, GH_AW_AGENT_TOKEN, GEMINI_API_KEY, BRAVE_API_KEY, DD_SITE, DD_APPLICATION_KEY, DD_API_KEY, SENTRY_OPENAI_API_KEY, SENTRY_ACCESS_TOKEN, CONTEXT, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, AZURE_CLIENT_ID, SLACK_BOT_TOKEN, GH_AW_BOT_DETECTION_TOKEN

Category Breakdown:

• GitHub Auth tokens: ~5,175 refs (91.6%)
• AI model API keys: 284 refs (5.0%)
• Specialized integrations (Datadog, Sentry, Slack, Notion, Azure, Brave, Tavily): 131 refs (2.3%)
• Other: 56 refs (1.0%)

📈 Trends (vs 2026-03-09)

• Secret reference lines: 3,415 → 3,416 (+1)
• GitHub token references: 508 → 508 (no change)
• Unique secret types: 27 → 27 (no change)
• New secret types: none
• Removed secret types: none
• Workflow count: 166 → 166 (no change)

Interpretation: The codebase is in a stable state. The +1 reference line is within normal compilation variance. No new secrets were introduced, no secrets were removed.

📖 Reference Documentation

• Specification: scratchpad/secrets-yml.md
• Redaction System: actions/setup/js/redact_secrets.cjs
• GitHub Docs: Encrypted Secrets

💡 Recommendations

1. Audit 7 workflows without safe-outputs: Confirm the 7 remaining workflows without structured safe-output steps are intentionally excluded (utility/testing workflows).
2. Document token hierarchy: Create guidance clarifying when to use each GitHub token type (GH_AW_GITHUB_MCP_SERVER_TOKEN vs GH_AW_GITHUB_TOKEN vs GITHUB_TOKEN).
3. Review GH_AW_CI_TRIGGER_TOKEN rotation: 39 workflows depend on this token; ensure a rotation policy is in place.

---

Generated: 2026-03-10T20:03:27Z
Workflow: Daily Secrets Monitor

References:

• §22921825804 — This workflow run
• §22872273414 — Yesterday's run

AI generated by Daily Secrets Analysis Agent · history

• expires on Mar 13, 2026, 8:07 PM UTC

[github-actions[bot]]

Closing this report from 2026-03-10 as it has been superseded by the 2026-03-12 daily secrets analysis report. See the latest report for current secret usage statistics and security posture.