[daily secrets] Daily Secrets Analysis — 2026-03-12

[github-actions[bot]]

🔐 Daily Secrets Analysis Report

Date: 2026-03-12
Workflow Files Analyzed: 167
Run: §23021352053

---

📊 Executive Summary

Metric	Value
Total secrets.* references	3,267 (excl. 171 false positives from .cjs paths)
github.token references	510
Unique secret types	27
Token cascade patterns	626
Workflows analyzed	167

AI engine distribution: Copilot (115 wf) · Anthropic/Claude (40 wf) · OpenAI (12 wf) · Codex (11 wf) · Gemini (1 wf)

---

🛡️ Security Posture

Control	Status	Coverage
Redaction system (redact_secrets.cjs)	✅ Active	167/167 (100%)
Explicit permissions: blocks	✅ Active	167/167 (100%)
Token cascade fallback chains	✅ Active	626 instances
Secrets exposed in job outputs:	✅ None	0 findings
Shell injection (event body in run:)	✅ None	0 findings

Event body in if: conditions: 126 instances of github.event.comment.body, issue.body, and pull_request.body used in if: conditions for slash-command detection. These are safe — if: expressions are evaluated as GitHub Actions expressions, not shell commands.

---

🎯 Key Findings

1. 100% security control coverage: Every workflow has explicit permissions, active secret redaction, and uses the token cascade pattern — a strong security baseline.
2. Token cascade dominance: The top-3 secrets (GITHUB_TOKEN 1,951 · GH_AW_GITHUB_TOKEN 1,904 · GH_AW_GITHUB_MCP_SERVER_TOKEN 956) all participate in the || fallback chain, ensuring least-privilege token selection at runtime.
3. Multi-engine secret footprint: 40 workflows carry ANTHROPIC_API_KEY (largest AI engine group outside Copilot), plus 12 OpenAI and 11 Codex workflows. These keys should be audited if any workflow is decommissioned.
4. False-positive in grep: The pattern secrets\.[A-Za-z]* matches .cjs file extensions in require('...redact_secrets.cjs') — 167 extra matches. All confirmed as benign script paths, not secret references.
5. No anomalies detected: No secrets in outputs, no shell injection vectors, no undefined secret names.

---

💡 Recommendations

1. Decommission audit: For the 40 Anthropic, 12 OpenAI, and 11 Codex workflows — ensure ANTHROPIC_API_KEY, OPENAI_API_KEY, and CODEX_API_KEY are removed from repo secrets if those workflows are retired.
2. Third-party secrets review: 7 niche secrets (NOTION_API_TOKEN, SLACK_BOT_TOKEN, DD_*, AZURE_*, SENTRY_*) have very low usage (1–6 occurrences each). Confirm they are still actively needed.
3. Monitor GH_AW_SIDE_REPO_PAT: Used in 19 instances with cross-repo access — verify the minimal required permissions for this PAT are enforced.

---

🔑 Top 15 Secrets by Usage

Rank	Secret Name	Occurrences	Category
1	GITHUB_TOKEN	1,951	GitHub Token
2	GH_AW_GITHUB_TOKEN	1,904	GitHub Token (PAT)
3	GH_AW_GITHUB_MCP_SERVER_TOKEN	956	GitHub MCP Token
4	COPILOT_GITHUB_TOKEN	298	Copilot Engine Token
5	ANTHROPIC_API_KEY	160	AI Engine Key
6	OPENAI_API_KEY	60	AI Engine Key
7	CODEX_API_KEY	60	AI Engine Key
8	GH_AW_CI_TRIGGER_TOKEN	39	CI Infrastructure
9	GH_AW_SIDE_REPO_PAT	19	Cross-repo Access
10	TAVILY_API_KEY	15	Search Integration
11	GH_AW_PROJECT_GITHUB_TOKEN	7	Project Management
12	NOTION_API_TOKEN	6	Third-party
13	GH_AW_AGENT_TOKEN	6	Agent Infrastructure
14	GEMINI_API_KEY	4	AI Engine Key
15	BRAVE_API_KEY	4	Search Integration

DD_* (Datadog), AZURE_*, SENTRY_*, SLACK_BOT_TOKEN, GH_AW_BOT_DETECTION_TOKEN: 1–3 occurrences each.

📈 Trends vs Previous Day (2026-03-11)

Comparing against §20584 (yesterday's report):

Metric	2026-03-11	2026-03-12	Δ
Workflow files	—	167	—
Secret references	—	3,267	—
Unique secret types	—	27	—

Historical baseline being established from today's run. Delta comparison will be available from tomorrow onwards.

📖 Reference Documentation

• Secrets specification: scratchpad/secrets-yml.md
• Redaction system: actions/setup/js/redact_secrets.cjs
• Token cascade pattern: Documented in workflow frontmatter spec

---

Generated: 2026-03-12T20:06:02Z
Workflow: daily-secrets

AI generated by Daily Secrets Analysis Agent · history

• expires on Mar 15, 2026, 8:08 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Secrets Analysis Agent.

A newer discussion is available at Discussion #21115.

[github-actions[bot]]

Superseded by the 2026-03-15 daily secrets analysis report. Closing per the 3-day retention policy (this report is 3+ days old).