Entire secrets context exposed
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
The workflow serializes the whole secrets context with toJSON(secrets), or references ${{ secrets }} directly, exposing every repository and organization secret at once through one environment variable, output, or log line.
Why it matters
toJSON(secrets), or a bare ${{ secrets }} reference, serializes every secret the workflow can see into one value. That single environment variable, output, or log line then carries all of your repository and organization secrets at once, so any leak or any action that reads it gets everything rather than one credential.
How to fix it
Never pass the whole secrets context anywhere. Reference each secret you actually need by name (${{ secrets.SPECIFIC_KEY }}) and pass it to the one step that uses it. If you were iterating over secrets dynamically, restructure to an explicit allowlist of named secrets.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo