Enterprise Secrets Audit

Advanced15 min

Audit and manage repository and organization secrets used in GitHub Actions to ensure security and compliance.

Prerequisites

-GitHub CLI (gh) installed and authenticated
-Repository or organization admin access

Steps

List repository secrets

View all secrets configured for the current repository.

$ gh secret list

List organization secrets

View secrets available at the organization level.

$ gh secret list --org <org-name>

Set a new repository secret

Create or update a secret for GitHub Actions.

$ gh secret set API_KEY --body 'your-secret-value'

For multi-line secrets or files, use: gh secret set KEY < secret-file.txt

Secret values are write-only. You cannot read them back after setting them.

List environment-scoped secrets

View secrets scoped to a specific deployment environment.

$ gh secret list --env production

Remove a secret

Delete a secret that is no longer needed.

$ gh secret delete OLD_API_KEY

Full Script

full-script.sh

#!/bin/bash
# Enterprise Secrets Audit
set -euo pipefail

echo "=== Repository Secrets ==="
gh secret list 2>/dev/null || echo "No repository secrets or insufficient permissions"

echo ""
echo "=== Environment Secrets ==="
for env in production staging development; do
  echo "--- $env ---"
  gh secret list --env "$env" 2>/dev/null || echo "No secrets or environment not found"
done

echo ""
echo "=== Secret Management Commands ==="
echo "Set:    gh secret set KEY --body 'value'"
echo "File:   gh secret set KEY < file.txt"
echo "Delete: gh secret delete KEY"
echo "Env:    gh secret set KEY --env production --body 'value'"
echo "Org:    gh secret set KEY --org <org> --body 'value'"

FAQ

Discussion

Loading comments...

#!/bin/bash # Enterprise Secrets Audit set -euo pipefail echo "=== Repository Secrets ===" gh secret list 2>/dev/null || echo "No repository secrets or insufficient permissions" echo "" echo "=== Environment Secrets ===" for env in production staging development; do echo "--- $env ---" gh secret list --env "$env" 2>/dev/null || echo "No secrets or environment not found" done echo "" echo "=== Secret Management Commands ===" echo "Set: gh secret set KEY --body 'value'" echo "File: gh secret set KEY < file.txt" echo "Delete: gh secret delete KEY" echo "Env: gh secret set KEY --env production --body 'value'" echo "Org: gh secret set KEY --org <org> --body 'value'"