GH_UsesSecret

Edge Schema

Source: GH_WorkflowStep
Destination: GH_RepoSecret, GH_OrgSecret
Traversable: ❌

General Information

The traversable GH_UsesSecret edge links a workflow step to the secret it references via a ${{ secrets.NAME }} expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.

Matching strategy

Edges use match_by: property with two matchers to disambiguate between secrets with the same name across repositories:

GH_RepoSecret is matched by name + repository_id.
GH_OrgSecret is matched by name + environmentid.

This means one ${{ secrets.MY_SECRET }} expression in a workflow can produce up to two GH_UsesSecret edges.

Context property

The edge carries a context property indicating where the reference was found:

with — inside a with: input block of a uses: action step
env — inside the step’s env: block
run — inline within a run: shell script

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Edge Schema

General Information

Matching strategy

Context property

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

OpenHound

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Edge Schema

​General Information

​Matching strategy

​Context property

Edge Schema

General Information

Matching strategy

Context property