> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# GH_UsesSecret

> [Workflow] Step references a secret by name — GH_WorkflowStep → GH_RepoSecret / GH_OrgSecret (name match)

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Edge Schema

* Source: [GH\_WorkflowStep](/opengraph/extensions/github/nodes/gh_workflowstep)
* Destination: [GH\_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret), [GH\_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)
* Traversable: ❌

## General Information

The traversable GH\_UsesSecret edge links a workflow step to the secret it references via a `${{ secrets.NAME }}` expression. This edge reveals which secrets a step can access at runtime, enabling analysts to trace the blast radius of a compromised workflow.

### Matching strategy

Edges use `match_by: property` with two matchers to disambiguate between secrets with the same name across repositories:

* **[GH\_RepoSecret](/opengraph/extensions/github/nodes/gh_reposecret)** is matched by `name` + `repository_id`.
* **[GH\_OrgSecret](/opengraph/extensions/github/nodes/gh_orgsecret)** is matched by `name` + `environmentid`.

This means one `${{ secrets.MY_SECRET }}` expression in a workflow can produce up to two GH\_UsesSecret edges.

### Context property

The edge carries a `context` property indicating where the reference was found:

* `with` — inside a `with:` input block of a `uses:` action step
* `env` — inside the step's `env:` block
* `run` — inline within a `run:` shell script