{"slug": "your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isn-t-catching-it", "title": "Your GitHub Actions Logs Are Leaking LLM Keys and Your SIEM Isn't Catching It", "summary": "A security audit of a client's GitHub Actions workflows uncovered three live LLM API keys, including one in a committed `.env.staging` file, that had been leaking in plaintext through CI/CD pipelines. The keys, which remained active and unrotated, exposed the organization to potential quota drain and prompt data exposure. The developer used CheckAPIs, a client-side validation tool, to quickly assess the blast radius across 12+ providers before reporting the findings.", "body_md": "You've locked down your AWS credentials. You've got secret scanning on your repos. You rotate your database passwords.\n\nBut LLM API keys? Those are sitting in plaintext in your pipeline — and nobody's rotating them.\n\nLLM API keys exploded in the last two years. Every team has them now: OpenAI for the chatbot, Anthropic for the internal tool, Groq because someone read a benchmark. They get pasted into CI/CD workflows, hardcoded into Dockerfiles, committed in `.env.example` with real values, echoed in build logs.\n\nThe usual secrets scanning tools weren't built for them. GitLeaks and TruffleHog have patterns for AWS and Stripe, but coverage for `sk-ant-api03-...` or `gsk_...` is inconsistent. And unlike a database password, a leaked LLM key doesn't crash your app — it just silently drains your quota and potentially exposes your prompts.\n\nDuring a recent audit of a client's GitHub Actions setup, I found three LLM API keys across two workflows:\n\n- One in a `.env.staging` file committed \"temporarily\"\n\nAll three were still live.\n\nThe hard part wasn't finding them — it was quickly assessing blast radius before writing the report. Which models do these keys unlock? Are they on a paid plan? What rate limits are attached? Writing provider-specific curl scripts for each one wastes time you don't have during an engagement.\n\nI've been using [CheckAPIs](https://checkapis.pages.dev) for this step. Paste the keys, get back:\n\nSupports 12+ providers: OpenAI, Anthropic, Google Gemini, Groq, Mistral, Cohere, HuggingFace, Replicate, Together AI, Perplexity, Azure, AWS Bedrock.\n\nThe important part for client work: **everything runs client-side**. The validation calls go directly from your browser to the provider's API — no proxy, no logging, no third party ever sees the key.\n\n```bash\n# Or use the API for automation\ncurl -X POST https://checkapis.pages.dev/api/check \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"keys\": [\"sk-proj-...\", \"sk-ant-api03-...\"]}'\n```\n\nFinding the key is step one. Here's the remediation checklist I hand off:\n\n**Immediate**\n\n**Pipeline hardening**\n\n- `set +x` before any step that uses them\n\n**Detection**\n\nLLM keys are credentials. They have blast radius: financial (quota drain), data (prompt/completion logs on the provider side), and reputational (your key used for abuse). Treat them exactly like you'd treat an AWS access key.\n\nThe tooling hasn't caught up yet — which means right now, in most orgs, they're the path of least resistance.\n\n*CheckAPIs is open source — github.com/Teycir/CheckAPI*", "url": "https://wpnews.pro/news/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isn-t-catching-it", "canonical_source": "https://dev.to/teycir/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isnt-catching-it-40i0", "published_at": "2026-05-26 00:57:35+00:00", "updated_at": "2026-05-26 02:33:57.775428+00:00", "lang": "en", "topics": ["ai-safety", "ai-tools", "mlops", "ai-infrastructure", "ai-products"], "entities": ["GitHub Actions", "OpenAI", "Anthropic", "Groq", "GitLeaks", "TruffleHog", "CheckAPIs", "Google Gemini"], "alternates": {"html": "https://wpnews.pro/news/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isn-t-catching-it", "markdown": "https://wpnews.pro/news/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isn-t-catching-it.md", "text": "https://wpnews.pro/news/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isn-t-catching-it.txt", "jsonld": "https://wpnews.pro/news/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isn-t-catching-it.jsonld"}}