# Your GitHub Actions Logs Are Leaking LLM Keys and Your SIEM Isn't Catching It

> Source: <https://dev.to/teycir/your-github-actions-logs-are-leaking-llm-keys-and-your-siem-isnt-catching-it-40i0>
> Published: 2026-05-26 00:57:35+00:00

You've locked down your AWS credentials. You've got secret scanning on your repos. You rotate your database passwords.

But LLM API keys? Those are sitting in plaintext in your pipeline — and nobody's rotating them.

LLM API keys exploded in the last two years. Every team has them now: OpenAI for the chatbot, Anthropic for the internal tool, Groq because someone read a benchmark. They get pasted into CI/CD workflows, hardcoded into Dockerfiles, committed in `.env.example` with real values, echoed in build logs.

The usual secrets scanning tools weren't built for them. GitLeaks and TruffleHog have patterns for AWS and Stripe, but coverage for `sk-ant-api03-...` or `gsk_...` is inconsistent. And unlike a database password, a leaked LLM key doesn't crash your app — it just silently drains your quota and potentially exposes your prompts.

During a recent audit of a client's GitHub Actions setup, I found three LLM API keys across two workflows:

- `.env.staging` file committed "temporarily"

All three were still live.

The hard part wasn't finding them — it was quickly assessing blast radius before writing the report. Which models do these keys unlock? Are they on a paid plan? What rate limits are attached? Writing provider-specific curl scripts for each one wastes time you don't have during an engagement.

I've been using [CheckAPIs](https://checkapis.pages.dev) for this step. Paste the keys, get back:

Supports 12+ providers: OpenAI, Anthropic, Google Gemini, Groq, Mistral, Cohere, HuggingFace, Replicate, Together AI, Perplexity, Azure, AWS Bedrock.

The important part for client work: **everything runs client-side**. The validation calls go directly from your browser to the provider's API — no proxy, no logging, no third party ever sees the key.

```
# Or use the API for automation
curl -X POST https://checkapis.pages.dev/api/check \
  -H "Content-Type: application/json" \
  -d '{"keys": ["sk-proj-...", "sk-ant-api03-..."]}'
```

Finding the key is step one. Here's the remediation checklist I hand off:

**Immediate**

**Pipeline hardening**

- `set +x` before any step that uses them

**Detection**
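As an added example (not code from the post or from the CheckAPIs project), here is a small scanner you can run over a downloaded Actions log: it flags tokens matching the key prefixes quoted above, reports only a fingerprint rather than the full key, and returns a redacted copy of the log. The prefix regexes and the sample log lines are constructed assumptions, not authoritative provider key formats.

```python
import re
from dataclasses import dataclass

# Assumed prefix patterns based on the key prefixes quoted in the post.
# Real provider formats vary in length and charset; tune before relying on them.
KEY_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-api03-[A-Za-z0-9_\-]{20,}"),
    "openai-project": re.compile(r"sk-proj-[A-Za-z0-9_\-]{20,}"),
    "groq": re.compile(r"gsk_[A-Za-z0-9]{20,}"),
}

# Constructed sample log: line 2 is what a `set -x` trace leaks, line 4 is a
# secret that GitHub masked because it was registered as a repository secret.
SAMPLE_LOG = """\
2026-05-26T00:57:35Z [step] Run pip install -r requirements.txt
2026-05-26T00:57:36Z [step] + export ANTHROPIC_API_KEY=sk-ant-api03-CONSTRUCTEDsampleKEY0123456789abcdef
2026-05-26T00:57:37Z [step] echo Using groq key gsk_CONSTRUCTEDsample0123456789ABCDEF
2026-05-26T00:57:38Z [step] OPENAI_API_KEY=***
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    provider: str
    fingerprint: str  # first 10 chars + last 4, never the full key


def fingerprint(key: str) -> str:
    """Enough to correlate with the provider dashboard, not enough to use."""
    return f"{key[:10]}...{key[-4:]}"


def scan_log(text: str) -> tuple[list[Finding], str]:
    """Return (findings, redacted_log) for a raw CI log."""
    findings, redacted_lines = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        clean = line
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, provider, fingerprint(match.group(0))))
            clean = pattern.sub(f"[REDACTED:{provider}]", clean)
        redacted_lines.append(clean)
    return findings, "\n".join(redacted_lines)


if __name__ == "__main__":
    found, redacted_log = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.provider} key {f.fingerprint}")
    print(redacted_log)
```

Wire it into the job that uploads logs to your SIEM so the alert carries the fingerprint and line number instead of the key itself.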

LLM keys are credentials. They have blast radius: financial (quota drain), data (prompt/completion logs on the provider side), and reputational (your key used for abuse). Treat them exactly like you'd treat an AWS access key.

The tooling hasn't caught up yet — which means right now, in most orgs, they're the path of least resistance.

*CheckAPIs is open source — github.com/Teycir/CheckAPI*
