Track secrets referenced via JEXL expressions (secrets.getValue) in Referenced By and API
K
Kelly green Deer
Secrets referenced through JEXL expressions, for example <+secrets.getValue("account.my_secret")> inside step settings, plugin configs, or shell scripts, are resolved at runtime but are not recorded as references. As a result, the Referenced By tab and the Secrets API show zero usage even when the secret is actively used by live pipelines.
Request: detect and track expression-based secret usage, surface it in the Referenced By tab, and expose it via the Secrets API so admins can perform reliable impact analysis before rotation, restriction, or decommissioning.
Example: account-level secret harness_svc_account_token is used via secrets.getValue() in plugin step settings across two active pipelines on the default branch (main), yet shows no references in the UI or API.
Log In