When I started programming, no one would ever put secrets in their code, such as passwords, credentials, keys, and access tokens. Then, with https://thenewstack.io/intel-to-continue-buying-spree-of-saas-vendors/ and https://thenewstack.io/investigating-the-next-generation-of-infrastructure-as-a-service/, we’d often insert tokens to invoke other services into our code.
For secret matches found in public repositories, create a secret alert service that accepts webhooks from GitHub that contain the secret scanning message payload.
Specifically, once-secret scanning alerts are available on your repository, you can watch them via your repository’s settings under “Code security and analysis” settings.
GitHub’s secret scanning push protection stops me before a secret is pushed into the code base, saving me tons of time.