https://docs.github.com/en/code-security/secret-scanning/sec... is one option

Neat. Thanks!

Well 1 option is the service from TFA.

https://www.gitguardian.com/monitor-internal-repositories-fo...

This was on public GitHub, which anyone can scan for anything. Their API is a firehose you can consume: https://api.github.com/events

GitGuardian's public report on secrets sprawl talks about their methodology of scanning any commit https://www.gitguardian.com/state-of-secrets-sprawl-report-2...

The company I work for does this. I recently pushed an update to a personal repo that just contained a keyword match (the push included a dictionary.txt file which happened to include the company name) which flagged a review.