Most of these (even sometimes expensive) tools only look at repos and users who are associated with the company’s GitHub org, which barely solves the problem. The much harder problem is the number of corporate secrets that are on random repositories (personal dotfiles, automations, data science scripts, etc.) across GitHub with no strong relationship to the organization. Try using GitHub Code Search to find all the Fastly API tokens that have been leaked, for example, and I bet you’d find some wild stuff.
Readit NewsI'm one of the engineers at GitHub that built this - happy to answer questions (or fast-track your access into the preview!)
Hey, I’m the developer of a popular tool for searching all of public GitHub for sensitive information (GitHub.com/tillson/git-hound) … would love to get access to play with it and see how it can improve secret detection. github.com/tillson
Deleted Comment
id is static while email can be changed.