GitHub already scans for and automatically revokes API tokens that get pushed to repositories. However, GHSA-67f2-674w-6g63 involved a GitHub PAT in an unencrypted Base64‐in‐YAML Kubernetes Secret file format leaked in a Codeberg repository, which went undetected.
I don’t know what the options here look like, but names I’ve seen mentioned include GitGuardian (SaaS), TruffleHog, and Gitleaks. I don’t know if any of those would be able to scan public repositories across different hosts, but it seems worth investigating. Possibly this is something that might require coordination across repository hosts.
GitHub already scans for and automatically revokes API tokens that get pushed to repositories. However, GHSA-67f2-674w-6g63 involved a GitHub PAT in an unencrypted Base64‐in‐YAML Kubernetes Secret file format leaked in a Codeberg repository, which went undetected.
I don’t know what the options here look like, but names I’ve seen mentioned include GitGuardian (SaaS), TruffleHog, and Gitleaks. I don’t know if any of those would be able to scan public repositories across different hosts, but it seems worth investigating. Possibly this is something that might require coordination across repository hosts.