In fact, you can apply as a GitHub "secret scanning partner" to have your own secret's format (regexp) be a part of this secret scanning, with a webhook to your servers whenever they find one, so that you can do the credential-invalidation on your own backend + send the kindly-worded email from your own domain.
Mind you, your secrets need to have a distinctive format in order for this to work. Probably a distinctive prefix is enough.
An Unethical Life Pro-Tip (that the word is already out on anyway, so I don't feel too bad):
• For about $500, you can use BigQuery to extract all matches of a particular regexp, from every file, in every commit, in every public GitHub repo.
Whether or not GitHub themselves use this to power their secret scanning, arbitrary third parties (benevolent or not) certainly can use it for such. And likely already do.
Makes sense; but doesn't help the companies who aren't aware of the secret-scanning service / the ability to become a secret-scanning partner. If you have your own little API SaaS with its own API-key format, then you've probably got API keys exposed in the GitHub dataset; and someone's probably already found and extracted them. (It happened to us!)
Mind you, the GitHub dataset isn't the leak itself; the leak is the public repo that the user pushed their key to. The dataset just makes such searches scalable / cost-effective to third parties who aren't already indexing GitHub for some other reason.
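An added example, not code from any commenter or from GitHub: a sketch of what "a distinctive format" can look like on the issuing side, with a matching regexp and an offline check your backend could run on a reported match before revoking. The `acme_live_` prefix, the key lengths and the CRC32 suffix are assumptions for illustration; the checksum goes beyond the "distinctive prefix" mentioned above and is there to reject look-alike strings without a database lookup.

```python
import re
import secrets
import zlib

# Hypothetical key layout (an assumption, not from the thread):
#   acme_live_ + 30 random base62 chars + 6 base62 chars of CRC32(body)
PREFIX = "acme_live_"
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BODY_LEN, CHECK_LEN = 30, 6

# The regexp a scanner would be given: fixed prefix, fixed-length base62 tail,
# and boundaries so a longer identifier is not matched in the middle.
KEY_RE = re.compile(
    r"(?<![0-9A-Za-z_])" + re.escape(PREFIX)
    + r"[0-9A-Za-z]{%d}(?![0-9A-Za-z])" % (BODY_LEN + CHECK_LEN)
)

def _checksum(body: str) -> str:
    """CRC32 of the body, base62-encoded and left-padded to CHECK_LEN chars."""
    n = zlib.crc32(body.encode("ascii"))
    out = ""
    for _ in range(CHECK_LEN):  # 62**6 > 2**32, so six digits always suffice
        n, r = divmod(n, 62)
        out = ALPHABET[r] + out
    return out

def issue_key() -> str:
    """Mint a new key in the scannable format."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(BODY_LEN))
    return PREFIX + body + _checksum(body)

def is_well_formed(key: str) -> bool:
    """True only if the key has the right shape and a valid checksum."""
    if not KEY_RE.fullmatch(key):
        return False
    tail = key[len(PREFIX):]
    return _checksum(tail[:BODY_LEN]) == tail[BODY_LEN:]

def find_leaked_keys(text: str) -> list[str]:
    """Distinct well-formed keys found in text, in order of first appearance."""
    found: list[str] = []
    for m in KEY_RE.finditer(text):
        if is_well_formed(m.group(0)) and m.group(0) not in found:
            found.append(m.group(0))
    return found

if __name__ == "__main__":
    key = issue_key()
    # Constructed sample: one real-format key and one look-alike with a bad checksum.
    sample = f"API_KEY={key}\n# old: {PREFIX}{'z' * 36}\n"
    print(find_leaked_keys(sample) == [key])
```

Only keys that pass `is_well_formed` need to reach the revocation path; anything else matching the regexp is a false positive.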