My team has faced issues like this and other than ensuring any secrets are removed from your code and stored in a .gitignore'd config file (if you really need them to live so close to the codebase in the first place), you need to prioritize that everything goes through proper PRs, privacy/access is properly configured, and any compromised secrets are rotated immediately. We have some tools like Snyk and Trufflehog but even those don't catch a lot of things - human review is best.
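To make concrete what scanners like the ones mentioned in this comment do, and why they still miss things, here is a small added example (my own code, not TruffleHog's or Snyk's) that runs two common detectors over a constructed set of staged lines: a list of known credential shapes, and a Shannon-entropy test on long quoted literals. The sample lines, the AWS documentation placeholder key id `AKIAIOSFODNN7EXAMPLE`, and the 3.5 bits/char threshold are all assumptions chosen for the illustration.

```python
import math
import re

# Constructed sample of lines as a pre-commit hook might see them (assumed).
SAMPLE_LINES = [
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',                   # read from env: fine
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                # AWS docs placeholder id
    'token = "ghp_" + "x" * 36',                                  # concatenation, no literal token
    'api_key = "f3a9c2e7b1d4086e5a7c9b2d4f6e8a1c3b5d7f9e"',      # 40-char high-entropy hex
    'password = "hunter2"',                                       # short, low entropy
]

# Detector 1: credential formats with a fixed, recognisable shape.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Detector 2: any quoted literal of 20+ token-like characters whose
# entropy looks like random key material rather than a word.
QUOTED_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the list of detector names that fire on one line."""
    findings = []
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern.search(line):
            findings.append(name)
    for literal in QUOTED_LITERAL.findall(line):
        if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
            findings.append("high_entropy_literal")
    return findings


def scan(lines):
    """Map line index -> findings, for lines that triggered anything."""
    report = {}
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            report[index] = hits
    return report


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LINES).items():
        print(f"line {index}: {', '.join(hits)} -> {SAMPLE_LINES[index]}")
```

Running it flags lines 1 and 3 only. The concatenated GitHub token on line 2 and the plain `hunter2` password on line 4 pass both detectors, which is exactly the gap the comment describes: pattern and entropy checks catch well-formed key material, while a reviewer reading the diff is what catches the rest.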