[$] Scanning for secrets

Projects, even of the open-source variety, sometimes have secrets that need
to be maintained. They range from signing keys, which are (or should be)
securely stored away from the project's code, to credentials and tokens for
access to various web-based services, such as cloud-hosting providers or the
Python Package Index (PyPI). Running instances of the code sometimes need
these credentials, and others benefit from being stored "near" the code, but
none of them are meant to be distributed outside of the project. They can
sometimes be mistakenly added to a public repository, however, which is a
slip that attackers are most definitely on the lookout for.
The big repository-hosting services like GitHub
and GitLab are well-placed to scan for these kinds of secrets being
committed to project repositories—and they do.
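As an added illustration (not code from the LWN article, nor the scanners that GitHub or GitLab run), here is a small Python scanner of the kind a project could run over staged changes before a commit ever reaches a public repository. It matches the published prefixes of a few token formats (GitHub classic personal access tokens, PyPI API tokens, AWS access key IDs, PEM private-key headers) and falls back to an entropy heuristic for generic `password =` / `api_key =` style assignments. The length bounds, the 3.5-bits-per-character threshold, the `pragma: allowlist secret` opt-out marker and the sample input are all assumptions constructed for this example; none of the sample values are real credentials.

```python
"""Minimal secret scanner: pattern matches for known token formats plus an
entropy heuristic for generic credential assignments.  Added example; the
token prefixes follow published formats, the other knobs are assumptions."""
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Known token shapes.  "ghp_", "pypi-" and "AKIA" are the published prefixes of
# GitHub classic PATs, PyPI API tokens and AWS access key IDs; the length
# bounds are an assumption of this example to keep false positives down.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pypi_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{40,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic fallback: a credential-looking assignment with a long value.  The
# value only counts as a finding if it also looks random (entropy check below).
ASSIGNMENT = re.compile(
    r"(?i)\b(secret|token|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)
ALLOWLIST_MARKER = "pragma: allowlist secret"  # assumed opt-out marker
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    preview: str  # redacted: never echo the whole secret into logs or CI output


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(s: str) -> str:
    """Keep only a short prefix so a report cannot itself leak the secret."""
    return s[:6] + "..." if len(s) > 6 else s


def scan_text(text: str) -> list[Finding]:
    """Scan text line by line; returns findings in order of appearance."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue  # explicit opt-out, e.g. for documented dummy values
        before = len(findings)
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(line_no, kind, redact(m.group(0))))
        if len(findings) == before:  # no known format hit; try the heuristic
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                kind = "high_entropy_" + m.group(1).lower()
                findings.append(Finding(line_no, kind, redact(m.group(2))))
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = "\n".join([
    'GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"',
    'PYPI_TOKEN = "pypi-AgEIcHlwaS5vcmcCJDAwMDAwMDAwLTAwMDAtMDAwMC0wMDAw"',
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "-----BEGIN RSA PRIVATE KEY-----",
    'api_key = "xK9fL2mQ7vB4nR8tY3wZ6pC1"',
    'password = "aaaaaaaaaaaaaaaaaaaaaaaa"',  # long, but low entropy: not flagged
    'token = "ghp_' + "0" * 36 + '"  # pragma: allowlist secret',  # opted out
    "timeout = 30",
])


def main() -> int:
    """Pre-commit style usage: `git diff --cached | python scanner.py`."""
    findings = scan_text(sys.stdin.read())
    for f in findings:
        print(f"line {f.line_no}: {f.kind} ({f.preview})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run on the constructed sample, the scanner reports the first five lines (the four known formats plus the high-entropy `api_key`) and stays quiet on the low-entropy password, the allowlisted dummy token and the plain integer. The hosted scanners the article refers to go well beyond this: they match a much larger catalogue of formats and, for partner tokens, notify the issuing service so the credential can be revoked before an attacker uses it; a local check like this one is the cheap first line that keeps the secret from being pushed at all.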

Source: LWN.net – [$] Scanning for secrets