What can Secret Scanning do in Git history?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What can Secret Scanning do in Git history?

Explanation:
Secret scanning is capable of finding secrets that exist in the repository’s history, not just in the latest snapshot. That means if a credential or API key was ever committed, it can come up as a potential leak. When that happens, the proper response is to purge the repository’s history to remove the secret from all past commits and to rotate the credentials so the exposed secret can no longer be used. Purging history involves rewriting commits and then coordinating a force push to update the shared repo, since the history changes affect everyone’s work. After removal, you must revoke the leaked secret and generate new credentials, updating any configuration to use the new values. Secret scanning doesn’t automatically fix code for you, it isn’t limited to the most recent commit, and it doesn’t by itself block pushes without additional policies or reviews.

