What is the difference between 'secret scanning' and 'secret detection' in GitHub Advanced Security?

Secret scanning is the ongoing process that looks for exposed credentials across a repository, including in its history. It doesn’t just check current code but also past commits, so secrets that were committed earlier can be detected. When a potential secret is found, alerts are generated so maintainers can rotate keys and remove secrets from history, helping prevent misuse. This focus on monitoring, detecting, and alerting clearly distinguishes it from other phrasing that would imply hiding secrets, limiting detection to production secrets, or treating detection as a separate product. The idea that secrets are only in production is too narrow, and the notion of hiding secrets from history or calling detection a separate product isn’t how GitHub Advanced Security structures these capabilities.