Preventing Passwords from Getting into GitHub

Eduardo Pivaral does some work:

Healthy code should not include passwords, keys, or secrets in the source code. Sometimes, developers hard-code sensitive information while testing new features but forget to remove it afterward.

How can we validate code without including sensitive information so we can take action before we publish or share code?

Click through for a couple of options. If you do have GitHub Advanced Security (part of GitHub Enterprise Cloud), you can also create a custom pattern for secret scanning that can include passwords, database connection strings, and the like.
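
As an added example (not code from the linked article or from GitHub), here is a local check in the same spirit as a custom secret-scanning pattern: it flags connection strings and assignments that carry a literal password and ignores values that defer to the environment. The regexes, rule names and sample lines are constructed assumptions to tune for your own code base.

```python
import re
import sys

# Constructed rules for illustration; they are not GitHub's built-in patterns.
CONN_HINT = re.compile(r"(?i)\b(?:server|data source|host)\s*=")
CONN_PASSWORD = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*(?P<value>[^;\"'\s]+)")
ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret)\w*\s*[:=]\s*[\"'](?P<value>[^\"']+)[\"']")
# Values that defer to the environment or a template are not hard-coded secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.+\}|\$\(.+\)|%\w+%|\{\{.+\}\}|<.+>|\*+|x+)$")


def find_hardcoded_secrets(text):
    """Return (line_number, rule_name) pairs; the secret itself is never echoed."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        checks = [("password-assignment", ASSIGNMENT.search(line))]
        # Only treat Password=/Pwd= as a connection string when a server key is present.
        if CONN_HINT.search(line):
            checks.append(("connection-string-password", CONN_PASSWORD.search(line)))
        for rule, match in checks:
            if match and not PLACEHOLDER.match(match.group("value")):
                findings.append((number, rule))
    return findings


# Constructed sample input: lines 1 and 4 hold literal passwords, the rest do not.
SAMPLE = '''\
conn = "Server=db01;Database=Sales;User Id=app;Password=Sup3rS3cret!;"
conn = "Server=db01;Database=Sales;Integrated Security=true;"
conn = "Server=db01;Database=Sales;User Id=app;Password=${DB_PASSWORD};"
db_password = "hunter2"
db_password = os.environ["DB_PASSWORD"]
'''


def main(paths):
    """Scan the given files; a non-zero return value blocks the commit."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, rule in find_hardcoded_secrets(handle.read()):
                print(f"{path}:{number}: {rule}")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook with the staged file paths as arguments so a finding stops the commit before the secret reaches the repository history.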