Developers leak secrets constantly: an AWS key pasted into a config to test something, a Stripe token hardcoded 'temporarily', a private key checked in by an over-eager `git add .`. Secret scanning finds those credentials by matching known patterns (AKIA-prefixed AWS keys, GitHub PATs, JWT shapes, PEM blocks) and high-entropy strings.
The critical thing to understand is that git history is permanent. The moment a secret is pushed, it must be treated as compromised — deleting it in a later commit does nothing, because the value still sits in the history and on every clone and fork. The only real remediation is to rotate the credential, then purge history if needed.
That's why secret scanning belongs at the gate, before the push lands: catching the key in a pre-push hook or a pull-request check is the difference between 'don't commit that' and an incident-response exercise.
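A minimal scanner of the kind the opening paragraph describes, as an added example that is not code from the original page: pattern rules for the credential shapes named above plus a Shannon-entropy fallback, run over a constructed sample. The regexes, thresholds and sample values are this example's own assumptions (the AWS key ID is the documented example value, everything else is made up), and it reports a redacted locator rather than the matched value because CI logs are another place a secret can leak. Fed the text of a diff, it is the check a pre-push hook would run.

```python
import math
import re

# Credential shapes named on the page; regexes constructed for this example, not a vendor's rule set.
PATTERNS = {
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "github-token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),
    "stripe-secret-key": re.compile(r"sk_(?:live|test)_[A-Za-z0-9]{24,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]+"),
    "private-key-pem": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Entropy rules as (token regex, bits-per-char threshold); hex gets a lower bar because a 16-symbol alphabet caps entropy at 4.0.
ENTROPY_RULES = [
    (re.compile(r"[0-9a-fA-F]{32,}"), 3.0),
    (re.compile(r"[A-Za-z0-9+/=_-]{20,}"), 4.5),
]

def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value: str) -> str:
    """Report a locator, never the full value: CI logs are another leak channel."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule, redacted_match) for each suspicious line of the input."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(rule, m.group(0)) for rule, p in PATTERNS.items() for m in p.finditer(line)]
        if not hits:  # fall back to entropy only when no known credential shape matched
            hits = [("high-entropy-string", m.group(0))
                    for p, threshold in ENTROPY_RULES for m in p.finditer(line)
                    if shannon_entropy(m.group(0)) >= threshold]
        findings.extend((lineno, rule, redact(value)) for rule, value in hits)
    return findings

# Constructed sample: a benign long path (entropy ~4.1, below the base64 bar), then one leak of each kind.
SAMPLE = """\
path = "/usr/local/lib/python3/site-packages"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_Qm7xZ2pLc9Vw4nRt8yBs3Kd6Fh1JgAe5abcd
token = eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJlX2lzX2NvbnN0cnVjdGVk
-----BEGIN RSA PRIVATE KEY-----
signing_secret = "Qm7xZ2pLc9Vw4nRt8yBs3Kd6Fh1JgAe5"
"""

if __name__ == "__main__":
    for lineno, rule, where in scan_text(SAMPLE):
        print(f"line {lineno}: {rule} {where}")
```

A pre-push hook would pipe the added lines of the outgoing commits into `scan_text` and refuse the push on any finding; the line numbers then refer to the diff, not the file.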