Has anyone got a script or git hook that will suggest you not to push anything that looks like a credential? Could be really useful.
It would need to identify strings that look like a key/password, and I guess also it would need an override, perhaps a comment like "// Demo password".
I've used sync-secrets before, which has worked well- https://github.com/Yelp/detect-secrets