<a href="https://github.com/gitleaks/gitleaks"><code>gitleaks</code></a> catches secrets before they become "oh $%#!" commits.
Use <code>gitleaks detect --source . --verbose</code> to scan an entire repo, or <code>gitleaks protect --staged --verbose</code> in a pre-commit hook to scan only staged changes.
You can make it a global git hook for all repos:
<div class="remark-highlight"><pre class="language-bash"><code class="language-bash">mkdir -p ~/.githooks

# Note: this will overwrite any existing ~/.githooks/pre-commit
cat > ~/.githooks/pre-commit &#x3C;&#x3C;'EOF'
#!/usr/bin/env bash
set -euo pipefail

if command -v gitleaks >/dev/null 2>&#x26;1; then
 gitleaks protect --staged --verbose
else
 echo "gitleaks not found; skipping secret scan"
fi
EOF

chmod +x ~/.githooks/pre-commit
git config --global core.hooksPath ~/.githooks
</code></pre></div>
Insurance against those "oh $%#!" moments when you accidentally stage an API token.

Blog.

TIL: Catch "oh $%#!" commits with gitleaks