A red team might well notice that the build process doesn't check for accidentally committed secrets.
Storing a bunch of passwords in a plain-text list that an individual can access violates zero-trust AND least-privilege which I think a red team might have some opinions on.
At my job the commits wouldn’t have even made it to our private GitHub repo. The scanners would’ve rejected it when you tried to push a commit.

They find keys and tokens all the time.

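A minimal version of the kind of push-time secret check the comment above describes, as an added example and not code from the thread or from any particular scanner product; the three patterns, the `origin/main` remote ref and the sample diff are assumptions and constructed data.

```python
"""Pre-push secret check: reject a diff whose added lines contain key- or token-shaped strings."""
import re
import subprocess
import sys

# Assumed rule set: a production scanner ships a far larger, maintained list of patterns.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}


def scan_diff(diff_text):
    """Return (diff_line_no, rule_name, matched_text) for each added line that looks like a secret.

    Only '+' lines are inspected (the '+++' file header is skipped), so a commit that
    merely removes a previously leaked value does not produce a finding.
    """
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, rule, match.group(0)))
    return findings


def diff_for_push(remote_ref="origin/main"):
    """Diff of everything local HEAD would push beyond remote_ref (requires a git checkout)."""
    result = subprocess.run(["git", "diff", f"{remote_ref}...HEAD"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample diff: one removed (ignored) key, one added AWS key id, one added GitHub token.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,1 +1,2 @@
-OLD_KEY = "AKIA0000000000000000"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
"""

if __name__ == "__main__":
    text = SAMPLE_DIFF if "--sample" in sys.argv else diff_for_push()
    for line_no, rule, matched in scan_diff(text):
        print(f"diff line {line_no}: {rule}: {matched}")
    sys.exit(1 if scan_diff(text) else 0)  # non-zero exit makes a pre-push hook reject the push
```

Run it with `--sample` to see it flag the constructed diff; installed as `.git/hooks/pre-push` it blocks the push instead.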
And yet, here we are.