The latest Uber breach looks like it involved AWS keys in git repos.
Nobody wants that, which is why amazon provide git-secrets; a script you can use to scan a repo and its history, and add as an automated check.
Anyone can set this up, but there are a few false positives in the scan, mostly from longs and a few all-upper-case constants. These can all be added to a .gitignore file.
Also: mention git-secrets in the aws testing docs; say "use it"