Scan code/config/logs for leaked secrets: AWS keys, GitHub tokens, Stripe keys, API keys, private keys, DB URLs, JWTs. Algorithmic regex matching.