Yes and no. I'm personally not so much worried about the keys, but about whatever detection they are doing to send what they "think" might be a token/key/etc. And just because a key is public doesn't mean that it is going to be automatically sent to a third party.
If you accidentally upload a key, but then immediately notice and force push, you're already too late since GitHub took the initiative to share that. I get that the user would be at fault here ultimately, but that doesn't mean that GitHub should be working against the user in sharing that.
What if it isn't an AWS token, but instead an encryption key or SSH key that you have blocked off to the public so you're not too worried about it, but you're a warehouse worker protesting COVID-19 treatment? Now Jeff Bezos will be looking for dirt on you like you're Michael Sanchez.
If they made the detection information public then it would at least provide some transparency to see what they determine to be AWS-specific.
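The kind of local check this thread is circling around, added here as an example and not part of any comment: scan the lines about to be pushed for AWS-style key material before they ever reach GitHub, so the "notice and force push" race never starts. The AKIA/ASIA prefix and the 40-character secret format are AWS's documented key formats; the "secret" keyword heuristic and the 3.5-bit entropy threshold are my assumptions, and the sample key pair is the placeholder pair from AWS's own documentation, not a live credential.

```python
"""Local pre-push check for AWS-style credentials in an outgoing diff."""
import math
import re
import sys

# Documented AWS access key ID format: "AKIA" (long-term) or "ASIA" (temporary)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-like characters; to keep noise down we only
# look for them on lines that also mention "secret" (assumed heuristic).
SECRET_KEY_RE = re.compile(r"(?i)secret[^\n]{0,30}?\b([A-Za-z0-9/+]{40})\b")
MIN_ENTROPY = 3.5  # bits/char; assumed threshold that drops padding/placeholders


def shannon_entropy(s: str) -> float:
    """Bits per character; a random 40-char secret scores well above 3.5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_diff(diff_text: str) -> list:
    """Return (line_no, kind, value) for each suspected credential on an added line."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines being added can leak something new
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_ENTROPY:
                findings.append((line_no, "aws_secret_access_key", m.group(1)))
    return findings


# Constructed sample diff. The key pair is AWS's documentation placeholder pair;
# the last added line is a low-entropy decoy the entropy filter should ignore.
SAMPLE_DIFF = """\
+++ b/config.env
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_REGION=us-east-1
-AWS_REGION=eu-west-1
+SECRET_PLACEHOLDER=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    # As a pre-push hook: git diff origin/main...HEAD | python scan.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for ln, kind, val in hits:
        print(f"line {ln}: {kind}: {val[:4]}...{val[-4:]}")  # never echo the full value
    sys.exit(1 if hits else 0)
```

Run with no input and it scans the embedded sample, exiting non-zero on the two real-format findings while ignoring the 40-character placeholder of repeated letters.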
> And just because a key is public, doesn't mean that it is going to be automatically sent to a third-party.
In practice, it pretty much does - bad actors continuously scrape the GitHub firehose looking for AWS secrets, and then automatically spin up EC2 instances to mine cryptocurrency. GitHub's token scanning just ensures that AWS sees the tokens too.
If you don't believe me, keep this website open for a few hours - it's a realtime stream of secrets scraped from GitHub: https://shhgit.darkport.co.uk/
> SSH key that you have blocked off to the public so you're not too worried about it
How do you "block off to the public" something committed to a public GitHub repository? The OP specifically said this was for public repositories.
If GitHub weren't doing this, I imagine the AWS security people would be crawling GitHub on their own, to cut down on security incidents. This push mechanism just makes it more efficient for both GitHub and AWS.
If Amazon is looking for dirt on you, and you have public repositories, you can bet they'll be looking deeper into your repositories than a quick credential scan.
So instead of "SSH key that you have blocked off to the public", you meant "SSH key for an SSH server blocked off from the public". That makes more sense.