Hacker News | davidumoh's comments

Really surprising to see that sensitive credentials were checked in to VCS. Apart from peer code review, how can a company avoid developers checking in sensitive data to VCS?


You could have a git hook (even remote) that would check for pre-configured patterns and reject the push if it contains them.

Quick google yielded this https://github.com/awslabs/git-secrets
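A minimal sketch of the server-side hook described in the reply above, added here as an illustration; it is not code from the thread or from git-secrets. The three patterns and the function names are assumptions to be adapted per repository.

```shell
#!/bin/sh
# pre-receive hook: reject a push if any added line looks like a credential.
# The patterns are illustrative assumptions; extend them for your own secrets.

patterns() {
cat <<'EOF'
AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
(password|passwd|secret|api_key|token)[[:space:]]*[:=][[:space:]]*["'][^"']{8,}
EOF
}

# Reads a unified diff on stdin, prints added lines that match a pattern.
# Exit status 0 means at least one match. File headers (+++ b/...) are skipped.
find_secrets() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -Ei -e "$(patterns)"
}

# True when the object id is all zeros (ref created or deleted).
is_zero() { case $1 in *[!0]*) return 1 ;; esac; }

# Git feeds "<old> <new> <ref>" per updated ref on stdin.
main() {
    rc=0
    while read -r old new ref; do
        if is_zero "$new"; then continue; fi             # ref deletion
        if is_zero "$old"; then range="$new --not --all" # new ref: unseen commits only
        else range="$old..$new"; fi
        for c in $(git rev-list $range); do
            if git show --format= --unified=0 "$c" | find_secrets >&2; then
                echo "rejected: commit $c on $ref adds a secret-like string" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Run only when installed as hooks/pre-receive, so the functions can be sourced.
case ${0##*/} in pre-receive) main || exit 1 ;; esac
```

Every pushed commit is scanned individually, so a secret that is added in one commit and deleted in a later commit of the same push is still rejected, since it would remain in history.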


