This is very cool, but I have a thought - I see this as a last line of defense, and I am concerned that this would give a false sense of security, leading people to be more reckless with secrets.
You could make the same argument for any tool that does not provide high security. In fact, security is layered, and no single tool should be relied upon to be your one security tool. You said as much yourself: "I see this as a last line of defense," but I don't see how you conclude that this would inherently cause people to be more reckless with secrets.
The pie-in-the-sky goal for any security org is to have a cred rotation process that is so smooth that you're able to not worry about leaked creds, because it's so fast and easy to rotate them. If the rotation is automated and if it's cheap and frictionless to do so, heck, why not just rotate them multiple times a day.
Ehhh, considering how low the security bar is, I think it is better than nothing. If you inherit a code base, make it a quick initial action to see how much pain you can expect. In practice, I expect a tool like this has so many false positives that you cannot keep it as an always-running action. More a manual review you run occasionally.
I hope that more secrets adopt a GitHub like convention where they are prefaced with an identifier string so that you do not require heuristics to detect them.
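To illustrate the point the thread keeps circling back to (the false-positive rate of heuristic scanning versus the precision you get from a prefixed token format), here is an added example, not code from the tool being discussed or from GitHub. It defines a constructed token convention (hypothetical prefixes `exk_`/`exs_`, a 30-character base62 payload, and a 6-character base62 CRC32 checksum; GitHub's real format is not reproduced), then scans a constructed sample file two ways: a prefix regex that also verifies the checksum, and a Shannon-entropy heuristic of the kind most generic secret scanners use. The sample strings, including the 40-hex git-style object id, are constructed for the example.

```python
"""Prefix+checksum secret detection vs. an entropy heuristic (added example)."""
import binascii
import math
import re
import string
from collections import Counter

BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase

# Constructed convention for this example (hypothetical, NOT GitHub's real format):
#   <prefix><30 base62 payload chars><6 base62 chars encoding CRC32(payload)>
TOKEN_PREFIXES = ("exk_", "exs_")   # hypothetical "example key" / "example secret"
PAYLOAD_LEN, CHECKSUM_LEN = 30, 6
BODY_LEN = PAYLOAD_LEN + CHECKSUM_LEN

# Prefix scanner: only known prefixes, exact body length, no alnum on either side.
PREFIX_RE = re.compile(
    r"(?<![0-9A-Za-z_])(?:%s)[0-9A-Za-z]{%d}(?![0-9A-Za-z])"
    % ("|".join(map(re.escape, TOKEN_PREFIXES)), BODY_LEN)
)
# Entropy heuristic: any long run of token-ish characters is a candidate.
CANDIDATE_RE = re.compile(r"[0-9A-Za-z+/=_-]{20,}")


def b62_encode(n: int, width: int) -> str:
    """Encode a non-negative int as base62, left-padded with '0' to `width`."""
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = BASE62[r] + digits
    return digits.rjust(width, "0")


def make_token(prefix: str, payload: str) -> str:
    """Mint a token under the constructed convention (what an issuer would do)."""
    assert prefix in TOKEN_PREFIXES and len(payload) == PAYLOAD_LEN
    crc = binascii.crc32(payload.encode("ascii")) & 0xFFFFFFFF  # 62**6 > 2**32, fits
    return prefix + payload + b62_encode(crc, CHECKSUM_LEN)


def checksum_ok(token: str) -> bool:
    """True only if the trailing checksum matches the payload; cheap, offline."""
    prefix, payload = token[:-BODY_LEN], token[-BODY_LEN:-CHECKSUM_LEN]
    return prefix in TOKEN_PREFIXES and make_token(prefix, payload) == token


def scan_prefixed(text: str):
    """Return [(token, checksum_valid)] for every prefixed match in `text`."""
    return [(m.group(0), checksum_ok(m.group(0))) for m in PREFIX_RE.finditer(text)]


def confirmed_secrets(text: str):
    """Only matches whose checksum verifies: a placeholder or typo never confirms."""
    return [tok for tok, ok in scan_prefixed(text) if ok]


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical character distribution of `s`."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_entropy(text: str, threshold: float = 3.5):
    """Heuristic scanner: flag any long candidate whose entropy exceeds `threshold`."""
    return [c for c in CANDIDATE_RE.findall(text) if shannon_entropy(c) > threshold]


# Constructed sample file: one real token, one placeholder with the right prefix
# but a bogus body, and a git-style 40-hex object id (constructed, not a real commit).
REAL_TOKEN = make_token("exk_", "a7Qz3Lk9Pm2Rt8Vw1Xy6Bc4Df0Gh5J")
PLACEHOLDER = "exk_" + "0" * BODY_LEN
HEX_ID = "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391"
SAMPLE = f'''# constructed sample
API_KEY = "{REAL_TOKEN}"
PLACEHOLDER = "{PLACEHOLDER}"
BASE_COMMIT = "{HEX_ID}"
'''

if __name__ == "__main__":
    for tok, ok in scan_prefixed(SAMPLE):
        print(f"prefix match {tok[:10]}... checksum {'valid' if ok else 'INVALID'}")
    for cand in scan_entropy(SAMPLE):
        print(f"entropy flag {cand[:10]}... {shannon_entropy(cand):.2f} bits/char")
```

Run on the sample, the prefix scanner reports the real token as confirmed and the placeholder as a prefix match with an invalid checksum (worth a warning, not a page), while the entropy heuristic flags the real token and the hex object id alike and misses nothing only because the placeholder happens to be low-entropy; on a real repository the hashes, UUIDs and base64 blobs are what make an always-on heuristic scanner noisy. A format with a fixed prefix and a verifiable checksum is what lets a scanner run on every push with essentially zero false positives, which is the point of the GitHub-style convention the comment above is hoping for.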