At my work one of my coworkers accidentally put a secret token in a GitHub issue. A couple of hours later he got an email from the sysadmin at the parent company saying his token-finding script had gone off. He probably wouldn't have noticed for a long while if that script wasn't running.
2. It's embedding the token as a query-string parameter in a GET request, which is much more likely to be logged (than sending it as data in a POST request), and more likely to be available to less-privileged/less-trusted staff.
3. If the request is sent to a non-HTTPS endpoint, the query can be MITM'd, revealing the token.
I'd be very wary of setting up a token-finding script; it feels like it adds more risk than it saves.
You can scrape the issues without exposing the token. You could probably do it by just subscribing to all of them and parsing emails. No one (especially in security) should be using a third-party search to match sensitive data. It's like searching Google for your social security number.
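A local token-finding script of the kind the comment above argues for, as an added example that is not any commenter's code: it scans issue text held locally (a constructed sample here, no real credentials) for known credential formats and for high-entropy values assigned to secret-looking names, and reports only a redacted prefix, so the secret itself is never handed to a third-party search. The entropy threshold and the sample values are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample issue body; every value below is made up, not a real credential.
SAMPLE_ISSUE = """\
Steps to reproduce:
export AWS_ACCESS_KEY_ID=AKIAEXAMPLE1234567AB
api_key = "k7Qp3zX9vL2mN8rT4wY6bC1dF5gH0jS"
token = "xxxxxxxxxxxxxxxxxxxxxxxx"
my token is ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

# Fixed-format credentials first (high confidence), then a generic assignment
# pattern that is only trusted when the value has enough entropy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:token|secret|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}
ENTROPY_THRESHOLD = 3.5  # assumed cut-off in bits/char; placeholders like "xxxx..." score 0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be located without reproducing the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def find_secrets(text: str) -> list[dict]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue  # looks like a placeholder, not a credential
                findings.append({"kind": kind, "line": lineno, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_ISSUE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```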
Maybe they search for the token's public key and not the token itself. Then, if the public key is found, they download the repo and scan it for the private key.
A group at BigCorp Inc. was sharing a tool they'd written with ThirdParty Ltd. As part of this, they transferred documentation, including how to configure the tool. Including an example. With a real AWS key. For a dev too, so the key had no restrictions.
And this would be a cool feature from GitHub too. A link mentioning "we found something in your code that looks like a secret, please know people will use it."
They do this for all of their own API keys already. They not only notify you but instantly invalidate a key pushed to a public repo.
Annoyingly there is no way to turn it off even when you explicitly want to share an API key knowingly. But I'm more than fine with needing to "obfuscate" an API key or manage secrets correctly, knowing it saves TONS of people.
It's been a while, but IIRC it was a key with no permissions used on a CI server to get around GitHub's API usage limits.
It probably wasn't the best idea, but it was the only "secret" needed in the whole project and I didn't want to maintain a way of managing secrets in a public project for a pointless key.
In the end I did just that, and looking back it was the better choice, but at the time it was annoying.