by DINKDINK 3349 days ago
It seems this should be a standard product offering for GitHub
2 comments

Agreed. Or software you can just run internally. Not a fan of just opening up read access to my code to a new startup.
Yeah, what if gitmonkey accidentally reveals a secret key? Now somebody has a curated list of everyone's git secret keys - even the ones in private repos!
If GitMonkey has your key on record, it means we're not the only ones having it. You should revoke it immediately. So even if our db is breached, it should only contain a list of useless revoked keys.
> should
I am also really scared by the suggestion that they might 'take a leap' and check if it's valid... Then they have a list of keys and whether they work or not
If you signed up for a service specifically to detect when you compromise your secrets, and the service tells you about it, and you don't change the secret... Why are you then worried that the other party gets compromised?
There are git hooks that you can run locally, but think as a manager of an R&D team of 10-20 developers. You need to make it centralised.
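A minimal version of the local git hook mentioned above, as an added example that is not part of this thread or of any product discussed in it; the credential patterns it matches are illustrative assumptions, not an exhaustive list:

```shell
#!/bin/sh
# Added example: a pre-commit hook that refuses a commit when the lines being
# added contain text that looks like a credential. Install by copying it to
# .git/hooks/pre-commit and making it executable.

# Reads text on stdin. Returns 0 when nothing secret-like is found, 1 otherwise.
# Patterns (assumptions for illustration):
#   - AWS access key IDs: "AKIA" followed by 16 upper-case letters or digits
#   - PEM private key headers of the common key types
#   - an assignment of a long literal to a variable named like a password/token
scan_for_secrets() {
    if grep -E -q \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----' \
        -e '(password|passwd|secret|token)[[:space:]]*[=:][[:space:]]*["'"'"'][^"'"'"']{12,}'; then
        return 1
    fi
    return 0
}

# Hook entry point: scan only the "+" lines of the staged diff, so that removing
# an already-leaked secret is never blocked, and only newly added text counts.
run_hook() {
    if git diff --cached --unified=0 | grep '^+' | grep -v '^+++' | scan_for_secrets; then
        return 0
    fi
    echo "pre-commit: staged changes contain text that looks like a secret; commit refused." >&2
    echo "If this is a real credential, treat it as exposed and rotate it." >&2
    return 1
}

# Only act when git actually invokes this file as a hook.
case "$0" in
    */hooks/pre-commit) run_hook ;;
esac
```

Running `git commit --no-verify` bypasses any local hook, which is the gap a centralised check is meant to close.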
No, if I want to do my job correctly I'll encourage best practices and address careless deviations. I won't encourage bad behaviour by outsourcing simple workflow tooling to a third party that doesn't have any accountability if they drop the ball.

Whether you realize it or not, you're advocating for increasing surface area and risk. You're offering a service to people with bad opsec while simultaneously asking them to trust your opsec; none of which is a good solution to the actual problem.

GitHub does this actually, but only for GitHub access tokens generated from their API... if you generate an OAuth access token and commit it, they will automatically revoke it.