by nubb 897 days ago
You should include seed phrase and private key detection. A few crypto protocols that offer public Docker images have been drained from accidentally committing keys to Docker Hub.

I think Trivy does that already [1]. I personally use trufflehog [2] to find secrets of all kinds. Unfortunately, these sorts of tools have false positives.

[1] https://aquasecurity.github.io/trivy/v0.27.1/docs/secret/sca...

[2] https://github.com/trufflesecurity/trufflehog