by johnlbevan2
59 days ago
PS. As for what to do with the findings. Filter for `HasEverRun=true`; if it hasn't run, the secrets can't have been exposed. Review the URL; this says who you're calling. Purists would say that if you've called any endpoints there's a risk. However, for most companies I'd say you can trust services provided by folk like Microsoft (they host GitHub anyway) and Snyk (if you're relying on them for security scanning, you should be able to trust them), so if you see webhooks to Azure DevOps (dev.azure.com) or to Snyk (api.snyk.io) you can assume that anything exposed there isn't a concern.
You don't need to worry about proxies on egress, since this is GitHub Cloud, so calls egress from GitHub rather than through your own network.
So the only concerns would be in-house or third-party-developed endpoints where you feel those companies (or their employees who have access to their ingress logs) may be a risk.
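A triage pass that follows the steps in this comment (keep only hooks with `HasEverRun` set, then check the callback host against a trusted list), written here as an added example and not code from the commenter or any tool mentioned; the findings layout and every hostname other than dev.azure.com and api.snyk.io are constructed. It matches on the parsed hostname rather than a substring, so a lookalike such as `dev.azure.com.evil.example` is not waved through.

```python
"""Triage webhook findings: keep hooks that have ever fired, then flag
callback hosts that are not on a trusted allowlist."""
from urllib.parse import urlparse

# Constructed findings shape for this example: one dict per webhook carrying
# the HasEverRun flag and the configured callback URL (assumption, not a
# real export format).
SAMPLE_FINDINGS = [
    {"repo": "org/app", "url": "https://dev.azure.com/org/_apis/hooks", "HasEverRun": True},
    {"repo": "org/app", "url": "https://api.snyk.io/v1/webhook", "HasEverRun": True},
    {"repo": "org/lib", "url": "https://hooks.example.net/ci", "HasEverRun": False},
    {"repo": "org/web", "url": "https://dev.azure.com.evil.example/hook", "HasEverRun": True},
    {"repo": "org/web", "url": "https://ci.partner.example/github", "HasEverRun": True},
]

# Hosts the comment treats as trustworthy; extend for your own environment.
TRUSTED_HOSTS = {"dev.azure.com", "api.snyk.io"}


def host_is_trusted(url: str, trusted=TRUSTED_HOSTS) -> bool:
    """True if the URL's hostname is a trusted host or a subdomain of one.

    The check runs on the parsed hostname, so 'dev.azure.com.evil.example'
    and 'https://user@dev.azure.com@evil.example/' are not accepted."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(findings, trusted=TRUSTED_HOSTS):
    """Return the webhooks that have fired and call an untrusted host.

    Hooks that never ran are dropped first: nothing can have been exposed
    through them, so they need no review."""
    return [
        f for f in findings
        if f.get("HasEverRun") and not host_is_trusted(f["url"], trusted)
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_FINDINGS):
        print(f"review: {finding['repo']} -> {finding['url']}")
```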