How do you prevent secrets from being committed to repos, and what must happen when one leaks?

Prevent with layered scanning: client-side pre-commit hooks (gitleaks, git-secrets) to block the secret before the commit is created, CI scanning on every push/PR, and server-side push protection plus org-wide secret scanning (e.g. GitHub's) as the backstop. This is defense-in-depth, because any single layer can be bypassed (hooks can be skipped, CI can be misconfigured). Reduce the blast radius up front by using short-lived/dynamic secrets and a secrets manager, so there is less static material to leak in the first place. On a leak, removing the secret from the latest commit is not enough: the value is still in git history and has likely already been harvested by bots that watch public repos. You must rotate/revoke the credential immediately (treat it as compromised), investigate for misuse via audit logs for the affected service, and then optionally purge it from history. Rotation is the only real remediation; history cleanup is hygiene.