
I don’t understand how this is possible - do they not pre-scan commits for secrets? Our Azure DevOps repos reject any push with anything that looks like a credential.


The key was probably encoded in some way that made it hard to detect, for example, as a VM disk snapshot or a .tar.gz archive of a home directory.

Something like that must have happened anyway, since it's highly unlikely a private key is just lying around as a plain text file on an engineer's workstation to be accidentally included in a push.


That would make more sense, though cred scanning should at least attempt to unzip/untar compressed files IMO.
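The point raised in the last two comments (a plain-text scanner misses a key that is buried in a tarball or disk image, so a pre-receive scanner should descend into archives) as an added example that is not part of the thread. This is illustrative code written for this page, not any provider's scanner: the rule set `SECRET_PATTERNS`, the depth and size limits, and the `scan_push` / `build_sample_push` helpers are all constructed here. It scans each pushed blob against a few patterns, then treats the blob as a tar (any compression the standard library supports) or zip archive and recursively scans every member, so a private key inside a `.tar.gz` of a home directory that was itself dropped into a zip is still found.

```python
import io
import re
import tarfile
import zipfile

# Constructed rules for this example. A production scanner would load a
# maintained rule set rather than two hand-written regexes.
SECRET_PATTERNS = {
    "private_key_block": re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}

MAX_DEPTH = 3                          # nested archive layers to descend into
MAX_MEMBER_BYTES = 16 * 1024 * 1024    # skip members larger than this (decompression bombs)


def _tar_members(data):
    """Yield (name, bytes) for regular files in a tar / tar.gz / tar.bz2 / tar.xz blob."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile() and m.size <= MAX_MEMBER_BYTES:
                yield m.name, tf.extractfile(m).read()


def _zip_members(data):
    """Yield (name, bytes) for regular files in a zip blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and info.file_size <= MAX_MEMBER_BYTES:
                yield info.filename, zf.read(info)


def scan_blob(path, data, depth=0):
    """Return [(path, rule_name)] for every pattern hit in this blob and, if the
    blob is an archive, in its members (recursively, up to MAX_DEPTH)."""
    findings = [(path, rule) for rule, pat in SECRET_PATTERNS.items() if pat.search(data)]
    if depth >= MAX_DEPTH:
        return findings
    for opener in (_tar_members, _zip_members):
        try:
            members = list(opener(data))
        except (tarfile.TarError, zipfile.BadZipFile, EOFError, OSError):
            continue                    # not an archive of this kind; try the next opener
        for name, inner in members:
            findings.extend(scan_blob(f"{path}!{name}", inner, depth + 1))
        break                           # it was an archive; the other opener cannot apply
    return findings


def scan_push(files):
    """files: {path: bytes} of blobs introduced by a push.
    Returns the list of findings; an empty list means the push may be accepted."""
    findings = []
    for path, data in files.items():
        findings.extend(scan_blob(path, data))
    return findings


def build_sample_push():
    """Constructed sample push: a home-directory tar.gz nested inside a zip,
    plus a harmless README. The key material is a placeholder, not a real key."""
    fake_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf:
        for name, content in (("home/alice/.ssh/id_ed25519", fake_key),
                              ("home/alice/notes.txt", b"nothing to see\n")):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("backup/alice-home.tar.gz", tar_buf.getvalue())
    return {"README.md": b"# project\n", "backup.zip": zip_buf.getvalue()}


if __name__ == "__main__":
    for path, rule in scan_push(build_sample_push()):
        print(f"REJECT push: {rule} in {path}")
```

Run stand-alone it reports the placeholder key at `backup.zip!backup/alice-home.tar.gz!home/alice/.ssh/id_ed25519`, which a scanner that only greps the pushed blobs would miss because both layers are compressed. The depth and per-member size caps are there so a push cannot stall the hook with a deeply nested or highly compressible archive; a real deployment would also want a plain `.gz` opener and a raw-disk-image walker, neither of which this example attempts.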
