They at least scan GitHub for all kind of exposed tokens in public repositories, and even have partnerships with the companies where you can connect with those tokens (SaaS, PaaS...) to verify they're valid and even revoke them automatically if necessary.