Bitbucket Data Center has a secret scanner that scans commits for secrets (passwords, access tokens, etc) as a post-receive hook. Secret scanner works like this so that it doesn't impact performance of git, and doesn't block developers in case of false positive detections. However, it would be great to add a pre-receive hook, so that commits containing secrets can be rejected without getting into a repository.