Suggestion
Resolution: Unresolved
Use case:
- Action: The security team composes rules to detect new types of secret leakage and applies them globally.
- Problem: Any newly leaked secrets will be detected, but secrets leaked before the rule existed may remain undetected in the codebase. It is common for secrets never to be touched again after they are first committed to a repository.
- Solution: After deploying a new security rule, the security team initiates a background re-scan. An administrative user might click a button in the global secrets scanning admin pages, or use an API, to start this process. The background process should inspect all files across all refs of all repositories and apply every security scanning rule to each.
This would be similar in nature to triggering a background re-index of files for code search, which also has to inspect all files across all repos. If inspecting all refs is too hard, scanning at least the default branch would be better than nothing, since that branch most likely sees regular activity, including as part of any software release process.
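As an added illustration of the background re-scan described above (example code written for this issue, not part of the product or of any existing scanner): a Python sketch that walks every ref of one local repository, reads each blob once, and applies a constructed sample rule set. The `Rule` type, the rule patterns and the `scan_all_refs` walk are assumptions; the `git for-each-ref`, `ls-tree` and `cat-file` subcommands are standard git.

```python
import re
import subprocess
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern

# Constructed sample rules standing in for the globally managed rule set.
RULES = [
    Rule("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("generic-api-key", re.compile(r"(?i)api[_-]?key\s*[:=]\s*['\"][A-Za-z0-9]{20,}['\"]")),
]

def apply_rules(path, text, rules=RULES):
    """Return (rule name, line number, path) for each rule hit in one file's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule in rules:
            if rule.pattern.search(line):
                hits.append((rule.name, lineno, path))
    return hits

def git(repo, *args):
    """Run one git command in `repo` and return its stdout (binary blobs decoded leniently)."""
    proc = subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True, errors="replace")
    return proc.stdout

def scan_all_refs(repo, rules=RULES):
    """Scan every blob at the tip of every ref, not only the default branch."""
    # Blobs are content-addressed: a file shared by many branches is read and scanned once,
    # and the first ref it was seen on is recorded with the findings.
    seen, findings = set(), {}
    for ref in git(repo, "for-each-ref", "--format=%(refname)").split():
        for entry in git(repo, "ls-tree", "-r", ref).splitlines():
            meta, path = entry.split("\t", 1)
            _mode, otype, oid = meta.split()
            if otype != "blob" or oid in seen:  # skips submodule entries and already-scanned blobs
                continue
            seen.add(oid)
            hits = apply_rules(path, git(repo, "cat-file", "-p", oid), rules)
            if hits:
                findings[oid] = (ref, hits)
    return findings

if __name__ == "__main__":
    import sys
    for oid, (ref, hits) in scan_all_refs(sys.argv[1]).items():
        print("\n".join(f"{ref}\t{path}:{lineno}\t{name}" for name, lineno, path in hits))
```

The sketch covers the tree at each ref's tip; covering every historical commit means running the same per-tree logic over `git rev-list --all`, which is more work but catches secrets that were later deleted from a branch yet remain in its history.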
- Is related to: PS-175828