
I skimmed the report PDF and saw no mention of validating the data. So I assume pushing an example env file would be flagged as a leak? I understand that it's tricky to validate, and even more so when having millions of data points, but the method seems shaky. It's like all those automatic error analysers that repo authors tend to hate due to all the false positives.


Definitely tricky to validate. Most tools out there offer multiple methods of excluding certain data points, whether it be by adding a comment next to it to indicate intentionality, a file containing specs to exclude (like values or matching patterns), or a UI that you can use "post-leak" to dismiss it as a false positive.

I definitely resonate with your point though on the automatic errors due to false positives. There is a lot of room for improvement.
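To make the two exclusion mechanisms from the reply above concrete, here is an added example (not code from either commenter or from any real scanner): a toy leak scanner that honours an inline allow marker and an exclusion spec of literal values, regex patterns and path globs, run over a constructed `.env.example` and a constructed real `.env`. The detection regex, the `leak-scan:allow` marker name and the `ExcludeSpec` layout are all assumptions made for the example.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Assumed detection rule: a secret-ish key followed by a long token value.
SECRET_RE = re.compile(
    r'(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*["\']?([A-Za-z0-9_\-/+=]{12,})'
)
ALLOW_MARKER = "leak-scan:allow"  # hypothetical inline "this is intentional" comment


@dataclass
class ExcludeSpec:
    """The 'file containing specs to exclude' from the reply (assumed layout)."""
    values: set = field(default_factory=set)      # exact placeholder values
    patterns: list = field(default_factory=list)  # compiled regexes over the value
    paths: list = field(default_factory=list)     # glob patterns for whole files


@dataclass
class Finding:
    path: str
    line_no: int
    value: str


def scan_file(path: str, text: str, spec: ExcludeSpec) -> list:
    """Return findings for one file, applying path, marker, value and pattern exclusions."""
    if any(fnmatch.fnmatch(path, g) for g in spec.paths):
        return []  # whole file is known to hold placeholders (e.g. *.example)
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if ALLOW_MARKER in line:
            continue  # author marked this line as intentional
        match = SECRET_RE.search(line)
        if not match:
            continue
        value = match.group(1)
        if value in spec.values or any(p.search(value) for p in spec.patterns):
            continue  # known placeholder value or placeholder-shaped value
        findings.append(Finding(path, line_no, value))
    return findings


# Constructed sample inputs: a committed example file and a real env file.
EXAMPLE_ENV = "# constructed example file\nAPI_KEY=your-api-key-goes-here\n" \
              "DB_PASSWORD=changeme_changeme\nSECRET_TOKEN=AKIAEXAMPLE0123456789  # leak-scan:allow\n"
REAL_ENV = "API_KEY=zq8Hk3pL9vN2xR7tW4yB6m\nDB_PASSWORD=changeme_changeme\n"
SPEC = ExcludeSpec(
    values={"changeme_changeme"},
    patterns=[re.compile(r"(?i)your-.*-here")],
    paths=["*.example"],
)
```

With this spec the example file produces no findings even when copied to a path the glob does not cover, while the real file still flags the one genuine-looking token and suppresses the shared placeholder password.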



