Author
Simon Maple
Word count
315
Language
English
Hacker News points
None

Summary

Never store credentials as code/config in Azure Repos. There are great tools available to statically analyze commits for sensitive information, such as git-secrets and CredScan, which can reject pushes containing passwords or other sensitive data and detect credentials introduced in pull requests. Team-wide rules against storing credentials as code are also effective, as is keeping secrets in secure variable storage such as Azure KeyVault; regularly auditing repositories with tools like GitRob or truffleHog helps catch sensitive information that was introduced accidentally.