The short answer
- Secret scanning for partners is on by default and cannot be disabled.
- Secret scanning for users can be enabled/disabled. This lets you see, prevent, and get alerted on secrets that GitHub finds—including those sent to partners—and take action as you see fit.
More details
You've mentioned that you've disabled secret scanning, but you're still seeing authentication events from AWS. This is because secret scanning for partners is always enabled for public repositories, even if you've disabled secret scanning for your own repository.
Secret scanning for partners is a security feature that helps to protect your open source community and partners' services from abuse. When you push a hardcoded secret to a public repository, GitHub scans the repository for known secret formats and sends any findings to partners. Partners can then revoke the secret or take other appropriate action.
While you can't disable secret scanning for partners for public repositories, you can enable or disable user-facing secret scanning alerts for your own repository. This will not change how the partner program works, but it will allow you to see what secrets are discovered in your repository and take action on those. For example, not all partners will revoke secrets, so enabling secret scanning for your repository will give you the chance to take action on those secrets as you see fit.
You can also use secret scanning for push protection to block your secret-containing pushes from entering your public repository in the first place. If you enable push protection, GitHub will not send secrets to partners if you push a secret to your repository.
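An added example, not part of the original answer and not GitHub's own code: a small audit that takes repository objects in the shape returned by the REST API's `GET /repos/{owner}/{repo}` and, for each public repository, builds the `PATCH /repos/{owner}/{repo}` body that turns on whichever of user-facing secret scanning and push protection is still off. The repository names and sample data are constructed, and the script only plans the requests without sending them.

```python
import json

# Constructed sample: trimmed repository objects in the shape returned by
# GET /repos/{owner}/{repo}. Names and values are made up for this example.
SAMPLE_REPOS = json.loads("""
[
  {"full_name": "example-org/site", "visibility": "public",
   "security_and_analysis": {
     "secret_scanning": {"status": "disabled"},
     "secret_scanning_push_protection": {"status": "disabled"}}},
  {"full_name": "example-org/docs", "visibility": "public",
   "security_and_analysis": {
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "disabled"}}},
  {"full_name": "example-org/tools", "visibility": "public",
   "security_and_analysis": {
     "secret_scanning": {"status": "enabled"},
     "secret_scanning_push_protection": {"status": "enabled"}}},
  {"full_name": "example-org/internal", "visibility": "private"}
]
""")

# The two settings a repository owner controls; partner scanning is not one.
FEATURES = ("secret_scanning", "secret_scanning_push_protection")

def plan_patch(repo):
    """Return the PATCH body enabling whichever feature is off, or None."""
    if repo.get("visibility") != "public":
        return None  # this audit only covers public repositories
    # A missing security_and_analysis block is treated as "not enabled".
    current = repo.get("security_and_analysis") or {}
    missing = {
        name: {"status": "enabled"}
        for name in FEATURES
        if (current.get(name) or {}).get("status") != "enabled"
    }
    return {"security_and_analysis": missing} if missing else None

def audit(repos):
    """Map repository name -> planned PATCH body, for repos needing a change."""
    plans = {}
    for repo in repos:
        body = plan_patch(repo)
        if body is not None:
            plans[repo["full_name"]] = body
    return plans

if __name__ == "__main__":
    for name, body in audit(SAMPLE_REPOS).items():
        print(f"PATCH /repos/{name}  {json.dumps(body)}")
```
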
