wp-config.php already contains your database credentials, so I hope people aren’t checking that into public repos, but I guess you never know. ¯\_(ツ)_/¯
In my other (non-WP) applications, I use a .env file for sensitive info that doesn’t get checked into version control. I wish WP supported it natively, but here’s a quick tutorial on how to use it: https://m.dotdev.co/secure-your-wordpress-config-with-dotenv-d939fcb06e24
Easy enough if you control the server and can use Composer, otherwise probably not an option.