SAST isn’t picking up secrets that have been committed to a repository
When committing a file that contains a potential secret to a repository set up with SAST, the SAST report displayed on the pipeline does not mention anything about a secret being committed.
Steps to reproduce
See the example project for more details but I was able to reproduce this with a file that had a constant named
The report here mentions no vulnerabilities.
What is the current bug behavior?
The SAST report does not mention the fact that I've committed a secret to the repo.
What is the expected correct behavior?
The SAST report should mention that a secret has been committed to the repo.
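For anyone triaging this, the following is an added illustration of the kind of check a secret-detection job runs over committed files. It is not code from GitLab or from the reporter's example project, and the sample file contents, rule names and thresholds are constructed for this example (the two AWS-style values are the placeholder credentials from AWS documentation, not real keys). It combines a known-format rule (vendor prefixes such as `AKIA…`) with a generic high-entropy check on quoted literals assigned to a variable, which is what catches a secret that has no recognisable prefix.

```python
"""Toy secret detector: added example, not GitLab's SAST or Secret Detection code."""
import math
import re
from collections import Counter

# Known-format rules. These prefixes are documented by the vendors; the
# regexes here are simplified assumptions for the example, not GitLab's rules.
PATTERN_RULES = {
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitLab personal access token": re.compile(r"\bglpat-[0-9A-Za-z_\-]{20}\b"),
}

# Generic rule: a quoted literal of 20+ "base64-ish" characters assigned to a
# name (Python/JS-style `X = "..."` or YAML-style `x: "..."`). No whitespace is
# allowed inside, so ordinary sentences are never candidates.
ASSIGNED_LITERAL = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["'](?P<value>[A-Za-z0-9+/=_\-]{20,})["']"""
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Never echo a candidate secret back in full in a report."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan(text: str):
    """Return [(line_number, rule_name, masked_value), ...] for the given file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, regex in PATTERN_RULES.items():
            for m in regex.finditer(line):
                findings.append((lineno, rule, mask(m.group(0))))
        for m in ASSIGNED_LITERAL.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy literal", mask(value)))
    return findings


# Constructed sample file: the kind of constant the bug report describes.
SAMPLE_FILE = """\
# constructed sample, not the issue's example project
SERVICE_NAME = "billing-exporter"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
WELCOME_MESSAGE = "please enter your password"
"""

if __name__ == "__main__":
    for lineno, rule, masked in scan(SAMPLE_FILE):
        print(f"line {lineno}: {rule}: {masked}")
```

Running it reports the access key ID on line 3 via the prefix rule and the secret access key on line 4 via the entropy rule; the access key ID itself scores below the entropy threshold, which is why scanners keep both kinds of rule rather than relying on entropy alone. A scanner that only ran the first kind would miss exactly the unstructured constant this issue is about.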