SAST isn’t picking up secrets that have been committed to a repository

Summary

When committing a file that contains a potential secret to a repository set up with SAST, the SAST report displayed on the pipeline does not mention anything about a secret being committed.

Steps to reproduce

See the example project for more details, but I was able to reproduce this with a file that had a constant named API_KEY.

Example Project

https://gitlab.com/anazir/sast

The report here mentions no vulnerabilities.

What is the current bug behavior?

The SAST report does not mention the fact that I've committed a secret to the repo.

What is the expected correct behavior?

The SAST report should mention that a secret has been committed to the repo.
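As an added illustration (not code from GitLab SAST or from the linked example project), this is the kind of check a scanner needs in order to flag the case described in this issue: a string literal assigned to a secret-looking constant such as API_KEY. The sample source, its identifier list and the placeholder key value are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample source file, not the example project's content.
# The API_KEY line is the hardcoded constant this issue expects a report
# to mention; DB_PASSWORD reads from the environment and should not be
# flagged; TIMEOUT is a short, non-secret literal that should also pass.
SAMPLE_SOURCE = '''
import os

API_KEY = "EXAMPLE-NOT-A-REAL-KEY-0000"   # hardcoded literal (placeholder value)
DB_PASSWORD = os.environ.get("DB_PASSWORD")  # value comes from the environment
TIMEOUT = "30"
'''

# Identifier fragments that commonly carry credentials (assumed list;
# the issue's own reproduction uses the name API_KEY).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.IGNORECASE)

# Matches NAME = "literal" or NAME = 'literal' on a single line.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["\'])(.*?)\2')


def find_hardcoded_secrets(source: str, min_len: int = 8) -> List[Tuple[int, str]]:
    """Return (line_number, identifier) for every assignment of a string
    literal to a secret-looking name. Literals shorter than min_len are
    skipped to reduce noise from values such as TIMEOUT = "30"."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(3)
        if SECRET_NAME.search(name) and len(value) >= min_len:
            findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: string literal assigned to secret-looking name {name}")
```

Run against the constructed sample it reports only the API_KEY line; a real scanner would add entropy checks and provider-specific key formats on top of this name-based heuristic.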
