SAST scans detect keys in a file which is no longer in the repo

Summary

SAST scans detect keys in a file which is no longer in the repo

Steps to reproduce

  1. Create a .env file in the repo and add some dummy secrets, such as an AWS access key
  2. Enable SAST scanning in the .gitlab-ci.yml file
  3. Run the CI/CD pipeline
  4. Review the security findings, which correctly detect the keys in the .env file
  5. Delete the .env file from the repo
  6. Run the CI/CD pipeline again
  7. Review the security findings, which incorrectly still detect the keys in the .env file that is no longer in the repo
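The steps above treat the second finding as a false positive; one check a practitioner would want before closing it as such is whether the deleted file's contents still exist in the git history, because a committed secret stays retrievable from history until the history is rewritten and the credential is rotated. The following shell script is an added example, not part of this issue or of GitLab's scanner; it assumes git is installed, and the key value is AWS's documented example access key ID, not a live credential.

```shell
#!/bin/sh
# Added example: reproduce the "secret in a deleted file" situation in a
# throwaway repo and check where the value can still be found.
# Constructed dummy value (AWS's published example key ID), not a real secret.
DUMMY_KEY="AKIAIOSFODNN7EXAMPLE"

# Commits .env containing the dummy key, deletes the file in a second commit,
# then reports whether the key is present in the working tree, in the tree of
# the current commit, and anywhere in the full history.
# Prints one line: "tree=<yes|no> head=<yes|no> history=<yes|no>".
secret_after_delete() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.email ci@example.invalid   # local identity for commits
        git config user.name "example"
        printf 'AWS_ACCESS_KEY_ID=%s\n' "$DUMMY_KEY" > .env
        git add .env
        git commit -q -m "add env"
        git rm -q .env                              # step 5 of the report
        git commit -q -m "remove env"
        tree=no; head=no; history=no
        [ -f .env ] && grep -q "$DUMMY_KEY" .env && tree=yes
        git grep -q "$DUMMY_KEY" HEAD 2>/dev/null && head=yes
        git log -p --all | grep -q "$DUMMY_KEY" && history=yes
        printf 'tree=%s head=%s history=%s\n' "$tree" "$head" "$history"
    )
    status=$?
    rm -rf "$repo"
    return $status
}

secret_after_delete
```

A scanner that only inspects the checked-out tree or the HEAD commit should report nothing after the deletion, while one that walks history will still see the value; the output tells you which of the two a finding is consistent with.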

Example Project

Gitlab.com project

What is the current bug behavior?

SAST incorrectly reports keys exposed in a file within the repo, even though the file is no longer present.

What is the expected correct behavior?

SAST should not detect keys in a file that is no longer in the repo.

Relevant logs and/or screenshots

May contain sensitive information. Omitted.

Output of checks

This bug happens on GitLab.com
