Why does GitHub not detect secrets in my repository

Question

The SAST scan has identified hardcoded passwords in my configuration and/or code files. Why does GitHub’s Secret Scanning tool not detect them as well?

Answer

GitHub’s Secret Scanning tool and SAST tools such as Fortify and CodeQL look for passwords and other credentials using different mechanisms.

A static analysis tool may look for a value being assigned to a variable or configuration directive with, for example, “password” or “key” in its name.

GitHub’s Secret Scanning tool, however, looks for values whose format is known to belong to a secret. This limits its detection to secret types that have a defined pattern which can be expressed as a regular expression; an arbitrary password has no such recognisable shape. For example, a GitHub token:

GitHub’s secret scanning tool is expanding to more generic credentials, but at the time of this writing, it is not enabled on VA repositories.
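The following added example, which is not code from GitHub, Fortify or CodeQL, makes the contrast above concrete: a pattern-based detector in the style of secret scanning and a name-based detector in the style of a SAST rule are run over the same constructed configuration lines. The token-shaped regular expression is an assumption for illustration, approximating the GitHub classic personal access token format (`ghp_` followed by 36 alphanumeric characters), not GitHub’s actual detection rule; the sample values are made up.

```python
"""Added illustration (not GitHub's, Fortify's or CodeQL's code): two toy detectors
run over constructed sample lines to show why a pattern-based secret scanner and a
name-based SAST check report different findings."""
import re

# Pattern-based detector, in the style of secret scanning: it fires only on values
# whose *shape* is known. The pattern is an assumption made for this example,
# approximating a GitHub classic personal access token ("ghp_" plus 36 alphanumeric
# characters); it is not GitHub's real detection rule.
KNOWN_SECRET_PATTERNS = {
    "github_pat_like": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Name-based detector, in the style of a SAST hardcoded-credential rule: it fires
# when a variable or directive with a credential-like name is assigned a literal.
SENSITIVE_NAME = re.compile(
    r"^\s*(?P<name>[A-Za-z_.-]*(?:password|passwd|secret|key|token)[A-Za-z_.-]*)"
    r"\s*[=:]\s*(?P<value>['\"]?[^'\"\s#]+['\"]?)",
    re.IGNORECASE,
)


def scan_by_pattern(lines):
    """Return (line_no, rule_name) for every line containing a known secret shape."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule, pat in KNOWN_SECRET_PATTERNS.items():
            if pat.search(line):
                hits.append((n, rule))
    return hits


def scan_by_name(lines):
    """Return (line_no, name) for every literal assigned to a credential-like name.

    Placeholder references such as ${DB_PASSWORD} are skipped, since the value
    is resolved at runtime rather than hardcoded.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = SENSITIVE_NAME.match(line)
        if m and not m.group("value").strip("'\"").startswith("${"):
            hits.append((n, m.group("name")))
    return hits


def missed_by_pattern_scanner(lines):
    """Line numbers the name-based check flags but the pattern-based one does not."""
    pattern_lines = {n for n, _ in scan_by_pattern(lines)}
    return [n for n, _ in scan_by_name(lines) if n not in pattern_lines]


# Constructed sample configuration; every value is made up, and only the last
# literal is shaped like the illustrative token pattern above.
SAMPLE = [
    "db.host = db.internal.example",
    "db.password = Winter2024!",
    "api_key: abc123-illustrative",
    "github_token = ghp_" + "a" * 36,
    "db.password = ${DB_PASSWORD}",
]

if __name__ == "__main__":
    print("pattern-based findings:", scan_by_pattern(SAMPLE))
    print("name-based findings:   ", scan_by_name(SAMPLE))
    print("caught only by name:   ", missed_by_pattern_scanner(SAMPLE))
```

The generic password on the second line and the key on the third have no distinguishable shape, so only the name-based rule reports them; the token-shaped value on the fourth line is reported by both. This is the gap the question describes, and it is why a SAST finding of a hardcoded credential should be triaged on its own merits rather than dismissed because secret scanning stayed quiet.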