As mentioned in the design considerations:
If a user uses the Security app to find a secret that was accidentally committed and then fixes the error by rewriting history, the secret should be gone entirely. We shouldn’t cache a copy of the offending secret in our own data structures, otherwise the secret would still be available to an attacker via our scan reports.
Unfortunately, we're currently caching the matched secrets inside InvalidLine.getLine. This is used when displaying the failures in the "Security Scan" page.
Instead of displaying the actual found secrets, we should just have a link to the corresponding filename and line number at the right commit sha1. The current UI has links to the files, but it uses the branch name instead of the actual commit hash – we should use the actual commit.
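A sketch of the proposed report shape, as an added example rather than the app's own code: each finding keeps only the commit sha1, path, line number and rule id, and the link is built from the commit hash. The `Finding` record, the `scan` method, the rule pattern and the URL layout are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SecretFreeReport {
    // Hypothetical finding: location and rule only, never the matched text.
    record Finding(String commit, String path, int lineNumber, String ruleId) {
        // Assumed URL layout; the commit hash pins the link, a branch name would drift.
        String link(String repoUrl) {
            return repoUrl + "/browse/" + path + "?at=" + commit + "#" + lineNumber;
        }
    }

    // Constructed rule for the demo: matches strings shaped like an AWS access key id.
    static final Pattern RULE = Pattern.compile("AKIA[0-9A-Z]{16}");

    static List<Finding> scan(String commit, String path, List<String> lines) {
        if (!commit.matches("[0-9a-f]{40}")) {
            throw new IllegalArgumentException("expected a full commit sha1, not a branch name");
        }
        List<Finding> findings = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            if (RULE.matcher(lines.get(i)).find()) {
                // The line content is dropped here, so the report cannot leak it later.
                findings.add(new Finding(commit, path, i + 1, "aws-access-key-id"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample input; the key is AWS's documented example value.
        String secret = "AKIAIOSFODNN7EXAMPLE";
        String commit = "0123456789abcdef0123456789abcdef01234567";
        List<String> lines = List.of("region=us-east-1", "aws_key=" + secret);
        List<Finding> report = scan(commit, "conf/app.properties", lines);
        for (Finding f : report) {
            System.out.println(f.link("https://git.example.test/repo"));
            if (f.toString().contains(secret)) {
                throw new AssertionError("report leaked the secret");
            }
        }
    }
}
```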