Checkmarx / 2ms

Too many secrets (2MS) helps people protect their secrets on any file or on systems like CMS, chats and git


Research: Github Code Scanning

baruchiro opened this issue · comments

This research should consider the entire flow of Github Code Scanning.

  • When are we identifying the secret in the first place? In a PR?
  • How does a finding in a PR become a Code Scanning issue (in the Security tab)?
  • How to dismiss a finding? What if the user deleted it in a commit, but didn't remove it from the history? Will it still be considered a Code Scanning issue?

for example (screenshot)

Originally posted by @jossef in #128 (comment)

Check the possibility of uploading a report to mark the secret on the code, like in Kics.

See why gitleaks is not using Github Code Scanning.

But we can do annotations like in Kics.

Originally posted by @baruchiro in #39 (comment)