SSN-shaped literal in a committed data file (heuristic)
Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A XXX-XX-XXXX value that survives SSA plausibility filtering (rejects all-zero groups and known placeholder numbers) was found in a non-test, non-fixture data file. Shape-based heuristic.
Why it matters
A value shaped like a Social Security Number sitting in a committed data file means real-looking identity data is in source control, where it stays in history forever even after the file is later deleted, and is visible to anyone with repository access including CI logs and forks. This check is a shape-based heuristic: it looks for the standard XXX-XX-XXXX pattern and filters out obviously fake numbers (all-zero groups, well-known placeholder SSNs), but it cannot confirm the value is a real person's number. Treat it as a prompt to check where the data came from, not a confirmed leak.
How to fix it
Replace the value with an obviously fake placeholder such as 000-00-0000 or a clearly labeled dummy string, and if this file was generated from a real data export, delete the export and confirm no real customer data was committed elsewhere in the project's history. Add data files like this to .gitignore going forward so seed data is generated locally rather than committed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo