From 3ab6f9e67366d63771854912dda5c75a32e529f4 Mon Sep 17 00:00:00 2001 From: "well-architected-sync-bot[bot]" <235114805+well-architected-sync-bot[bot]@users.noreply.github.com> Date: Mon, 30 Mar 2026 19:06:44 +0000 Subject: [PATCH] Sync from github/github-well-architected-internal (main) Source Repository: github/github-well-architected-internal Source Branch: main Source SHA: 9212fc583d437d014fd4f5721642198ffa0364d6 --- content/library/scenarios/anti-patterns.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/content/library/scenarios/anti-patterns.md b/content/library/scenarios/anti-patterns.md index 404fa3c..dda6ac4 100644 --- a/content/library/scenarios/anti-patterns.md +++ b/content/library/scenarios/anti-patterns.md 
@@ -251,3 +251,23 @@ Relying on human intervention for deployment. - Document any remaining manual processes thoroughly. By organizing anti-patterns into these clear categories and addressing their distinct aspects, teams can more systematically improve their GitHub practices. + +## Application Security Anti-Patterns + +### Detecting PII with secret scanning custom patterns + +Using GitHub secret scanning custom patterns to detect Personally Identifiable Information (PII) such as social security numbers, dates of birth, or government-issued identifiers in source code. + +**Why It's an Anti-Pattern** + +- Secret scanning is designed for credentials and tokens that can be revoked and rotated. PII such as social security numbers and dates of birth is permanent and cannot be rotated. +- When secret scanning detects a value, the alert stores and displays it so reviewers can assess the finding. Alerts cannot be deleted — only dismissed. Once PII triggers an alert, the sensitive data is permanently embedded in the alert record. This creates a second, unmanageable copy of the very data the organization intended to protect. +- Storing PII in non-deletable alert records creates compliance exposure under frameworks like GDPR (right to erasure), CCPA (right to deletion), HIPAA (disposal requirements), and PCI DSS (secure deletion mandates). + +**How to Avoid** + +- Keep secret scanning custom patterns focused on their intended purpose: detecting organization-specific credentials, API keys, and tokens that follow the detect-revoke-rotate lifecycle. +- Use purpose-built data loss prevention (DLP) tooling to detect PII in code. DLP tools support redaction, quarantine, and deletion capabilities that align with regulatory requirements. +- Deploy DLP tooling as pre-commit hooks to prevent PII from entering the repository in the first place. +- Audit existing custom patterns for any PII detection rules and remove them. 
When deleting a custom pattern entirely, the option to delete the existing alerts is provided. +- Document an organizational policy that explicitly defines which tools handle which data types: secret scanning for credentials, DLP tooling for PII.
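Review bot: The "Why It's an Anti-Pattern" bullet stating that alerts "cannot be deleted — only dismissed" and that PII is "permanently embedded in the alert record" contradicts the last "How to Avoid" bullet, which says that deleting a custom pattern entirely offers the option to delete its existing alerts. Suggest qualifying the first claim so the two agree, e.g. "Alerts cannot be deleted individually, only dismissed; they are removed only when the custom pattern itself is deleted, and dismissing an alert does not remove the stored value." Without that qualification, a reader may either believe remediation is impossible or doubt the audit-and-remove guidance. Two smaller points in the same hunk: the recommendation to "Deploy DLP tooling as pre-commit hooks" should note that client-side hooks are optional and easily bypassed, so a server-side check (in CI or as a required status check) is needed for the "prevent PII from entering the repository in the first place" goal to hold; and the regulatory references (GDPR, CCPA, HIPAA, PCI DSS) are stated in parentheses as specific obligations, so a link to the requirement being cited for each, or a softer "may create exposure under frameworks such as", would keep the section defensible.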