In interpreted languages like Python, where the source files are plaintext, you can trivially store data in a comment

If scanners ignored comments, malware would just be written like this:

  // <Evil base64 encoded stuff here>
  payload=read_source_and_decode()
  exec(payload)