Most security code scanning I am aware of does AST parsing of actual code before analysis; the comments won't even make it to the LLM. That said, embedded strings could cause this type of false denial, but even so, the errors would be raised in the pipeline for human-in-the-loop security analysis. If anything, it might get a faster reaction in some environments because it causes faults in the analysis pipeline.