The GENERIC_PASSWORD rule is off by default because it’s a bit different than the other rules – rather than matching a very specific key type, with minimal false positives, it searches for general occurrences and variations of the term “password”. This rule is meant to catch the unintentional use of passwords in code or documentation.

However, due to its broad nature, this rule generates many false positives; to enable it would require your organization to set up a process to review and disposition them. We feel that you would better know if your organization would have the resources available for such a process.