We recently audited Akraino's repos, and found quite a few places where DCOs had been missed during a period where enforcement was disabled. The way the DCO check currently works, once these are fixed with external files, it will still show these SHAs as unsigned. The scan should include files that certify commits after the fact.