@David Thanks. I suspected it might be a false positive. What I was trying to illustrate is that the Github login appears to have CSRF protection, while the local login does not. I do not see any csrf_detected notifications in the log when using the local login.
I need to prove to the security team that the /login page is actually protected.