Thank you for your message, and welcome to SonarSource community.
The false-positive you are mentioning used to be a true-positive. However, the specification of the rule happened to change in the meantime; using SHA-256 should no longer be reported as sensitive as you rightfully pointed out.
We already have a ticket to fix this inconsistency but haven’t had the opportunity to address it yet. It remains in our pipe and we will tackle this false-positive as soon as possible.