There is a false positive trigger on Blob Storage Emulator storage account key. Our unit testing code hard codes in the blob storage emulator account key, but these are publicly available credentials that are used to connect to a locally running emulator so it is not a security threat. I would suggest putting in an exception to the rule for this specific account key so that it doesn’t trigger the vulnerability scanner.
It also might be worth noting that I can’t actually override the policy or mark it as a false positive on our scan, which is frustrating. I don’t know if this is just how our SonarQube instance is setup, I lack the permissions, or if it is something specific to this policy.