Glad nothing serious turned up.
I'm still working on the best way to flag issues as false positives or do-not-report, but hopefully that will be a solved problem soon. In the meantime, Config issues are fortunately pretty easy to ignore without unintended consequences:
$ mix sobelow -i Config.HTTPS
I believe that is a warning from your project, which is getting dumped into the scan output. It can be a fairly annoying issue on projects that generate a large number of warnings, so it's at the top of my list of things to try and mitigate.
It doesn't seem to be a major issue for you, since you don't have a large number of warnings or findings, but something I've done is > findings into a gitignored file, which shouldn't contain any of the warnings.
I don't want to recommend this practice generally since a small mistake could mean committing a list of vulnerabilities or otherwise private information, but that's what I've been doing until I figure out a better solution.
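One way to guard the redirect described above against an accidental commit, as an added example that is not part of the original post or of Sobelow. The file name `sobelow-findings.txt` and the function names are assumptions, and it relies on the project's warnings going to stderr, as the post implies.

```shell
# Added example: write scan findings to a file only when git already ignores
# that file. Names here (is_ignored, save_findings, sobelow-findings.txt) are
# hypothetical and chosen for illustration.

# Succeeds only if the path is inside a git work tree and matched by an ignore
# rule. A path that is already tracked is not reported as ignored, so a
# findings file that was committed by mistake is refused as well.
is_ignored() {
    git check-ignore -q -- "$1" 2>/dev/null
}

# Usage: save_findings <output-file> <command> [args...]
# Runs the command with stdout redirected into the output file. stderr is left
# alone, so anything the command writes there stays on the terminal and out of
# the file.
save_findings() {
    out=$1
    shift
    if ! is_ignored "$out"; then
        echo "refusing to write $out: not covered by an ignore rule" >&2
        return 2
    fi
    "$@" > "$out"
}

# Typical call from the project root, after adding the file to .gitignore:
#   save_findings sobelow-findings.txt mix sobelow
```

The check runs before the redirect, so a refused path is never created or truncated.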