Session secret should not be included in version control
Category description: Session cookies should be HTTP-only, with a key of at least 30 characters; secret_token shouldn't be included in version control systems.
Solution: fix the issue in config/initializers/secret_token.rb or mark it as false positive.
create_with is vulnerable to strong params bypass. Upgrade to Rails 4.1.5 or patch
Category description: Unprotected model attributes give an attacker a way to rewrite them, e.g., to change the admin flag to true.
Solution: fix the issue in Gemfile or mark it as false positive.