False positive: ways for environment variable specification

[ofai-austria]

One of the standard ways to avoid having secrets verbatim in code is by specifying an environment or config variable instead which holds the secret.
For example a config file or code may contain something like api_key_env = "MY_SECRET1"

It seems that all such or similar occurrences are flagged by default.

I think these should get suppressed or be made very easily suppressable becayse they are such frequent patterns of how things are done in many libraries.