That particular message in Brakeman was silenced for me when I put secret information into ENV variables, as you mentioned. Personally, I like to use the Figaro gem for this, but I think dotenv is popular as well.
Some other resources that may be of interest to you regarding this are:
- Code Climate blog entry: Rails Insecure Defaults
- StackOverflow thread: What should be removed from public source control in Ruby on Rails?
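An added example illustrating the pattern the answer above describes (moving a hard-coded secret into ENV and loading it from a `.env`-style file). This is not code from the answer, from Brakeman, or from the Figaro/dotenv gems: the parser is a simplified, hypothetical stand-in for what those gems do, the sample `.env` content and the `AKIA_PLACEHOLDER` value are constructed, and `fetch_secret`, `insecure_config` and `secure_config` are names chosen for this illustration.

```ruby
# Added example: keep secrets out of source by reading them from the
# environment, the pattern that satisfies Brakeman's hard-coded-secret check.
# The .env parser below is a simplified, hypothetical stand-in for the
# dotenv/Figaro gems; it is not their code.

# Constructed sample .env content, the kind of file kept out of version control.
SAMPLE_DOTENV = <<~DOTENV
  # comments and blank lines are ignored
  SECRET_KEY_BASE=0123456789abcdef
  SMTP_PASSWORD="quoted value with spaces"
  export AWS_ACCESS_KEY_ID=AKIA_PLACEHOLDER

  MALFORMED LINE WITHOUT EQUALS
DOTENV

# Parse KEY=value lines into a Hash. Supports an optional "export " prefix and
# single- or double-quoted values; comments and malformed lines are skipped.
def parse_dotenv(text)
  text.each_line.with_object({}) do |raw, vars|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    m = line.match(/\A(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)\z/)
    next unless m
    key, value = m[1], m[2].strip
    if value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
      value = value[1..-2] # strip matching surrounding quotes
    end
    vars[key] = value
  end
end

# Merge parsed variables into an ENV-like hash without overriding values the
# real environment already set (the usual dotenv behaviour).
def load_dotenv(text, env)
  parse_dotenv(text).each { |k, v| env[k] = v unless env.key?(k) }
  env
end

# Fail-closed lookup: a missing or blank secret raises at boot rather than
# letting the application start with an empty key.
class MissingSecret < StandardError; end

def fetch_secret(env, name)
  value = env[name]
  raise MissingSecret, "#{name} is not set" if value.nil? || value.strip.empty?
  value
end

# Before: the shape Brakeman flags, a literal secret committed with the code.
def insecure_config
  { secret_key_base: "0123456789abcdef" } # hard-coded secret (constructed value)
end

# After: the same config sourced from the environment.
def secure_config(env)
  { secret_key_base: fetch_secret(env, "SECRET_KEY_BASE") }
end

if __FILE__ == $PROGRAM_NAME
  env = load_dotenv(SAMPLE_DOTENV, { "SMTP_PASSWORD" => "from-real-env" })
  puts secure_config(env).inspect
  puts env["SMTP_PASSWORD"] # the real environment wins over the .env file
end
```

In a Rails app the `env` argument would be the real `ENV`; the hash stand-in here keeps the example runnable offline and makes the precedence rule (real environment over `.env` file) easy to check.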