Results such as the following aren't necessarily warnings, they may reflect proper security applied to an API key. Generally, it's best not to expose a key but this can be difficult in some web site scenarios or when embedding a key in a mobile app (even in this latter case, though, Google recommends encrypting or obfuscating).
For these use cases, an API key should be restricted, for example, by applying a referer filter or enforcing a check against the mobile app identity. When our validator detects these conditions today, we fire warnings but arguably, these are 'pass' conditions! :)
e:\repros\test.txt(3,1-40): warning SEC101/003: 'test.txt' contains an apparent Google API key, the validity of which could not be determined by runtime analysis (an unexpected exception was caught attempting to validate api key: RequestDenied: API keys with referer restrictions cannot be used with this API).
e:\repros\test.txt(6,1-40): warning SEC101/003: 'test.txt' contains an apparent Google API key, the validity of which could not be determined by runtime analysis (an unexpected exception was caught attempting to validate api key: RequestDenied: This IP, site or mobile application is not authorized to use this API key. Request received from IP address 2601:600:877f:8c60:3033:d967:d038:6ee3, with empty referer).