Does cloudflare protect against BREACH attacks?
Vulnerability scanners can be wrong. They often detect only the circumstances around a vulnerability, like compression, without actually testing to see if that circumstance is vulnerable. It's up to you to verify the validity of each detection presented by your scanner. To do this, you would have to launch a BREACH attack against CloudFlare. Please do not do this without clearing it with their security team first. You would be seen as a real threat if you performed penetration testing without permission. This is illegal in most jurisdictions.
This question can only be answered by their support team. In this case, you already have their answer. They have implemented a mitigation and they have verified it internally.
Cloudflare has patched all servers against these vulnerabilities. Also, the Cloudflare WAF has rules to mitigate several of these vulnerabilities including Heartbleed and ShellShock.
Close this item in your scanner as a False Positive.