CodeThreat’s AI automatically analyzes violations to identify and filter false positives, reducing alert fatigue and allowing you to focus on real security issues.

How False Positive Elimination Works

False Positive Elimination is the only agentic feature that runs after deterministic SAST analysis: it takes the findings produced by the deterministic SAST engine and re-examines each one to decide whether it is actually exploitable.

Note: False Positive Elimination only works on deterministic SAST results. SCA, Secrets Detection, and IaC Security findings are produced by deterministic CVE matching and pattern detection, so they are not filtered. Other agentic features (Agentic SAST, PR Reviews) are separate capabilities that do not depend on deterministic scanning.

Enable False Positive Elimination

1. Open Repository Settings

Navigate to Repository Settings → AI Features.

2. Enable FP Elimination

Toggle False Positive Elimination to enabled.

3. Choose Filtering Level

Select aggressiveness:
  • Conservative: Only filter obvious false positives
  • Balanced: Recommended default setting
  • Aggressive: More aggressive filtering

4. Save and Rescan

Save settings and trigger a new scan.

Filtering Levels

Conservative

Filters only extremely obvious false positives. Use when you want maximum sensitivity.

Balanced

Filters false positives with high confidence. Optimal for most teams.

Aggressive

Filters any violation the AI suspects might be a false positive. Use when overwhelmed with findings.

Start with Balanced. If you are still seeing too many false positives, increase to Aggressive. If you are concerned about missing issues, decrease to Conservative.

What the AI Checks

Input Validation

AI looks for type checking, regex validation, whitelists, range validation, and length limits.

Framework Protections

AI recognizes Django ORM, React JSX escaping, Rails sanitization, Spring Security, and more.

Dataflow Analysis

AI tracks where data comes from, what transformations are applied, and whether sanitization occurs.

Dead Code Detection

AI identifies unreachable code and test-only code paths.
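The following is an added example written for this page; it is not CodeThreat code and was not part of the original documentation. It makes the checks above concrete in Python: three lookups that a pattern-based SAST rule would flag identically, because each concatenates a username into a SQL string, and a small probe that does what a reviewer should do before accepting a "Likely False Positive" verdict, namely push a real payload through the flagged path and see whether behaviour changes. The table, sample rows, regex, the `LEGACY_LOOKUP_ENABLED` constant and all function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the example; not taken from any real system.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# Whitelist: letters, digits and underscore, 1-32 characters. Quotes, spaces and
# comment sequences cannot pass, so nothing that breaks out of a SQL string literal can.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

LEGACY_LOOKUP_ENABLED = False  # hypothetical build-time constant; never True in shipped code


def open_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_email_unvalidated(conn, username):
    """Genuine finding: the caller's string reaches the query with nothing constraining it."""
    query = f"SELECT email FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_email_validated(conn, username):
    """Same sink and same pattern match as above, but a regex whitelist sits on the
    dataflow path first (the 'input validation' case). The concatenation is still poor
    practice, yet no injection payload can reach it."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must match [A-Za-z0-9_]{1,32}")
    query = f"SELECT email FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_email_with_dead_branch(conn, username):
    """'Dead code' case: the concatenating branch is guarded by a constant that is always
    False, so the flagged line is unreachable; the live path is parameterized."""
    if LEGACY_LOOKUP_ENABLED:
        query = f"SELECT email FROM users WHERE name = '{username}'"  # unreachable
        return [row[0] for row in conn.execute(query)]
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (username,))]


# Classic tautology payload: closes the string literal and appends an always-true condition.
INJECTION_PAYLOAD = "' OR '1'='1"


def is_exploitable(lookup, conn):
    """Probe a flagged lookup: compare a legitimate call with the payload. True means the
    payload changed the result set (a real finding); False means it was rejected upstream
    or had no effect at the sink."""
    baseline = lookup(conn, "alice")
    try:
        attacked = lookup(conn, INJECTION_PAYLOAD)
    except ValueError:
        return False  # validation rejected the payload before it reached the sink
    return len(attacked) > len(baseline)


def triage(conn):
    """Map each flagged function to the verdict a reviewer would record."""
    flagged = {
        "find_email_unvalidated": find_email_unvalidated,
        "find_email_validated": find_email_validated,
        "find_email_with_dead_branch": find_email_with_dead_branch,
    }
    return {name: ("real" if is_exploitable(fn, conn) else "likely false positive")
            for name, fn in flagged.items()}


if __name__ == "__main__":
    for name, verdict in triage(open_db()).items():
        print(f"{name}: {verdict}")
```

Two caveats a practitioner should keep in mind. First, "likely false positive" here means not exploitable as written, not that the code is sound: the regex-guarded version is one refactor away from becoming the unvalidated one, so the right follow-up is still to parameterize the query rather than to suppress the finding. Second, the probe only tries one payload against one sink; it is a spot check on the AI's verdict, not a replacement for reading the dataflow yourself.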

AI Learning

The AI learns from your codebase:
  • Pattern recognition: Identifies your validation patterns
  • Framework usage: Understands how you use frameworks
  • False positive patterns: Learns what you consider false positives
  • Continuous improvement: Gets better with each scan

Results

After AI analysis, each violation is marked with one of the following:
  • Reviewed by AI: the AI examined the finding and judged it to be a real issue
  • ⚠️ Likely False Positive: the AI concluded the finding is not exploitable
  • 🔍 Needs Human Review: the AI could not reach a determination automatically

Best Practices

  • Enable false positive elimination for all repositories
  • Start with Balanced filtering level
  • Review AI-filtered items periodically
  • Provide feedback on AI decisions
  • Monitor false positive rate over time

Next Steps