What Are False Positives?
A false positive is a violation reported by a security tool that isn’t actually exploitable or doesn’t represent a real security risk.
Common Causes
- Validation Not Detected: the input is validated, but the tool doesn’t recognize the validation pattern
- Framework Protection: the framework provides automatic protection, but the tool doesn’t know about it
- Test Code: security rules flag test or mock code
- Context Misunderstood: the tool lacks context about how the code is used
Examples
Framework Auto-Escaping
Input Validation
user_id is validated to contain only digits before it reaches the query, so SQL injection is impossible.
Identifying False Positives
Ask these questions:
- Is input validated? Check whether the input is validated before it reaches the sink.
- Does the framework protect? Check whether the framework provides automatic protection.
- Is this production code? Check whether the code lives in test or mock directories.
- Is the context different? Consider the full execution path and infrastructure protections.
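The Input Validation example above and the first triage question (is the input validated before the sink?) are easiest to reason about with the code in front of you. The following is an added example, not code from the page or from CodeThreat: a constructed SQLite lookup whose string-built query is exactly the kind of line a SAST rule reports, the digit-only allowlist (the same `^[0-9]+$` pattern a justification would cite) that runs before it, a deliberately weaker `re.match` variant a reviewer should check for when verifying such a justification, and the parameterized form that needs no suppression at all. All function names and the sample table are assumptions.

```python
import re
import sqlite3

# Constructed example (not CodeThreat code): the sink a scanner flags, the
# allowlist check that runs before it, and the parameterized form a reviewer
# should prefer over a suppression.

# Digit-only allowlist, the same pattern a suppression justification would cite.
USER_ID_RE = re.compile(r"^[0-9]+$")


def is_valid_user_id(value: str) -> bool:
    """Allowlist check that makes the string-built query below unexploitable.

    fullmatch() is used on purpose: with re.match(), the `$` anchor also
    matches just before a trailing newline, so "1\\n" would slip through.
    """
    return USER_ID_RE.fullmatch(value) is not None


def legacy_is_valid_user_id(value: str) -> bool:
    """The same regex applied with re.match(): accepts "1\\n" (see above).

    A reviewer verifying a suppression should confirm the validation has no
    gap like this before accepting "validated with ^[0-9]+$" as justification.
    """
    return re.match(r"^[0-9]+$", value) is not None


def build_user_query(user_id: str) -> str:
    """String concatenation into SQL: the line a SAST rule reports.

    Because is_valid_user_id() runs first, user_id can only be digits, so the
    report is a false positive; that is what the suppression justification records.
    """
    if not is_valid_user_id(user_id):
        raise ValueError("user_id must contain only digits")
    return f"SELECT name FROM users WHERE id = {user_id}"


def lookup_user_validated(conn: sqlite3.Connection, user_id: str):
    """The flagged path: validated input, then string-built SQL."""
    return conn.execute(build_user_query(user_id)).fetchone()


def lookup_user_parameterized(conn: sqlite3.Connection, user_id: str):
    """Preferred fix: a bound parameter removes the finding instead of suppressing it."""
    if not is_valid_user_id(user_id):
        raise ValueError("user_id must contain only digits")
    return conn.execute(
        "SELECT name FROM users WHERE id = ?", (int(user_id),)
    ).fetchone()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def is_rejected(conn: sqlite3.Connection, user_id: str) -> bool:
    """True when the validated path refuses the input before it reaches SQL."""
    try:
        lookup_user_validated(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_user_validated(db, "1"))        # ('alice',)
    print(lookup_user_parameterized(db, "2"))    # ('bob',)
    for bad in ("1 OR 1=1", "1; DROP TABLE users", "1\n"):
        print(repr(bad), "rejected:", is_rejected(db, bad))
```

The point for triage: the string-built query in `build_user_query` is only a false positive while `is_valid_user_id` stays in front of it, which is why the justification should name the validating function or line and why suppressions need re-review when that code changes. The `legacy_is_valid_user_id` variant shows the check worth making before accepting a "validated with regex" justification: the same pattern applied with `re.match` accepts a trailing newline.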
AI-Powered False Positive Elimination
CodeThreat’s AI automatically analyzes violations to identify false positives.
How AI Helps
1. Context Analysis: the AI examines the full code context, not just the flagged line
2. Dataflow Tracking: the AI traces data from source to sink across files
3. Framework Understanding: the AI recognizes framework-specific security controls
4. Pattern Learning: the AI learns your codebase patterns and improves over time
5. Automatic Marking: the AI marks likely false positives with a justification
Enable AI Filtering
1. Open Repository Settings: Repository → Settings → AI Features
2. Enable False Positive Elimination: toggle False Positive Elimination to enabled
3. Configure Aggressiveness: choose a filtering level:
   - Conservative: only obvious false positives
   - Balanced: default (recommended)
   - Aggressive: filter more aggressively
4. Save and Rescan: save the settings and trigger a new scan
Manual Suppression
When the AI doesn’t catch a false positive, suppress it manually.
How to Suppress
1. Open Violation: click the false positive violation
2. Click Suppress: click the Suppress button
3. Provide Justification: required; explain why this is a false positive
   Good examples:
   - “Input validated on line 42 with regex ^[0-9]+$ before use”
   - “React automatically escapes JSX expressions, not vulnerable to XSS”
   - “Test code using mock credentials, not production secret”
   Poor examples:
   - “False positive” (not specific)
   - “This is fine” (no explanation)
   - “Low priority” (not a justification)
4. Confirm: click Suppress to save
Suppression Best Practices
- Be specific: Explain exactly why it’s a false positive
- Reference code: Mention line numbers or functions
- Provide evidence: Link to framework documentation if relevant
- Review periodically: Revisit suppressions when code changes
- Don’t suppress to hit metrics: Only suppress genuine false positives
Suppression justifications help the AI learn. Detailed explanations improve future false positive filtering.
Bulk Suppression
Suppress multiple similar false positives at once:
- Filter violations to show only those you want to suppress
- Select violations using checkboxes
- Click Bulk Actions → Suppress Selected
- Provide justification
- Review count and click Suppress All
Reviewing Suppressions
Periodically review suppressions to ensure they’re still valid:
- Filter by Status = Suppressed
- Sort by date suppressed (oldest first)
- Read suppression justifications
- Verify they’re still valid
- Unsuppress if code changed or justification invalid
Best Practices
- Enable AI false positive elimination
- Provide detailed suppression justifications
- Review suppressions quarterly
- Don’t suppress to game metrics
- Focus on prevention over suppression
