SAST false positive detection

  • Tier: Ultimate
  • Add-on: GitLab Duo Core, Pro, or Enterprise
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
  • Status: Beta

When a static application security testing (SAST) scan runs, GitLab Duo automatically analyzes each Critical and High severity SAST vulnerability to determine the likelihood that it is a false positive. Detection is available for vulnerabilities from GitLab-supported SAST analyzers.

The GitLab Duo assessment includes:

  • Confidence score: A numerical score indicating the likelihood that the finding is a false positive.
  • Explanation: Contextual reasoning about why the finding may or may not be a true positive, based on code context and vulnerability characteristics.
  • Visual indicator: A badge in the vulnerability report showing the false positive assessment.

The detection runs automatically after each security scan with no manual triggering required.

Results are based on AI analysis and should be reviewed by security professionals. The feature requires GitLab Duo with an active subscription.

Automatic detection

False positive detection runs automatically when:

  • A SAST security scan completes successfully on the default branch.
  • The scan detects Critical or High severity vulnerabilities.
  • GitLab Duo features are enabled for the project.

The analysis happens in the background and results appear in the vulnerability report once processing is complete.

Manual trigger

You can manually trigger false positive detection for existing vulnerabilities:

  1. On the top bar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select the vulnerability you want to analyze.
  4. In the upper-right corner, select Check for false positive to trigger false positive detection.

The GitLab Duo analysis runs and results are displayed on the vulnerability details page.

Configuration

To use false positive detection, you must have:

  • A GitLab Duo add-on subscription (GitLab Duo Core, Pro, or Enterprise).
  • GitLab Duo enabled in your project or group.
  • GitLab 18.7 or later.

Enable false positive detection

False positive detection is turned off by default. You can enable it for an instance, group, or project. When you enable the setting for an instance or group, the setting applies to all of its descendant groups and projects.

Recommended: Enable the setting at the group level so that it applies to all projects in that group.

To enable false positive detection for all projects in a group:

  1. On the left sidebar, select Search or go to and find your group.
  2. Select Settings > GitLab Duo.
  3. Select Change configuration.
  4. Select the Turn on SAST false positive detection checkbox.
  5. Select Save changes.

This setting applies to all descendant projects in the group. Individual projects can override this setting if they need to disable it.

Enable for a project

To enable false positive detection for a specific project:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Settings > General.
  3. Expand GitLab Duo.
  4. Turn on the Turn on SAST false positive detection toggle.
  5. Select Save changes.

Enable for an instance

GitLab administrators can enable false positive detection for the entire instance:

  1. On the left sidebar, select Admin Area.
  2. Select Settings > General.
  3. Expand GitLab Duo.
  4. Select the Turn on SAST false positive detection checkbox.
  5. Select Save changes.

False positive detection works automatically with your existing SAST scanners when enabled for an instance, group, or project.

Confidence scores

The confidence score estimates how likely the GitLab Duo assessment is to be correct:

  • Likely false positive (80-100%): GitLab Duo is highly confident that the finding is a false positive.
  • Possible false positive (60-79%): GitLab Duo has reasonable confidence that the finding may be a false positive but recommends manual review.
  • Likely not a false positive (<60%): GitLab Duo is not confident that the finding is a false positive. Manual review is strongly recommended before you dismiss the vulnerability.

Dismissing false positives

When the GitLab Duo analysis identifies a vulnerability as a false positive, you have two options:

Option 1: Dismiss the vulnerability

  1. On the top bar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select the vulnerability you want to dismiss.
  4. Select Change status.
  5. From the Status dropdown list, select Dismissed.
  6. From the Set dismissal reason dropdown list, select False positive.
  7. In the Add a comment input, provide context about why you’re dismissing it as a false positive.
  8. Select Change status.

The vulnerability is marked as dismissed and does not appear in future scans unless it is reintroduced.

Option 2: Remove the false positive flag

If you want to remove the false positive assessment and keep the vulnerability:

  1. On the top bar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Locate the vulnerability with the false positive flag.
  4. Hover over the false positive badge on the vulnerability.
  5. Select Remove False Positive Flag.

The false positive flag is removed and the false positive confidence score reverts to 0. The vulnerability remains in the report and can be re-evaluated in future scans.

Providing feedback

False positive detection is a beta feature and we welcome your feedback. If you encounter issues or have suggestions for improvement, please provide feedback in issue 583697.