SAST False Positive Detection
- Tier: Ultimate
- Add-on: GitLab Duo Core, Pro, or Enterprise
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
- Status: Beta
When a SAST (Static Application Security Testing) scan runs, GitLab Duo automatically analyzes each Critical and High severity SAST vulnerability to estimate the likelihood that it is a false positive. Detection is available for vulnerabilities reported by GitLab-supported SAST analyzers.
The GitLab Duo assessment includes:
- Confidence score: A numerical score indicating the likelihood that the finding is a false positive.
- Explanation: Contextual reasoning about why the finding may or may not be a true positive, based on code context and vulnerability characteristics.
- Visual indicator: A badge in the vulnerability report showing the false positive assessment.
Detection runs automatically after each qualifying SAST scan (see Automatic detection below); no manual trigger is required.
Results are produced by AI analysis and are advisory: a security professional should review them before acting on them, in particular before dismissing a finding. The feature requires GitLab Duo with an active subscription.
Automatic detection
False positive detection runs automatically when:
- A SAST security scan completes successfully on the default branch.
- The scan detects Critical or High severity vulnerabilities.
- GitLab Duo features are enabled for the project.
The analysis happens in the background and results appear in the vulnerability report once processing is complete.
Manual trigger
You can manually trigger false positive detection for existing vulnerabilities:
- On the left sidebar, select Search or go to and find your project. If you’ve turned on the new navigation, this field is on the top bar.
- Select Secure > Vulnerability report.
- Select the vulnerability you want to analyze.
- In the upper-right corner, select Check for false positive to trigger false positive detection.
The GitLab Duo analysis runs and results are displayed on the vulnerability details page.
Configuration
To use false positive detection, you must have:
- A GitLab Duo add-on subscription (GitLab Duo Core, Pro, or Enterprise).
- GitLab Duo enabled in your project or group.
- Use Duo SAST False Positive Detection enabled for your project in Settings > General > GitLab Duo.
- GitLab 18.7 or later.
Beyond these prerequisites, no additional configuration is required. The feature works with your existing SAST scanners and CI/CD configuration.
Confidence scores
The confidence score estimates how likely it is that the finding is a false positive, and is reported in one of three bands:
- Likely false positive (80-100%): GitLab Duo is highly confident that the finding is a false positive. Verify the finding against the code before dismissing it; the score is an estimate, not a proof.
- Possible false positive (60-79%): GitLab Duo has reasonable confidence that the finding may be a false positive, but recommends manual review.
- Likely not a false positive (0-59%): GitLab Duo is not confident that the finding is a false positive. Treat it as a real finding; manual review is strongly recommended before you dismiss the vulnerability.
Dismissing false positives
When the GitLab Duo analysis identifies a vulnerability as a false positive, you have two options:
Option 1: Dismiss the vulnerability
- On the top bar, select Search or go to and find your project.
- Select Secure > Vulnerability report.
- Select the vulnerability you want to dismiss.
- Select Change status.
- From the Status dropdown list, select Dismissed.
- From the Set dismissal reason dropdown list, select False positive.
- In the Add a comment input, provide context about why you’re dismissing it as a false positive.
- Select Change status.
The vulnerability status is set to Dismissed, with the reason False positive and your comment recorded on the vulnerability. It does not reappear as an open finding in future scans unless it is reintroduced.
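The dismissal steps above are a manual, one-vulnerability-at-a-time procedure. When a scan produces many Critical and High findings, it helps to bucket them by the confidence bands described under Confidence scores and to script the dismissal of the ones a reviewer has signed off on. The following is an added example and is not GitLab's own code. It assumes a hand-constructed list of findings whose `fp_confidence` value you copy from the vulnerability report (the field name is this example's, not an API field), and it uses the `vulnerabilityDismiss` GraphQL mutation with `dismissalReason: FALSE_POSITIVE` as documented in the GitLab GraphQL reference; check that mutation against your instance's version before relying on it.

```python
"""Bucket SAST findings by GitLab Duo false positive confidence and build
the GraphQL dismissal request for the ones a reviewer has approved.

Added example, not GitLab's own code. Assumptions: the finding records are
constructed by hand (the `fp_confidence` key is this script's, filled from
the vulnerability report); the `vulnerabilityDismiss` mutation and its
`FALSE_POSITIVE` dismissal reason follow the GitLab GraphQL reference.
"""
import json
import os
import urllib.request

LIKELY = "Likely false positive"          # 80-100%
POSSIBLE = "Possible false positive"      # 60-79%
UNLIKELY = "Likely not a false positive"  # 0-59%
NOT_ANALYSED = "Not analysed"             # below High, or no score yet


def classify(confidence: int) -> str:
    """Map a 0-100 confidence score onto the three bands from the docs."""
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence out of range: {confidence}")
    if confidence >= 80:
        return LIKELY
    if confidence >= 60:
        return POSSIBLE
    return UNLIKELY


def triage(findings):
    """Bucket findings. Only Critical and High findings are analysed by Duo;
    everything else is kept in its own bucket so it is never silently dropped."""
    buckets = {LIKELY: [], POSSIBLE: [], UNLIKELY: [], NOT_ANALYSED: []}
    for f in findings:
        if f["severity"] not in ("CRITICAL", "HIGH") or f.get("fp_confidence") is None:
            buckets[NOT_ANALYSED].append(f)
            continue
        buckets[classify(f["fp_confidence"])].append(f)
    return buckets


DISMISS_MUTATION = """
mutation($id: VulnerabilityID!, $comment: String!) {
  vulnerabilityDismiss(input: {id: $id, comment: $comment, dismissalReason: FALSE_POSITIVE}) {
    errors
    vulnerability { id state }
  }
}
"""


def build_dismissal(finding, reviewer, justification):
    """Build the request body for one dismissal. The comment records who
    reviewed the finding and why, the same context the UI's comment field asks for."""
    comment = (f"Dismissed as false positive after manual review by {reviewer}. "
               f"Duo confidence {finding['fp_confidence']}%. {justification}")
    return {"query": DISMISS_MUTATION,
            "variables": {"id": finding["id"], "comment": comment}}


def send(body, base_url="https://gitlab.example.com", token=None):
    """POST a request body to the GraphQL endpoint. Not called in the demo;
    needs a token with the api scope (hypothetical host above)."""
    token = token or os.environ["GITLAB_TOKEN"]
    req = urllib.request.Request(f"{base_url}/api/graphql",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample, not real scan output. IDs use GitLab's global ID format.
SAMPLE = [
    {"id": "gid://gitlab/Vulnerability/101", "severity": "CRITICAL", "fp_confidence": 92,
     "name": "SQL injection in report export"},
    {"id": "gid://gitlab/Vulnerability/102", "severity": "HIGH", "fp_confidence": 65,
     "name": "Path traversal in file download"},
    {"id": "gid://gitlab/Vulnerability/103", "severity": "HIGH", "fp_confidence": 12,
     "name": "Command injection in build script"},
    {"id": "gid://gitlab/Vulnerability/104", "severity": "MEDIUM", "fp_confidence": None,
     "name": "Weak hash in cache key"},
]

if __name__ == "__main__":
    buckets = triage(SAMPLE)
    for tier, items in buckets.items():
        print(f"{tier}: {[i['name'] for i in items]}")
    # Even the 'likely' band goes through a human reviewer; a dismissal body
    # is built only for IDs the reviewer has approved.
    approved = {"gid://gitlab/Vulnerability/101"}
    for f in buckets[LIKELY]:
        if f["id"] in approved:
            body = build_dismissal(f, "alice", "Query is parameterised upstream.")
            print(json.dumps(body, indent=1))  # send(body) to apply it
```

The script deliberately never calls `send()` without a reviewer's approved set: the page's own guidance is that the score is advisory, so the "likely" band is a review queue, not an auto-dismiss list.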
Option 2: Remove the false positive flag
If you want to remove the false positive assessment and keep the vulnerability:
- On the top bar, select Search or go to and find your project.
- Select Secure > Vulnerability report.
- Locate the vulnerability with the false positive flag.
- Hover over the false positive badge on the vulnerability.
- Select Remove False Positive Flag.
The false positive flag is removed and the false positive confidence score reverts to 0. The vulnerability remains in the report with its current status and can be re-evaluated in future scans.
Providing feedback
False positive detection is a beta feature and we welcome your feedback. If you encounter issues or have suggestions for improvement, provide feedback in issue 583697.