The official documentation is the English version; this Japanese translation was produced with AI-assisted translation and is provided for reference only. Because parts of the Japanese translation have not yet been reviewed by a human, it may differ from the English version depending on when the translation was made. For the latest and most accurate information, refer to the English version.

SAST False Positive Detection

  • Tier: Ultimate
  • Add-on: GitLab Duo Core, Pro, or Enterprise
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
  • Status: Beta

SAST false positive detection automatically analyzes critical and high severity SAST vulnerabilities to identify potential false positives. This reduces noise in your vulnerability report by flagging vulnerabilities that are likely not actual security risks.

When a SAST security scan runs, GitLab Duo automatically analyzes each vulnerability to determine the likelihood that it’s a false positive. Detection is available for vulnerabilities from GitLab-supported SAST analyzers.

The GitLab Duo assessment includes:

  • Confidence score: A numerical score indicating the likelihood that the finding is a false positive.
  • Explanation: Contextual reasoning about why the finding may or may not be a true positive.
  • Visual indicator: A badge in the vulnerability report showing the assessment.

Results are based on AI analysis and should be reviewed by security professionals. This feature requires GitLab Duo with an active subscription.

Running SAST false positive detection

The detection flow runs automatically when:

  • A SAST security scan completes successfully on the default branch.
  • The scan detects Critical or High severity vulnerabilities.
  • GitLab Duo features are enabled for the project or group.

You can also manually trigger analysis for existing vulnerabilities:

  1. On the left sidebar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select the vulnerability you want to analyze.
  4. In the upper-right corner, select Check for false positive.