Safeguard
FAQ

False Positives in Security Scanning FAQ

Why security scanners produce so many false positives, what actually counts as one, and how reachability analysis and context reduce the noise. A practical FAQ.

Safeguard Team
Product & Security
6 min read

A false positive in security scanning is a finding that is reported as a risk but is not actually exploitable or actionable in your context. In software composition analysis, the classic example is a scanner flagging a dependency because its version matches a CVE, even though your application never calls the vulnerable function. These findings are not wrong in a strict sense — the vulnerable version really is present — but they are noise, because acting on them reduces no real risk. The distinction between "technically present" and "actually exploitable" is the heart of the false-positive problem, and it is why context matters more than raw detection.

Frequently Asked Questions

What counts as a false positive in security scanning? A false positive is any finding that does not represent real, actionable risk in your environment, even if the underlying detail is technically accurate. In SCA it usually means a vulnerable version is present but the vulnerable code path is never reached. In SAST it often means a flagged pattern that is safe because of validation or sanitization the tool did not model. The common thread is a gap between what the scanner can see and how the code actually behaves.

Why do SCA tools produce so many false positives? Because most operate purely by version matching. They compare your components against a vulnerability database and report every match, with no knowledge of whether your code invokes the affected function. Since a single CVE often affects one specific method in a large library, most matches are for code you never call. This is efficient to compute but produces a queue dominated by non-exploitable findings.

Are these findings truly "wrong"? Usually not in a literal sense, which is why the term is contested. The vulnerable version genuinely exists in your dependency tree, so the detection is accurate; what is misleading is the implied urgency. A more precise framing is "not exploitable in context" or "not reachable" rather than "false." The practical effect is the same either way: it should not sit at the top of your remediation queue.

How does reachability analysis reduce false positives? Reachability traces the call graph from your code into your dependencies to check whether the vulnerable function is actually invoked. If no path reaches it, the finding is marked non-reachable and can be deprioritized. This directly attacks the largest source of SCA noise. Safeguard applies reachability on top of software composition analysis so the ranked list reflects what your code can actually trigger.

What is the difference between a false positive and a non-reachable finding? A non-reachable finding is a specific, well-defined category: the vulnerable code exists but is not called. A false positive is a broader label people apply to any finding they consider noise, which can include misidentified components, wrong version detection, or safe-by-configuration cases. Treating "non-reachable" as its own state is more honest than lumping everything under "false positive," because a non-reachable finding can become reachable after a code change.

Why are false positives so damaging beyond wasted time? Because they cause alert fatigue, and alert fatigue causes teams to ignore everything, including the real threats. When a queue is 80 percent noise, developers learn to distrust the tool and start dismissing findings in bulk. The genuinely critical vulnerability then gets swept away with the rest. The cost of false positives is not only the hours spent triaging them; it is the credibility of the whole security signal.

Do dynamic and runtime tools have false positives too? Yes, though of a different kind. Dynamic testing exercises a running application, so it tends to produce fewer non-exploitable findings, but it can still misreport based on environment quirks, error handling, or unstable endpoints. Safeguard's dynamic testing engine confirms behavior against live endpoints, which complements static reachability: static analysis narrows the list, and dynamic testing validates what actually happens at runtime.

Can I just suppress the findings I think are false? You can, but do it as tracked suppression, not deletion. Blanket suppression by developers with no record is how real vulnerabilities get silently buried. A good workflow suppresses a finding with a reason and a review date, keeps it visible in the system, and re-evaluates it on future scans. The goal is to remove it from the urgent queue without losing the ability to notice if it becomes reachable later.

How do false positives affect compliance and audits? They inflate metrics and obscure real posture, which auditors increasingly notice. A report showing thousands of open "critical" findings that are mostly non-reachable tells an auditor little about actual risk. Context-aware findings — annotated with reachability, EPSS, and KEV status — give a far more defensible picture of what you have decided to fix, defer, or accept, and why. Documented, reasoned triage beats a raw count every time.

Does prioritization by EPSS and KEV help with false positives? It helps with a related problem: even among genuinely present vulnerabilities, most will never be exploited. EPSS estimates exploitation likelihood and CISA KEV lists what is actively exploited, so pairing them with reachability separates "present but harmless" from "present and dangerous." A finding that is non-reachable, has near-zero EPSS, and is not on KEV is about as low-priority as it gets. Combining the signals is more reliable than any one of them.

How does AI help distinguish real findings from noise? AI is well suited to the explanation and triage layer, where it can articulate why a specific finding is or is not exploitable in your code and draft the fix if it is. This turns a raw match into a reasoned decision a developer can trust or override. Safeguard's Griffin AI provides that explanation alongside each finding, with a human making the final call rather than the model auto-dismissing anything.

How much can these techniques actually cut the queue? Reachability alone commonly removes a large majority of version-matched findings, with reported reductions frequently in the 70 to 90 percent range depending on ecosystem and coding style; treat any single figure cautiously. Layering EPSS and KEV on top narrows it further. Teams switching from a version-matching-only scanner often see the starkest change; our Snyk comparison shows where context-aware triage changes the results.


Want to see how much of your queue is actually noise? Start free or read the false-positive reduction guide in the Safeguard docs.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.