Safeguard
Application Security

False positives vs. false negatives in security scanning

False positives waste engineering time; false negatives cause breaches. A verifiable, metrics-based look at how Safeguard and Checkmarx approach scan accuracy.

Aman Khan
AppSec Engineer
7 min read

Every security team eventually runs into the same wall: a scanner that cries wolf so often that engineers start ignoring it, or a scanner that stays quiet right up until a real vulnerability ships to production. Both failure modes carry a cost, but they show up differently on a P&L. False positives burn engineering hours on triage and erode trust in the tool until developers route around it entirely. False negatives are invisible until they're an incident report. For teams evaluating Checkmarx or comparing it against Safeguard, the real question isn't "which tool finds more issues" — it's which tool gets the balance right for how modern software actually gets built, tested, and shipped. This post breaks down where the false positive/false negative tradeoff actually comes from, how detection methodology shapes it, and what to look for when you're the one signing the contract.

Why False Positives and False Negatives Are Two Sides of the Same Problem

Every scanner sits somewhere on a precision/recall curve. Tune a rule engine to catch every possible instance of a vulnerability pattern (say, any use of a string-concatenation function near a SQL call), and you'll also catch every safe, parameterized, already-sanitized instance of that same pattern. Tune it tighter to cut noise, and you risk missing the one case that's actually exploitable. This isn't a bug you can code away — it's a structural property of how a detection engine reasons about code.

The variable that actually moves the needle is context. A tool that only looks at a single file or function in isolation has to guess at exploitability. A tool that can trace whether tainted input actually reaches a dangerous sink, whether the vulnerable code path is reachable at runtime, and whether the dependency carrying the flaw is even loaded, has real signal to work with. That's why "false positive rate" isn't really a single number vendors can quote — it's a function of how much context the underlying engine has access to, and how much of the software delivery pipeline it can see.

How Checkmarx Approaches Detection Accuracy

Checkmarx built its reputation as a SAST platform: a query-based static analysis engine (originally CxSAST, now consolidated under CxOne) that scans source code against a large library of vulnerability queries across many languages, plus SCA for open-source dependency scanning. That's a well-established, verifiable position in the market — Checkmarx is fundamentally a code-and-dependency scanning platform, and it has invested in prioritization features to help teams cut through query results.

Two things worth verifying directly with Checkmarx if you're evaluating it: first, how much of its risk scoring is based on static reachability analysis within a single repo versus signals from how that code is actually built, packaged, and deployed. Static analysis products, by design, primarily reason about code as text and structure — they generally do not have native visibility into your CI/CD pipeline's build provenance, artifact signing status, or which third-party binaries and container layers actually ship in production. Second, ask what happens to findings once they leave the scanner: does prioritization data flow into your ticketing and CI gates automatically, or does it require manual export and rule-tuning per project? Those two questions matter more than any aggregate accuracy claim, because they determine whether your team spends its time on triage or on fixes.

How Safeguard Approaches Detection Accuracy

Safeguard is built around the software supply chain rather than the codebase in isolation. That distinction changes what "false positive" even means. Instead of asking only "does this code pattern look risky," Safeguard correlates findings across the full path a piece of software takes: source, dependencies, build pipeline, artifact registry, and runtime deployment. Concretely, that means:

  • SBOM-driven dependency context. Safeguard generates and tracks software bills of materials so a vulnerable package is flagged with knowledge of whether it's actually included in a shipped artifact — not just referenced somewhere in a manifest file.
  • Build provenance and artifact integrity checks. Findings are tied to verifiable build attestations, so a scan result carries information about where the artifact came from and whether it matches what was reviewed, which reduces the number of "this was already fixed upstream" false alarms that plague dependency-only scanners.
  • Pipeline-native gating. Policies run at the CI/CD stage where the artifact is produced, so teams control severity thresholds and exception rules in the same place engineers already work, rather than in a separate portal.

None of this claims Safeguard produces zero false positives — no scanner can honestly claim that. What it does mean is that Safeguard's precision improvements come from adding supply-chain-level signal (what's actually built and shipped) on top of code-level detection, rather than from tuning a single static analysis engine in isolation.

Which Metrics Should You Actually Ask Vendors For?

If you're comparing Safeguard and Checkmarx — or any two scanners — insist on numbers you can verify in a proof-of-concept rather than numbers from a slide deck:

  1. Findings-to-fix ratio. Run both tools against the same repository and count how many findings actually resulted in a code or dependency change versus how many were dismissed as won't-fix or false positive after triage.
  2. Time-to-triage per finding. Measure how long an engineer spends confirming or dismissing a single finding. This is often the biggest hidden cost of a noisy scanner and rarely shows up in vendor benchmarks.
  3. Reachability and runtime correlation. Ask whether flagged vulnerabilities are cross-checked against what's actually loaded or executed, not just what's present in a lockfile.
  4. Provenance coverage. Ask what percentage of your build artifacts can be traced back to a verified source commit and build step. This directly affects whether "vulnerable dependency" findings are even trustworthy.
  5. Suppression and exception audit trail. Every scanner accumulates suppressed findings over time. Ask how each platform tracks who suppressed what, when, and why — this is also a control auditors will ask about directly.

Run the same repository, same time window, and same severity thresholds through both platforms before making a decision. Aggregate "accuracy" percentages from marketing materials are not a substitute for a controlled comparison against your own codebase.

How Safeguard Helps

Safeguard's approach to the false positive/false negative tradeoff is to widen the aperture: instead of relying solely on static code analysis to guess at exploitability, findings are enriched with SBOM data, build provenance, and deployment context before they ever reach an engineer's queue. In practice this means:

  • Vulnerability findings are tied to whether the affected component is actually present in a built, shipped artifact — cutting down on alerts for code paths and dependencies that never make it to production.
  • Build attestations and provenance verification reduce false alarms caused by stale or mismatched version data, a common source of noise in dependency-only scanning.
  • Policy gates run directly in CI/CD, so teams can tune severity thresholds and exception handling where the build actually happens, with a full audit trail for every suppression — useful both for engineering hygiene and for SOC 2 / compliance evidence.
  • Supply chain visibility extends beyond source code to cover the artifacts, containers, and third-party components that traditional SAST and SCA tools were not designed to see end-to-end.

The goal isn't to promise a perfect scanner — that doesn't exist. It's to make sure the findings your team does see are the ones worth acting on, and that the ones you don't see aren't hiding in a blind spot between your code repo and your production environment. If you're currently weighing Checkmarx against a supply-chain-first approach, the best next step is the same one recommended above: run a real proof-of-concept against your own repositories and measure findings-to-fix ratio and time-to-triage directly, rather than relying on either vendor's claimed accuracy numbers.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.