Safeguard
Tag

false-positives

Safeguard articles tagged "false-positives" — guides, analysis, and best practices for software supply chain and application security.

22 articles

Application Security

Reducing false positives in SAST and SCA tools

NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.

Jul 9, 20266 min read
AI Security

Where AI actually helps AppSec — and where it quietly makes things worse

One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.

Jul 8, 20267 min read
Application Security

A vendor-neutral framework for evaluating SAST tools

OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.

Jul 8, 20266 min read
Concepts

What Is Reachability Analysis in Security?

Reachability analysis determines whether a vulnerable piece of code can actually be executed from your application — cutting through the noise of vulnerabilities that exist but can never be triggered. Here's how it slashes false positives.

Jul 7, 20267 min read
FAQ

False Positives in Security Scanning FAQ

Why security scanners produce so many false positives, what actually counts as one, and how reachability analysis and context reduce the noise. A practical FAQ.

Jul 6, 20266 min read
Concepts

False Positives vs False Negatives: What's the Difference?

A false positive flags something safe as dangerous. A false negative misses something dangerous entirely. One wastes your time; the other gets you breached.

Jul 5, 20266 min read
FAQ

Reachability Analysis FAQ: What It Is and Why It Cuts Noise

Reachability analysis decides whether a vulnerable function in a dependency is actually called by your code. Here are the common questions, answered plainly.

Jul 4, 20266 min read
Concepts

What Is VEX (Vulnerability Exploitability eXchange)?

VEX is a machine-readable advisory that states whether a product is actually affected by a known vulnerability. Here's how its status values work and why it cuts SBOM-driven false positives.

Jul 2, 20266 min read
Application Security

Reducing false positives in secret scanning with context-...

Regex-based secret scanners like GitHub Advanced Security flood teams with false positives. Here's how context-aware LLM reasoning cuts the noise without missing real leaked credentials.

Jul 1, 20267 min read
Best Practices

Reducing false positives in security scanning

Most security scan findings never warrant action. Here's why scanners over-alert, what it costs teams, how Aikido's consolidation approach compares, and what actually cuts false positives.

May 4, 20267 min read
Case Studies

Customer story pattern: cutting false-positive noise with...

How one team cut AppSec findings 92% and MTTR from 11 days to 36 hours by consolidating scanners — a reduce security tool noise false positives case study.

May 2, 20267 min read
Vulnerability Management

Solve SCA False Positive Overload With Reachability Analysis

SCA tools produce more findings than any team can review. Reachability analysis is the filter that turns the haystack into a queue your engineers will actually finish.

Apr 12, 20264 min read
false-positives — Safeguard Blog