false-positives
Safeguard articles tagged "false-positives" — guides, analysis, and best practices for software supply chain and application security.
22 articles
Reducing false positives in SAST and SCA tools
NIST benchmark data puts some SAST false-positive rates near 78%. Reachability analysis and contextual triage are how teams cut that noise without missing real risk.
Where AI actually helps AppSec — and where it quietly makes things worse
One 2025 benchmark found an LLM filter cut Semgrep's false positives by 88.6% — while a separate study found GPT-4 alone flagging vulnerabilities was wrong more often than right.
A vendor-neutral framework for evaluating SAST tools
OWASP's Benchmark suite has run 2,740 fixed Java test cases since 2016, yet most SAST comparisons still amount to a vendor's self-reported false-positive number.
What Is Reachability Analysis in Security?
Reachability analysis determines whether a vulnerable piece of code can actually be executed from your application — cutting through the noise of vulnerabilities that exist but can never be triggered. Here's how it slashes false positives.
False Positives in Security Scanning FAQ
Why security scanners produce so many false positives, what actually counts as one, and how reachability analysis and context reduce the noise. A practical FAQ.
False Positives vs False Negatives: What's the Difference?
A false positive flags something safe as dangerous. A false negative misses something dangerous entirely. One wastes your time; the other gets you breached.
Reachability Analysis FAQ: What It Is and Why It Cuts Noise
Reachability analysis decides whether a vulnerable function in a dependency is actually called by your code. Here are the common questions, answered plainly.
What Is VEX (Vulnerability Exploitability eXchange)?
VEX is a machine-readable advisory that states whether a product is actually affected by a known vulnerability. Here's how its status values work and why it cuts SBOM-driven false positives.
Reducing false positives in secret scanning with context-...
Regex-based secret scanners like GitHub Advanced Security flood teams with false positives. Here's how context-aware LLM reasoning cuts the noise without missing real leaked credentials.
Reducing false positives in security scanning
Most security scan findings never warrant action. Here's why scanners over-alert, what it costs teams, how Aikido's consolidation approach compares, and what actually cuts false positives.
Customer story pattern: cutting false-positive noise with...
How one team cut AppSec findings 92% and MTTR from 11 days to 36 hours by consolidating scanners — a reduce security tool noise false positives case study.
Solve SCA False Positive Overload With Reachability Analysis
SCA tools produce more findings than any team can review. Reachability analysis is the filter that turns the haystack into a queue your engineers will actually finish.