SAST false positive detection

{{< details >}}

• Tier: Ultimate
• Add-on: GitLab Duo Core, Pro, or Enterprise
• Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

• Introduced in GitLab 18.7 as a beta with feature flags named enable_vulnerability_fp_detection and ai_experiment_sast_fp_detection. Enabled by default.
• Generally available in GitLab 18.10.

{{< /history >}}

When a static application security testing (SAST) scan runs, GitLab Duo automatically analyzes each Critical and High severity SAST vulnerabilities to determine the likelihood that it's a false positive. Detection is available for vulnerabilities from GitLab-supported SAST analyzers.

The GitLab Duo assessment includes:

• Confidence score: A numerical score indicating the likelihood that the finding is a false positive.
• Explanation: Contextual reasoning about why the finding may or may not be a true positive, based on code context and vulnerability characteristics.
• Visual indicator: A badge in the vulnerability report showing the false positive assessment.

The detection runs automatically after each security scan with no manual triggering required.

Results are based on AI analysis and should be reviewed by security professionals. The feature requires GitLab Duo with an active subscription.

<i class="fa-youtube-play" aria-hidden="true"></i> For an overview, see GitLab AI-Powered SAST False Positive Detection and Remediation.

<!-- Video published on 2026-03-20 -->

For a click-through demo, see SAST False Positive Detection Flow.

<!-- Demo published on 2026-02-17 -->

Automatic detection

False positive detection runs automatically when:

• A SAST security scan completes successfully on the default branch.
• The scan detects Critical or High severity vulnerabilities.
• GitLab Duo features are enabled for the project.

The analysis happens in the background and results appear in the vulnerability report once processing is complete.

Manual trigger

You can manually trigger false positive detection for existing vulnerabilities:

1. In the top bar, select Search or go to and find your project.
2. Select Secure > Vulnerability report.
3. Select the vulnerability you want to analyze.
4. In the upper-right corner, select Check for false positive to trigger false positive detection.

The GitLab Duo analysis runs and results are displayed on the vulnerability details page.

Configuration

To use false positive detection, you must have:

• A GitLab Duo add-on subscription (GitLab Duo Core, Pro, or Enterprise).
• GitLab Duo enabled in your project or group.
• A default GitLab Duo namespace set in your user preferences.
• GitLab 18.7 or later.

Enable false positive detection

False positive detection is turned off by default. To use this feature, you must enable the foundational flow for the group and turn on the feature for the project.

Allow foundational flow for a group

You can allow all projects in a group to use the foundational flow. Individual projects must still enable the feature in their project settings. To allow false positive detection for all projects in a group:

1. In the left sidebar, select Search or go to and find your group.
2. Select Settings > GitLab Duo.
3. Under Allow foundational flows, select the SAST False Positive Detection checkbox.
4. Select Save changes.

Turn on for a project

To turn on false positive detection for a specific project:

1. In the left sidebar, select Search or go to and find your project.
2. Select Settings > General.
3. Expand GitLab Duo.
4. Turn on the Turn on SAST false positive detection toggle.
5. Select Save changes.

When you allow false positive detection for the group and turn it on for the project, the feature work works automatically with your existing SAST scanners.

Confidence scores

The confidence score estimates how likely the GitLab Duo assessment is to be correct:

• Likely false positive (80-100%): GitLab Duo is highly confident that the finding is a false positive.
• Possible false positive (60-79%): GitLab Duo has reasonable confidence that the finding may be a false positive but recommends manual review.
• Likely not a false positive (<60%): GitLab Duo is not confident that the finding is a false positive. Manual review is strongly recommended before you dismiss the vulnerability.

Dismissing false positives

When the GitLab Duo analysis identifies a vulnerability as a false positive, you have the following options:

• Dismiss the vulnerability
• Remove the false positive flag

Dismiss the vulnerability

1. In the top bar, select Search or go to and find your project.
2. Select Secure > Vulnerability report.
3. Select the vulnerability you want to dismiss.
4. Select Change status.
5. From the Status dropdown list, select Dismissed.
6. From the Set dismissal reason dropdown list, select False positive.
7. In the Add a comment input, provide context about why you're dismissing it as a false positive.
8. Select Change status.

The vulnerability is marked as dismissed and does not appear in future scans unless it is reintroduced.

Remove the false positive flag

If you want to remove the false positive assessment and keep the vulnerability:

1. In the top bar, select Search or go to and find your project.
2. Select Secure > Vulnerability report.
3. Locate the vulnerability with the false positive flag.
4. Hover over the false positive badge on the vulnerability.
5. Select Remove False Positive Flag.

The false positive flag is removed and the FP confidence score reverts to 0. The vulnerability remains in the report and can be re-evaluated in future scans.

Providing feedback

Share your feedback in issue 583697.

Related topics

• Vulnerability details
• Vulnerability report
• SAST
• GitLab Duo