ContextQMD
Back to Gitlabhq

Secret false positive detection

doc/user/application_security/vulnerabilities/secret_false_positive_detection.md

19.0.06.9 KB
Original Source

{{< details >}}

  • Tier: Ultimate
  • Add-on: GitLab Duo Core, Pro, or Enterprise
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
  • Status: Beta

{{< /details >}}

{{< history >}}

{{< /history >}}

Secret false positive detection is an opt-in feature. When you enable it, GitLab Duo analyzes each detected secret to determine the likelihood that it's a false positive. Detection is available for all secret types detected by GitLab secret detection.

[!important] When this feature is enabled, information about the vulnerability, including the code context surrounding the detected secret, is sent to large language models (LLMs) for analysis. The behavior described in the secret detection and redaction documentation does not apply to this feature. Review your organization's data policies before enabling this feature.

The GitLab Duo assessment includes information about each false positive finding:

  • Confidence score: A numerical score that indicates the likelihood that the finding is a false positive.
  • Explanation: Reasons why the finding may or may not be a true positive, based on code context and secret characteristics.
  • Visual indicator: A badge in the vulnerability report that shows the false positive assessment.

Once enabled, false positive detection runs automatically after each security scan without manual intervention.

Results are based on AI analysis and should be reviewed by security professionals. The feature requires GitLab Duo with an active subscription.

Automatic detection

False positive detection runs automatically in the following scenarios:

  • A secret detection scan completes successfully on the default branch.
  • The scan detects secrets.
  • GitLab Duo features are enabled for the project.

The analysis runs in the background and results appear in the vulnerability report once processing is complete.

Manual trigger

You can manually run false positive detection for existing vulnerabilities:

  1. In the top bar, select Search or go to and find your project.
  2. In the left sidebar, select Secure > Vulnerability report.
  3. Select the vulnerability you want to analyze.
  4. In the upper-right corner, select Check for false positive to trigger false positive detection.

The GitLab Duo analysis runs and displays the results on the vulnerability details page.

Configuration

To use false positive detection, you must have the following requirements:

Enable false positive detection

False positive detection is turned off by default and must be explicitly enabled. When enabled, information about the vulnerability, including surrounding code context, is sent to LLMs for analysis. To use this feature, you must enable the foundational flow for the group and turn on the feature for the project.

Allow foundational flow for a group

You can allow all projects in a group to use the foundational flow. Individual projects must still enable the feature in their project settings. To allow false positive detection for all projects in a group:

  1. In the left sidebar, select Search or go to and find your group.
  2. Select Settings > GitLab Duo.
  3. Under Allow foundational flows, select the Secret Detection False Positive Detection checkbox.
  4. Select Save changes.

Turn on for a project

To turn on false positive detection for a specific project:

  1. In the left sidebar, select Search or go to and find your project.
  2. Select Settings > General.
  3. Expand GitLab Duo.
  4. Turn on the Turn on secret detection false positive detection toggle.
  5. Select Save changes.

When you allow false positive detection for the group and turn it on for the project, the feature works automatically with your existing secret detection scanners.

Confidence scores

The confidence score estimates how likely the GitLab Duo assessment is to be correct:

  • Likely false positive (80-100%): GitLab Duo is highly confident that the finding is a false positive.
  • Possible false positive (60-79%): GitLab Duo has reasonable confidence that the finding may be a false positive but recommends manual review.
  • Likely not a false positive (<60%): GitLab Duo is not confident that the finding is a false positive. Manual review is strongly recommended before you dismiss the vulnerability.

Dismissing false positives

When the GitLab Duo analysis identifies a vulnerability as a false positive, you have the following options:

  • Dismiss the vulnerability
  • Remove the false positive flag

Dismiss the vulnerability

  1. In the top bar, select Search or go to and find your project.
  2. In the left sidebar, select Secure > Vulnerability report.
  3. Select the vulnerability you want to dismiss.
  4. Select Change status.
  5. From the Status dropdown list, select Dismissed.
  6. From the Set dismissal reason dropdown list, select False positive.
  7. In the Add a comment input, provide context about why you're dismissing it as a false positive.
  8. Select Change status.

The vulnerability is marked as dismissed and does not appear in future scans unless it is reintroduced.

Remove the false positive flag

If you want to remove the false positive assessment and keep the vulnerability:

  1. In the top bar, select Search or go to and find your project.
  2. In the left sidebar, select Secure > Vulnerability report.
  3. Locate the vulnerability with the false positive flag.
  4. Hover over the false positive badge on the vulnerability.
  5. Select Remove False Positive Flag.

The false positive flag is removed and the FP confidence score reverts to 0. The vulnerability remains in the report and can be re-evaluated in future scans.

Providing feedback

False positive detection is a beta feature and we welcome your feedback. If you encounter issues or have suggestions for improvement, please provide feedback in issue 592861.