A false positive is a finding the tool reports that is not actually a bug — code flagged as a SQL injection that is parameterised, a 'hardcoded secret' that is a test fixture, a path that is reachable in theory but guarded in practice. The false positive rate is how often that happens relative to total findings.
It matters more than almost any other metric because it governs trust. The first time a developer chases a flagged 'critical' and finds nothing wrong, the tool loses a little credibility. After enough of those, the team learns to bulk-dismiss findings — and that habit buries the true positives along with the noise. A noisy scanner is worse than no scanner, because it manufactures false confidence.
Lowering the rate without hiding real bugs is the hard part of detector engineering. The usual levers are path-aware severity (downgrade findings in test code), library-aware suppression (recognise safe wrappers and treat calls through them as parameterised), explicit suppression markers (a developer-placed comment on the flagged line), and confidence scoring so the gate blocks only on high-confidence, high-severity findings while everything else stays visible without failing the build.
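The four levers above, applied in order to a batch of raw findings, as an added example that is not code from the original page or from any particular scanner. The rule ids, file paths, the `db.query_params(` wrapper name, the `# sast:ignore` marker and every finding below are constructed for illustration; the 0.5 confidence multiplier on test paths and the 0.8 gate threshold are arbitrary tuning choices, not values the text prescribes.

```python
"""Triage pass over raw scanner findings: explicit markers, library-aware
suppression, path-aware severity, then a confidence-gated block decision.
All paths, rule ids, wrapper names and the "# sast:ignore" marker are
constructed for this example; SAMPLE_FINDINGS is made up, not real scan output."""
from dataclasses import dataclass, field, replace

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical safe wrappers: calls that take query parameters separately
# from the query text, so a call through them is not concatenated SQL.
SAFE_SQL_WRAPPERS = ("db.query_params(", "orm.filter(")

# Constructed suppression marker (same idea as Bandit's "# nosec").
SUPPRESS_MARKER = "# sast:ignore"


@dataclass
class Finding:
    rule: str
    path: str
    line: str            # the flagged source line
    severity: str
    confidence: float    # 0.0 .. 1.0 as emitted by the detector
    suppressed: bool = False
    reasons: list[str] = field(default_factory=list)


def is_test_path(path: str) -> bool:
    """Path-aware rule: anything under tests/ or fixtures/, or a test_*.py file."""
    parts = path.split("/")
    return "tests" in parts or "fixtures" in parts or parts[-1].startswith("test_")


def triage(f: Finding) -> Finding:
    """Return a copy of the finding with suppression / downgrade decisions applied."""
    out = replace(f, reasons=list(f.reasons))
    # 1. Explicit marker on the flagged line: a developer has reviewed this one.
    if SUPPRESS_MARKER in out.line:
        out.suppressed = True
        out.reasons.append("explicit-marker")
        return out
    # 2. Library-aware: SQL rule, but the call goes through a parameterised wrapper.
    if out.rule == "sql-injection" and any(w in out.line for w in SAFE_SQL_WRAPPERS):
        out.suppressed = True
        out.reasons.append("safe-wrapper")
        return out
    # 3. Path-aware: a "secret" in a test fixture is not a production leak.
    #    Keep it visible, but drop severity and halve the confidence.
    if is_test_path(out.path):
        if SEVERITY_RANK[out.severity] > SEVERITY_RANK["low"]:
            out.severity = "low"
            out.reasons.append("test-path-downgrade")
        out.confidence *= 0.5
    return out


def gate(findings, min_confidence=0.8, min_severity="high"):
    """Split findings into (blocking, dismissed, informational).
    Only high-confidence, high-severity findings fail the build; the rest are
    still reported so nothing is silently hidden."""
    blocking, dismissed, info = [], [], []
    for f in findings:
        t = triage(f)
        if t.suppressed:
            dismissed.append(t)
        elif (SEVERITY_RANK[t.severity] >= SEVERITY_RANK[min_severity]
              and t.confidence >= min_confidence):
            blocking.append(t)
        else:
            info.append(t)
    return blocking, dismissed, info


def false_positive_rate(findings, confirmed_bugs) -> float:
    """Share of raw findings that are not real bugs, given the (rule, path)
    pairs a human confirmed. This is the metric the text is talking about."""
    if not findings:
        return 0.0
    fp = sum(1 for f in findings if (f.rule, f.path) not in confirmed_bugs)
    return fp / len(findings)


# Constructed sample batch: two true positives that should block, two noise
# findings that should be dismissed, and two that should stay informational.
SAMPLE_FINDINGS = [
    Finding("sql-injection", "src/api/users.py",
            "cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")",
            "critical", 0.9),
    Finding("sql-injection", "src/api/orders.py",
            "rows = db.query_params(\"SELECT * FROM orders WHERE id = ?\", (oid,))",
            "critical", 0.9),
    Finding("hardcoded-secret", "tests/fixtures/keys.py",
            "API_KEY = \"test-not-a-real-key\"", "high", 0.9),
    Finding("path-traversal", "src/files.py",
            "fh = open(base / name)  # sast:ignore name canonicalised above",
            "high", 0.7),
    Finding("hardcoded-secret", "src/config.py",
            "PASSWORD = \"hunter2\"", "high", 0.95),
    Finding("weak-hash", "src/legacy/auth.py",
            "digest = hashlib.md5(pw).hexdigest()", "medium", 0.95),
]

# Constructed human triage outcome used to compute the false positive rate.
CONFIRMED_BUGS = {
    ("sql-injection", "src/api/users.py"),
    ("hardcoded-secret", "src/config.py"),
    ("weak-hash", "src/legacy/auth.py"),
}

if __name__ == "__main__":
    blocking, dismissed, info = gate(SAMPLE_FINDINGS)
    for name, bucket in (("BLOCK", blocking), ("DISMISS", dismissed), ("INFO", info)):
        for f in bucket:
            print(f"{name:8} {f.rule:18} {f.path:28} {f.severity:8} "
                  f"conf={f.confidence:.2f} {','.join(f.reasons)}")
    print(f"false positive rate: {false_positive_rate(SAMPLE_FINDINGS, CONFIRMED_BUGS):.2f}")
```

The ordering matters: an explicit marker wins over everything, the wrapper check runs before the path check so a safe call in a test file is dismissed rather than merely downgraded, and the path rule only lowers severity and confidence rather than dropping the finding, so a real secret committed under `tests/` still shows up in the informational bucket for a human to look at.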