Glossary

False Positive Rate

The false positive rate is the share of a scanner's findings that aren't real problems. It's the single biggest factor in whether a security tool gets used or ignored — high noise trains developers to dismiss everything, including the true positives.

A false positive is a finding the tool reports that is not actually a bug — code flagged as a SQL injection that is parameterised, a 'hardcoded secret' that is a test fixture, a path that is reachable in theory but guarded in practice. The false positive rate is how often that happens relative to total findings.

It matters more than almost any other metric because it governs trust. The first time a developer chases a flagged 'critical' and finds nothing wrong, the tool loses a little credibility. After enough of those, the team learns to bulk-dismiss findings — and that habit buries the true positives along with the noise. A noisy scanner is worse than no scanner, because it manufactures false confidence.

Lowering the rate without hiding real bugs is the hard part of detector engineering: path-aware severity (downgrade in tests), library-aware suppression (recognise safe wrappers), explicit suppression markers, and confidence scoring so the gate blocks only on high-confidence findings.

How GateTest handles it

GateTest treats false-positive control as a first-class design constraint. Detectors downgrade severity on test paths, safe-harbour known-good patterns (parameterised ORMs, decimal money libraries, retry libraries), honour inline suppression markers, and feed a confidence-calibrator that recommends severity downgrades for rules customers repeatedly dismiss.

Frequently asked questions

Why does a high false positive rate matter so much?

Because it destroys trust. Once developers learn that most findings are noise, they bulk-dismiss them — and real vulnerabilities get dismissed alongside the false ones. A noisy scanner can leave a team less safe than no scanner.

How do scanners reduce false positives?

With path-aware severity (lower severity in test code), library-aware suppression (recognising safe wrappers), explicit suppression markers, and confidence scoring so only high-confidence findings block the build. GateTest uses all four.
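The four controls named in this answer and in the earlier paragraph on lowering the rate, as an added Python example (not GateTest's own code). The finding schema, the safe-wrapper names, the suppression marker syntax, the blocking threshold and the sample findings are all assumptions made for the illustration:

```python
from dataclasses import dataclass, replace

@dataclass
class Finding:
    rule: str
    path: str
    snippet: str
    severity: str       # "low" | "medium" | "high" | "critical"
    confidence: float   # 0.0 .. 1.0, as reported by the detector

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
# Assumed known-safe wrapper names per rule (library-aware suppression); not a real catalogue.
SAFE_WRAPPERS = {"sqli": ("db.safe_query(", "session.execute(text(")}
SUPPRESS_MARKER = "# scanner:ignore"   # assumed inline marker syntax
BLOCK_THRESHOLD = 0.8                  # the gate blocks only on high-confidence findings

def downgrade(severity, steps=1):
    return SEVERITY_ORDER[max(0, SEVERITY_ORDER.index(severity) - steps)]

def is_test_path(path):
    parts = path.replace("\\", "/").split("/")
    return any(p in ("test", "tests", "fixtures") for p in parts) or parts[-1].startswith("test_")

def triage(findings, dismiss_rate_by_rule=None):  # -> (blocking, advisory, suppressed)
    dismiss_rate_by_rule = dismiss_rate_by_rule or {}
    blocking, advisory, suppressed = [], [], []
    for f in findings:
        if SUPPRESS_MARKER in f.snippet:                               # explicit suppression marker
            suppressed.append(f); continue
        if any(w in f.snippet for w in SAFE_WRAPPERS.get(f.rule, ())):  # library-aware suppression
            suppressed.append(f); continue
        if is_test_path(f.path):                                       # path-aware severity
            f = replace(f, severity=downgrade(f.severity))
        if dismiss_rate_by_rule.get(f.rule, 0.0) > 0.5:                # calibrator: often-dismissed rule
            f = replace(f, confidence=f.confidence * 0.5)
        if f.severity in ("high", "critical") and f.confidence >= BLOCK_THRESHOLD:
            blocking.append(f)
        else:
            advisory.append(f)
    return blocking, advisory, suppressed

def sample_findings():  # constructed sample findings, not real scanner output
    return [
        Finding("sqli", "src/app/orders.py", "db.safe_query(sql, params)", "critical", 0.90),
        Finding("hardcoded-secret", "tests/fixtures/keys.py", 'API_KEY = "test-1234"', "high", 0.95),
        Finding("sqli", "src/app/search.py", 'cursor.execute("SELECT * FROM t WHERE q=" + q)', "critical", 0.92),
        Finding("path-traversal", "src/app/files.py", "open(base / name)  # scanner:ignore", "high", 0.70),
        Finding("weak-hash", "src/app/util.py", "hashlib.md5(data)", "high", 0.90),
    ]
```

Calling `triage(sample_findings(), {"weak-hash": 0.8})` leaves only the string-concatenated query as a blocking finding; the fixture secret is downgraded to medium, the often-dismissed weak-hash rule loses confidence, and the wrapped query and marked line are suppressed.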

See False Positive Rate on your own repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.
