Feedback issue: Manage SAST False Positives with AI (Beta)

Welcome to the Beta for Manage SAST False Positives with AI!

The purpose of this feedback issue is to collect your experiences with the AI-powered false positive detection feature for SAST vulnerabilities. Our goal is to understand how this feature is helping (or hindering) your security workflows, identify bugs and improvement areas, and prioritize enhancements based on real usage. Your feedback will directly influence how we evolve this feature from Beta to GA.

Limited Beta Availability

• Available in SaaS, Self-managed and Dedicated in 18.7
• Accessible via Vulnerability Report and Security Configuration Page
• Requires Ultimate tier with GitLab Duo add-on subscription

What is the SAST False Positive Detection Feature?

The SAST False Positive Detection feature is an GitLab Duo-powered capability that helps security teams identify and manage false positives in SAST (Static Application Security Testing) vulnerabilities. It analyzes vulnerabilities and provides intelligent recommendations on which ones might be false positives, enabling faster triage and more efficient vulnerability management.

Current Beta capabilities (18.7)

Current Beta capabilities

✅ What the feature CAN do:

False Positive Analysis

• Analyze SAST vulnerabilities for potential false positives
• Provide AI-powered recommendations on false positive likelihood
• Display false positive information on vulnerability details
• Show false positive badges in the vulnerability report

Reporting & Visibility

• Export false positive information in vulnerability report exports
• View false positive metrics and trends
• Monitor false positive detection workflow

⚠️ Beta Limitations:

• Limited to Ultimate tier with Duo add-on subscription
• False positive detection focuses on High and Critical severity SAST vulnerabilities

Feedback we're especially interested in

1. Accuracy: Does the AI correctly identify false positives?
2. Usefulness: Does the feature save you time in vulnerability triage?
3. User Experience: How intuitive is the interface for managing false positives?
4. Integration: How well does this fit into your existing security workflows?
5. Missing capabilities: What false positive management tasks can't you accomplish?
6. Performance: Are there any performance issues with the feature?
7. Recommendations Quality: Are the AI recommendations helpful and trustworthy?

How to give feedback

1. Check existing feedback: Review threads below to see if your issue is already reported. Add a 👍 or comment to show support.
2. Start a new thread: Use a descriptive title like "False positive detection misses SQL injection" or "UI is confusing for dismissing multiple vulnerabilities"
3. Include context:
   • What you were trying to do
   • The response or behavior you received
   • What you expected vs. what happened
   • URLs or screenshots (sanitized as needed)
   • Vulnerability IDs or project information
4. Rate the response: On a scale of 1-5, how useful was it?

Example feedback format

• Title: AI incorrectly identifies SQL injection as false positive
• Context: Analyzed SAST vulnerabilities in my project
• What happened: Feature marked a genuine SQL injection vulnerability as likely false positive
• Expected: Should correctly identify actual vulnerabilities vs. false positives
• Usefulness: 2/5 - Had to manually review and override the recommendation
• Screenshots: [If applicable]

What you can expect from us

1. We will read all feedback during the Beta period
2. We will prioritize fixes for GA based on feedback patterns
3. We will create issues for reproducible problems
4. We may reach out for clarification on complex security issues

Known Beta Issues

---

🛡️ 🤖 🔍 Thank you for helping us make the SAST False Positive Detection feature an indispensable part of your security workflow! Your feedback during this Beta period is crucial for delivering a GA release that truly transforms vulnerability management through AI-powered automation.