[Functional Requirements] AI False-Positive (FP) Filter

Problem

Formalise the functional requirements and the GraphQL schema for the Vulnerabilities AI false-positive (FP) filters.


GraphQL Schema

Argument name Values
falsePositive true / false

Schema Values

Value Meaning
true Show potential false positives: detected_as_fp
false Hide potential and likely false positives: not detected_as_fp
  • ❄️ GraphQL schema approved and frozen (argument name and values)

Filter Requirements

  • backend Include only findings explicitly flagged as false positives (false_positive == true)
  • backend Include only findings with a confidence score greater or equal to 0.6 (60%) (detected_as_fp)
  • frontend Filter selection is mutually exclusive
  • frontend Filter appears in the Gitlab Duo FP detection section, in the Activity dropdown.

UI Design

Screenshot_2026-01-15_at_10.32.33_AM


Test project


Feature flag

ai_experiment_sast_fp_detection

Questions

backend

Does the backend need to handle a “likely false positive” classification? If yes, what confidence score range represents this state?

Confidence score ranges

The confidence scores currently fall into the following ranges:

  • 0–59% — Not a false positive
  • 60–79% — Possible false positive
  • 80–100% — Likely false positive

flagStatus.status values

The flagStatus.status field currently supports the following values:

  • NOT_STARTED
  • IN_PROGRESS
  • DETECTED_AS_FP
  • DETECTED_AS_NOT_FP
  • FAILED

see #585703 (comment 3000299851).

Note: final state of DETECTED_AS_FP or DETECTED_AS_NOT_FP could be used if you are looking for a quick filter. #585703 (comment 3000432434)

Interpretation

This translates to the following behaviour:

  • Show potential false positives: confidence score ≥ 60%
  • Hide potential and likely false positives: confidence score < 60%

see #585703 (comment 3000426137)

Are non-SAST findings excluded by default?

The false positive filter should not take report types into account. It should return all records regardless of their report type.

In practice, the false positive flag is only assigned to SAST vulnerabilities, so the filter will return SAST-only vulnerabilities by design. However, this behaviour should not be hardcoded in the backend. #585703 (comment 3002029361)

frontend

Since only one value can be selected under the GitLab Duo (AI) section, should the false positive filter be moved to a different section, or is it acceptable to keep it there with that limitation?

Yes, let's move it in a dedicated section(#585703 (comment 3009456313))

Edited by Ugo Nnanna Okeadu