False Positives
Our Philosophy
At GuardRails, we focus on security that doesn't get in your way. That also means eliminating noise such as irrelevant security issues, and false alerts. We want to ensure that you, your software developers, and your security engineers don't have to waste time looking at a long list of possible issues.
GuardRails has ever-improving false positive detection logic that benefits from everyone who marks issues as false positive or not false positive in the dashboard, or who simply reaches out to us with incorrect findings.
We are already exploring how machine learning can further improve this detection, so stay tuned for news on that front.
Reporting False Positives
There are three ways in which you can report false positives:
1. Via the Dashboard
You can update the status of vulnerabilities in the dashboard, either for a single vulnerability or in bulk for several vulnerabilities. You can update the status to either Fixed, False Positive, or Won't Fix.
Bulk update all vulnerabilities in the same category
To make working in the GuardRails dashboard more efficient, the bulk update function lets you update all vulnerabilities in the same category at once.
Notes
- This feature only appears for a category that has more than 10 items (vulnerabilities/findings)
2. Via PR/MR Comment
In the PR/MR comments you have the link to a feedback form. Just answer the questions and mention the false positives in section 4.
3. Via Email
Just send us an email to [email protected] and tell us what is wrong.
Please include the name of the repository, the finding category, the filename and line number, and, if possible, a brief description of why this is a false positive.
4. Via Code
You can also add a comment to the affected line with the content guardrails-disable-line.
More information can be found here.
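As an added example (not GuardRails' own tooling), a small audit script that inventories inline guardrails-disable-line suppressions in a repository so they can be reviewed rather than silently hiding findings; the file names, sample source and the set of comment prefixes are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

MARKER = "guardrails-disable-line"
# The page only specifies the marker text; the comment prefixes here are an
# assumption covering common languages (#, //, /* ... */, --).
MARKER_RE = re.compile(r"(?:#|//|/\*|--)[^\n]*" + re.escape(MARKER))


def find_suppressions(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, stripped line) for every line carrying the marker in a comment."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(text.splitlines(), start=1)
        if MARKER_RE.search(line)
    ]


def inventory(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map file name -> suppressed lines, omitting files with none."""
    result = {}
    for name, text in files.items():
        hits = find_suppressions(text)
        if hits:
            result[name] = hits
    return result


# Constructed sample repository content (not real GuardRails findings).
SAMPLE_FILES = {
    "app/db.py": (
        "import sqlite3\n"
        "def lookup(conn, user_id):\n"
        "    q = 'SELECT * FROM users WHERE id=?'\n"
        "    return conn.execute(q, (user_id,))  # guardrails-disable-line\n"
    ),
    "web/render.js": (
        "const html = template(data);\n"
        "el.innerHTML = html; // sanitized upstream, guardrails-disable-line\n"
        "console.log('guardrails-disable-line is not a comment here');\n"
    ),
    "infra/main.tf": "resource \"aws_s3_bucket\" \"logs\" {}\n",
}

if __name__ == "__main__":
    for name, hits in inventory(SAMPLE_FILES).items():
        for lineno, line in hits:
            print(f"{name}:{lineno}: {line}")
```

The marker inside a string literal (the third line of render.js) is deliberately not reported, since only a comment on the affected line counts as a suppression.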