How do you suppress a false positive in Code Scanning?


Multiple Choice

How do you suppress a false positive in Code Scanning?

Explanation:
Suppressing a false positive in Code Scanning is best done with targeted suppression rather than changing code or turning off scanning. You can apply per-alert suppression in the UI, which hides that specific finding while keeping all others visible. You can also use CodeQL suppression rules, such as a suppression file, to codify which findings should be ignored across runs. Another useful route is adjusting the queries themselves to reduce or eliminate the false positive by refining the detection logic or adding conditions that distinguish false alarms from real issues. This approach preserves the rest of the scan output, maintains traceability, and allows you to revisit the suppression later if the context changes. Deleting the file causing the alert removes code instead of addressing the signal. Disabling Code Scanning eliminates visibility into potential real issues. Marking as resolved without remediation can hide risk and isn’t a durable suppression.

