What is a 'false positive' in the context of Code Scanning, and how should you handle it?

Prepare for the GitHub Advanced Security Certification Test. Practice with multiple choice questions, detailed explanations, and hints. Achieve success on your first attempt!

Multiple Choice

What is a 'false positive' in the context of Code Scanning, and how should you handle it?

Explanation:
A false positive is an alert that code scanning reports but that, on review, does not correspond to a real vulnerability in your codebase. It typically arises when a broad or generic query does not account for your context: a language quirk, a library wrapper that already sanitizes input, or the way data actually flows in your project. Handle it by treating the alert as a claim to verify, not a confirmed issue. Examine the evidence the alert gives (for a data-flow alert, the source, the sink and the path between them), reproduce the problem if you can, and decide whether it truly applies. If it does not, you have three options: dismiss the alert, refine the query configuration so that similar signals are not raised, or exclude the affected file or path from analysis. Dismissing an alert records the reason (for example, false positive) and an optional comment, which keeps the decision auditable; refining queries makes future results more accurate and reduces noise; excluding a file or directory is appropriate only in rare cases, such as vendored or generated code, and should be documented and reviewed periodically, because an exclusion also hides any true positives in that path. Keep a log of false positives and revisit them as the code changes, so that a finding dismissed under old assumptions does not mask a real issue later.
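As an added example, not taken from the original explanation, the following CodeQL configuration file shows the two configuration-level options described above: excluding a query whose alerts were reviewed and found not to apply, and ignoring a path that contains no first-party code. The file name, the query ID, the paths and the review note are assumptions chosen for illustration; dismissing a single alert with a reason in the repository's Security tab remains the right choice when only one finding is affected.

```yaml
# .github/codeql/codeql-config.yml (added example; file name and contents are assumed)
name: "CodeQL config with reviewed suppressions"

# Exclude a query whose alerts were reviewed and found not to apply here.
# Record why, by whom and when, so the exclusion can be revisited.
query-filters:
  - exclude:
      # Assumed query id for illustration: our logging wrapper escapes
      # newlines before writing, which the default query does not recognise.
      id: js/log-injection
      # reviewed 2024-05-01 by appsec; revisit if the logging wrapper changes

# Ignore paths only where no first-party code is analysed. Anything listed
# here is invisible to code scanning, true positives included.
paths-ignore:
  - "third_party/**"
  - "**/*.min.js"
```

Point the analysis at the file with `config-file: ./.github/codeql/codeql-config.yml` on the `github/codeql-action/init` step of the workflow. Because the file lives in the repository, every change to a filter or ignored path goes through pull request review and shows up in history, which gives the periodic review the explanation calls for a concrete place to happen.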

