Reporting False Positives

The Report False Positive action lets you flag an issue as a false positive, optionally adding an exclusion so the same finding is not reported again. It is available as an action on the issue details page.

Use this action when an issue is incorrectly detected, for example when the value is a known test secret, the resource is a sandbox, or the rule does not apply in your environment.

In OX, false positives can be defined at two levels:

  • Issue level: Marks the entire issue as a false positive. Tracks who reported or canceled it, along with the full comment history.

  • Aggregation level: Marks individual aggregations within an issue separately. Each aggregation can have its own false positive status, comment, and attribution.

This gives you fine-grained control: you can dismiss a specific occurrence without affecting the rest of the issue, or mark the whole thing at once.

If you have reported a few aggregations as false positive, the second option changes to a cancel false positive report option.

To report false positives:

  1. From the action bar at the bottom of the Issue Details dialog, select the Report False Positive icon.

  2. Select Report False Positive.

| Field | What it shows |
| --- | --- |
| Issue summary | The identifier of the issue being reported, including issue type, exposure context, encoding, and cloud provider (for example, S3 • Base64 GitHub Fine-Grained Personal Access Token • Internet Exposure • Base64 Encoded • AWS). |
| Scope | The specific connection or account the report is scoped to (for example, *AWS-Ox-security-demo-Cloud). |
| Aggregation note | A note that the action applies to all aggregations of the issue when all aggregations are selected. If only some of the aggregations are selected, the note states how many aggregations the action applies to. |
| Comment | Free-text field to explain why the issue is a false positive. |

  3. Select one of the following actions.

| Button | What it does |
| --- | --- |
| Cancel | Closes the dialog without reporting anything. |
| Report FP Only | Marks the issue as a false positive without creating an exclusion rule. |
| Report FP and Exclude | Marks the issue as a false positive and adds an exclusion so the same finding is not reported in future scans. |
