SRC011 — https://www.pixee.ai/blog/sast-false-positives-reduction
Metadata
| Field | Value |
|---|---|
| URL | https://www.pixee.ai/blog/sast-false-positives-reduction |
| Authors | Pixee AI |
| Date | March 24, 2026 |
Content Summary
Reports that Ghost Security found a 91% false positive rate when scanning public GitHub repositories across Go, Python, and PHP. Also cites OX Security's 2026 benchmark, which found enterprises face 865,398 security alerts per year, of which only 795 (0.092%) remained critical after reachability analysis. The post claims that well-tuned SAST deployments can operate at 10-20% false positive rates, compared to 60-90% out of the box.
Reliability: Medium
Vendor blog post that cites multiple third-party sources; vendor sells a false-positive reduction tool.
Relevance: High
Directly addresses Q002 about false positive rates and alert fatigue driving security tool abandonment.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Cites third-party data but does not reproduce full methodologies. |
| Measurement | Low risk | References specific benchmark data from named third-party sources. |
| Selective Reporting | High risk | Selects alarming false positive statistics that support its product pitch. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Pixee sells false-positive reduction tools; alarming false positive statistics directly support their product. |