# SRC009 — https://www.pixee.ai/blog/sast-false-positives-reduction
## Metadata
| Field | Value |
|---|---|
| URL | https://www.pixee.ai/blog/sast-false-positives-reduction |
| Authors | Pixee AI |
| Date | March 24, 2026 |
## Content Summary
Reports that Ghost Security's 2025 scan of public GitHub repos found 91% of SAST findings are false positives. OX Security's 2026 benchmark across 250 organizations found 865,398 average annual alerts, of which only 795 (0.092%) were critical after reachability analysis. Veracode data shows 82% of organizations harbor security debt.
## Reliability: Medium
Vendor blog aggregating multiple data points — individual citations are verifiable but presentation is commercially motivated.
## Relevance: High
Directly addresses false positive rates in SAST/SCA tools — central to Q002 barrier analysis.
## Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Selectively cites data supporting the false positive narrative while omitting tool-specific improvements. |
| Measurement | Some concerns | Aggregates multiple studies with different methodologies and definitions of false positive. |
| Selective Reporting | High risk | Vendor selling false-positive-reduction tools — presentation emphasizes worst-case FP rates. |
| Randomization | N/A | Compilation of observational data. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Pixee sells exploitability analysis tools that directly compete with traditional SAST — strong commercial incentive. |