
What do I do about false positives?

If a finding is wrong, mark it as false_positive. Qodex keeps the finding fingerprint so the item can stay out of the default open workflow while remaining searchable for audit and history.

Before a finding reaches you

Qodex applies guards to reduce common false positives:
Guard             What it catches
Misanchor guard   PR findings attached to imports, comments, blank lines, or structural lines.
Evidence guard    High-severity claims without enough screenshot, DOM, request, or response evidence.
Deduplication     Repeated observations of the same open issue.
These guards reduce noise, but reviewers should still triage findings.
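As an added illustration (not Qodex's own code; its finding schema is not shown on this page), here is a Python sketch of the three guards applied to constructed findings, plus the status filter that keeps false_positive items out of the default open list while leaving them in history. The field names, the two-evidence-kinds threshold and the structural-line list are assumptions.

```python
from dataclasses import dataclass

# Constructed model of a finding; field names are assumptions, not Qodex's schema.
@dataclass
class Finding:
    id: str
    severity: str                      # "low" | "medium" | "high"
    anchor_line: str                   # source line the inline PR comment points at
    evidence: frozenset = frozenset()  # subset of {"screenshot", "dom", "request", "response"}
    fingerprint: str = ""              # stable identity of the issue across observations
    status: str = "open"               # "open" | "resolved" | "false_positive" | "wontfix"

# Lines that carry no logic of their own; a finding anchored here is a misanchor (assumed list).
STRUCTURAL = {"{", "}", "};", "(", ")", "[", "]", "end", "pass"}


def is_misanchored(line: str) -> bool:
    """Misanchor guard: imports, comments, blank and structural lines are not real anchors."""
    s = line.strip()
    if not s or s in STRUCTURAL:
        return True
    return s.startswith(("import ", "from ", "#", "//", "/*", "*"))


def lacks_evidence(f: Finding, minimum: int = 2) -> bool:
    """Evidence guard: a high-severity claim needs at least `minimum` evidence kinds (assumed threshold)."""
    return f.severity == "high" and len(f.evidence) < minimum


def triage(findings, open_fingerprints):
    """Run the guards in order; return (kept, dropped) where dropped maps id -> reason.

    open_fingerprints holds fingerprints of issues already open and is updated in
    place, so a repeat within the same batch is also caught as a duplicate."""
    kept, dropped = [], {}
    for f in findings:
        if is_misanchored(f.anchor_line):
            dropped[f.id] = "misanchor"
        elif lacks_evidence(f):
            dropped[f.id] = "evidence"
        elif f.fingerprint in open_fingerprints:
            dropped[f.id] = "duplicate"
        else:
            open_fingerprints.add(f.fingerprint)
            kept.append(f)
    return kept, dropped


def default_open_list(history):
    """false_positive and wontfix stay in history but leave the default open view."""
    return [f for f in history if f.status == "open"]
```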

Mark a false positive

Open the finding and change its status to false_positive. The finding remains in history, but it should no longer appear in the default open list.

False positive vs wontfix

Use false_positive when Qodex is wrong. Use wontfix when Qodex is right but your team intentionally accepts the risk or chooses not to change the behavior.

PR review notes

Inline PR findings can occasionally be advisory when the anchor is uncertain. Review the surrounding code and evidence before treating the finding as confirmed.

Roadmap

PR slash commands for false-positive, resolve, and wontfix are planned so teams can update finding status directly from a PR thread.

Next steps

Inline findings

See how PR comments are anchored.

Slash commands

Learn the current PR command surface.

Findings

Understand Qodex findings.

Triage workflow

Move findings through review.