Avoiding False Positives
Before Flagging Anything
MUST verify ALL three:
- •Can you trace the execution path showing incorrect behavior?
- •Is this handled elsewhere (error boundaries, middleware, validators)?
- •Are you certain about framework behavior, API contracts, and language semantics?
If you cannot confidently answer all three, DO NOT create the finding.
Patterns to Recognize (DO NOT flag)
- •Intentional simplicity - Not every function needs error handling if caller handles it
- •Framework conventions - React hooks, dependency injection, ORM patterns have specific rules
- •Test code - Different standards apply (hardcoded values, no error handling often OK)
- •Generated code - Migrations, API clients, proto files (only review if hand-edited)
- •Copied patterns - If code matches existing patterns in codebase, consistency > "better" approach
When uncertain about a pattern, search the codebase for similar examples before flagging.
Codebase Conventions
Before suggesting changes:
- •Check existing patterns - How does this codebase handle similar cases?
- •Respect established conventions - Even if non-standard, consistency > perfection
- •Don't flag convention violations unless they cause bugs or security issues
Examples:
- •Codebase uses
anytypes extensively → Don't flag individual uses - •Codebase has no error handling in services → Don't flag one missing try-catch
- •Consistency matters more than isolated improvements
Common False Positives to Avoid
Do NOT flag when handled elsewhere or guaranteed by framework:
- •Null checks: Language/framework ensures non-null, or prior validation occurred
- •Error handling: Error boundaries exist, function designed to throw, or caller handles
- •Race conditions: Framework synchronizes (React state, DB transactions), or operations idempotent
- •Performance: Data bounded (<100 items), runs once at startup, no profiling evidence
- •Security: Framework sanitizes (parameterized queries, JSX escaping), or API layer validates
When uncertain, assume the developer knows something you don't.