How to Mark and Manage False Positives in Your Scan Results
Last updated: June 8, 2026
Introduction
Automated vulnerability scanners are designed to flag anything that matches a known vulnerability pattern. Occasionally, this results in a false positive — a reported issue that, upon closer inspection, does not actually exist in your application. Knowing how to correctly mark these and prevent them from appearing in future scans saves your team significant time and keeps your vulnerability list focused on real, actionable issues.
This article walks you through how to mark a vulnerability as a false positive, add a note for future reference, and optionally exclude that scan rule from all subsequent scans on your target.
Who Should Read This
This article is for developers, security engineers, and anyone responsible for triaging and managing vulnerabilities reported in the Astra dashboard. It is particularly useful for teams running frequent automated scans who want to keep their results clean and relevant.
Prerequisites
Before marking a vulnerability as a false positive, ensure that:
You have verified manually that the reported vulnerability does not exist in your application. Do not mark an issue as a false positive based solely on assumption — confirm it first.
You have Workspace Full Member access or higher. Restricted members cannot update vulnerability statuses.
You understand that marking a vulnerability as a false positive will not automatically remove it from your current scan results — it updates the status and optionally suppresses it in future scans.
Instructions - How to report a false positive
1. Open the vulnerability that you believe is a false positive from the Vulnerabilities tab.
2. Click on the vulnerability. On the right side of the details sheet, you will find the option to mark the vulnerability as a false positive.
3. Enter a note to help remember why it is a false positive. Keep the "Exclude scanning of this vulnerability in all future scans" box checked if you also want the rule suppressed in future scans.
4. Click on "Mark false positive".
How to View and Manage Excluded Scan Rules
If you need to review which scan rules have been excluded, or want to re-enable a rule that was previously suppressed, you can manage the full list from your target settings.
1. From your dashboard, navigate to Settings.
2. Select the relevant target.
3. Go to Target Settings and look for the Excluded Scan Rules section.
Here you will see a list of all rules currently excluded for this target. You can review or remove exclusions as needed.
Alternatively, if you want to add a new exclusion without going through the false positive flow, open the specific vulnerability, mark it as a false positive, and check the exclusion option as described in Step 3.

Best Practices
Always verify before marking. Confirm through manual testing that the vulnerability is genuinely a false positive before suppressing it. Incorrectly dismissing a real vulnerability could leave your application exposed.
Add a detailed note. A clear explanation of why an issue is a false positive helps your team and Astra's engineers understand the context, especially if the same issue appears in a future pentest.
Use exclusions sparingly. Only exclude a scan rule if you are confident it will never apply to your application. Over-excluding rules reduces the effectiveness of your scans.
Review your excluded rules periodically. As your application evolves, a previously excluded rule may become relevant again. Review the excluded rules list in your target settings during regular security reviews.
Consider requesting a vetted scan if you are regularly encountering false positives. Vetted scans include a manual review by Astra's security engineers to eliminate false positives before results are delivered to you. See [What are false positives and how to work with them?] for more details.
Troubleshooting
I marked a vulnerability as a false positive but it still appears in my results. Marking a vulnerability as a false positive updates its status — it does not delete it from your scan history. The vulnerability will remain visible in your list with a False Positive status. If you also excluded the scan rule, it will not appear in future scans, but historical records are preserved.
I accidentally marked a real vulnerability as a false positive. How do I undo it? Open the vulnerability details sheet and update the status back to Unsolved using the status dropdown on the right side of the sheet. If you also excluded the scan rule, go to Target Settings and remove it from the Excluded Scan Rules list.
The "Mark False Positive" option is not visible. This option is available for automated scan vulnerabilities. For manual pentest findings, the resolution process differs — use the comments section to discuss the finding with Astra's security engineers or raise a support ticket for clarification.
I excluded a scan rule but the vulnerability still appeared in my next scan. Check that the exclusion was saved correctly by reviewing the Excluded Scan Rules list in your target settings. If the rule is listed there, the vulnerability may have been reported from a different scan rule with a similar description. Raise a support ticket with the vulnerability ID and our team will investigate.
I want to exclude a scan rule without marking a specific vulnerability as a false positive. You can add exclusions directly from the Excluded Scan Rules section in your target settings, or by opening any instance of the relevant vulnerability type and following the false positive flow.