Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Mark vulnerability as false or true positive
You can mark vulnerabilities as false positive or true positive to validate scan findings. False positive requests go through an approval workflow, while Invicti AppSec applies true positive markings directly.
Mark a vulnerability as false positive
Marking a vulnerability as false positive indicates that the finding isn't a real vulnerability. False positive requests require approval from an administrator before they take effect.
Prerequisites
- You must have write permission on FP requests.
Mark a single vulnerability
- Navigate to the project and open the Vulnerabilities tab.
- Click the page icon on the right side of the vulnerability row to open the vulnerability details.
- In the vulnerability details drawer, find the False Positive section and set the toggle to Yes.
- Fill in the following fields:
  - Description: a description explaining why this vulnerability is a false positive. (mandatory)
  - Expiration Date: enable the toggle and choose a date and time if you want the FP status to expire automatically. If not set, the FP status doesn't expire.
- Click Mark as False Positive.
The request enters a Pending state until an administrator approves or rejects it.
Mark vulnerabilities in bulk
- In the vulnerability list, check the boxes for the vulnerabilities you want to mark.
- Click the Actions dropdown and choose False Positive.
- Set the FP Selection toggle to Yes to mark or No to unmark.
- Fill in the Description and optionally set an Expiration Date.
- Click Mark as False Positive.
After the bulk action completes, a summary shows:
- Successful transactions: Vulnerabilities that Invicti AppSec processed successfully.
- Failed transactions: Vulnerabilities that Invicti AppSec couldn't process, with error details.
- Untouched transactions: Vulnerabilities that Invicti AppSec skipped.
Approval workflow
False positive requests go through the following statuses:
- Pending: The request is waiting for review.
- Approved: An administrator approved the request. The vulnerability is now marked as false positive.
- Rejected: An administrator rejected the request.
- Expired: The FP status expired based on the expiration date.
Administrators can approve or reject pending FP requests from the vulnerability details drawer. The requester can cancel a pending request.
Unmark a false positive
To remove a false positive marking, open the vulnerability details, set the False Positive toggle to No, and click Unmark False Positive.
Mark a vulnerability as true positive
Marking a vulnerability as true positive confirms that the finding is a real vulnerability. Unlike false positive requests, true positive markings don't require approval.
Mark a single vulnerability
- Navigate to the project and open the Vulnerabilities tab.
- Click the page icon on the right side of the vulnerability row to open the vulnerability details.
- In the vulnerability details drawer, find the True Positive section and set the toggle to Yes.
- Enter a Description explaining why this vulnerability is a true positive.
- Click Mark as True Positive.
Invicti AppSec applies the marking immediately without an approval step.
Mark vulnerabilities in bulk
- In the vulnerability list, check the boxes for the vulnerabilities you want to mark.
- Click the Actions dropdown and choose True Positive.
- Set the TP Selection toggle to Yes to mark or No to unmark.
- Enter a Description.
- Click Mark as True Positive.
Unmark a true positive
To remove a true positive marking, open the vulnerability details, set the True Positive toggle to No, and click Unmark True Positive.