DEV Community

kongkong
kongkong

Posted on

Let AI Triage Static-Analysis Alerts Without Letting It Hide Bugs

“Use AI to remove static-analysis false positives” sounds like a classification feature. In production it is an authorization feature: who may hide a warning, for how long, with what evidence, and what happens when the code changes?

Keep detection and disposition separate.

scanner -> immutable finding -> context builder -> AI proposal
                                      |               |
                                      v               v
                               source snapshot   evidence bundle
                                                      |
                                                      v
                                      deterministic policy / reviewer
                                                      |
                                                      v
                                           time-bounded disposition
Enter fullscreen mode Exit fullscreen mode

The model should never delete a finding. It proposes one of needs_review, likely_false_positive, or likely_true_positive, plus cited code ranges and reasoning.

Store a durable contract

type TriageProposal = {
  findingId: string;
  scannerRule: string;
  sourceRevision: string;
  verdict: "needs_review" | "likely_false_positive" | "likely_true_positive";
  citedRanges: Array<{ path: string; start: number; end: number }>;
  modelId: string;
  promptVersion: string;
};

type Disposition = {
  proposalId: string;
  action: "keep_open" | "suppress_until_change";
  decidedBy: string;
  decidedAt: string;
  expiresAt: string;
};
Enter fullscreen mode Exit fullscreen mode

Bind every proposal to the scanner rule and source revision. If a cited file, data flow, dependency, or rule version changes, reopen the finding. “Suppressed forever” is not a recovery policy.

Put deterministic gates after the model

Never auto-suppress findings involving credentials, authorization, injection sinks, unsafe deserialization, cryptography, or public network exposure. Require cited ranges to exist in the scanned revision. Reject proposals with missing evidence. Sample accepted suppressions for review and track reopen rate by rule and repository.

Your evaluation set needs confirmed true positives, confirmed false positives, ambiguous cases, and code changes that invalidate an earlier disposition. Measure missed true positives separately from analyst time saved; averaging them into one accuracy number hides the expensive error.

The public MonkeyCode repository describes automated PR/MR review, AI tasks, and managed development environments. The contract above is applicable to AI-assisted review generally, but it is not a claim about MonkeyCode's scanner integrations or current suppression behavior.

Disclosure: I contribute to the MonkeyCode project. Product context comes from public documentation; this workflow is an independent design pattern.

AI can reduce review effort by assembling context. Authority to hide security evidence should remain explicit, reversible, and auditable.

Top comments (0)