Handling False Positives
A false positive occurs when the scanner flags a legitimate pattern as a security issue. False positives can be reported through the scan exception request process, which routes the finding to a human security reviewer.
Common False Positive Scenarios
| Check | False Positive Scenario | Recommended Fix |
|---|---|---|
| Expression Injection | A RuleSet condition uses env as a field name (e.g., record.env), not as an environment variable access | Rename the field to avoid the reserved prefix, or submit a scan exception request with an explanation |
| SQL Injection | A workflow node name contains "UNION" as a business term (e.g., "Union Dues Calculation") | Rename the node, or submit a scan exception request (node names are not executed) |
| Content Policy | A README example shows a placeholder that matches an API key pattern | Change it to a clearly labeled placeholder: YOUR_API_KEY_HERE |
| Content Policy | A form field label in French triggers an English profanity match | Submit a scan exception request explaining the language of the label |
| Dependency Vulnerability | A CVE affects a code path in the dependency that your package never exercises | Submit a scan exception request explaining which code path is affected and how your package avoids it |
Requesting a Scan Exception
For marketplace submissions (Phase 3 — PENDING):
```http
POST /api/marketplace/submissions/{submissionId}/scan-exception
Authorization: Bearer {publisherToken}

{
  "findingIndex": 0, // Index of the finding in the scan report
  "explanation": "The expression 'record.env' refers to an employee environment field in our HR data model (env = environment, as in 'work environment score'). It is not accessing Node.js process.env or any system environment variables. The expression evaluator in BizFirstGO does not have access to system environment variables.",
  "evidence": "The 'env' field is defined in our EntitySchema 'EmployeeRecord' as a numeric score field (type: number, range: 1-10)."
}
```

Response:

```json
{
  "exceptionId": "exc-a1b2c3",
  "status": "UnderReview",
  "reviewSLA": "2 business days",
  "reviewerAssigned": true
}
```
For direct imports (tenant administrator path):
```http
POST /api/installhub/imports/{importId}/scan-exception
Authorization: Bearer {adminToken}

{
  "findingIndex": 0,
  "explanation": "...",
  "justification": "This package is from a trusted internal source. The scan finding is a false positive."
}
```

Requires the installhub:admin role. If the exception is approved, the import is requeued and proceeds past the flagged finding.
Exception Review Process
1. Exception Submitted: The publisher or admin submits an exception request with an explanation and optional evidence. The request is logged with an immutable timestamp.
2. Assigned to Reviewer: A BizFirstGO security team member is assigned. Marketplace exceptions are reviewed within 2 business days. Import exceptions (admin-initiated) are reviewed within 4 business hours.
3. Reviewer Decision: The reviewer can approve (proceed as if the finding is absent), reject (the finding stands and the package remains blocked), or escalate (request additional information from the publisher).
4. Rule Update (if applicable): If the false positive reveals a systematic scanner issue, the security team updates the detection rule to reduce future false positives for similar patterns.
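As an added illustration of the rule-update step (example code, not the BizFirstGO scanner's own rule; the regular expressions are assumptions), the snippet below contrasts a naive Expression Injection check with a refined one that treats `env` as reserved only when it is the root of an access chain, so the `record.env` field from the table above no longer matches while `process.env.SECRET` still does:

```python
import re

# Naive rule (assumed): any identifier token "env" is a reserved-prefix hit,
# which is what produces the record.env false positive.
NAIVE_ENV_RULE = re.compile(r"\benv\b")

# Refined rule (assumed): "env" counts only when it is the root of a member or
# index access (env.X, env[...], process.env.X). A trailing field such as
# record.env, or a nested record.env.score, is treated as a data field.
REFINED_ENV_RULE = re.compile(
    r"(?<![\w.])(?:process\s*\.\s*)?env\s*(?:\.\s*\w+|\[)"
)

def naive_flags(expression: str) -> bool:
    """Original behaviour: flags legitimate field names as well."""
    return NAIVE_ENV_RULE.search(expression) is not None

def refined_flags(expression: str) -> bool:
    """Refined behaviour: flags only environment-variable style access."""
    return REFINED_ENV_RULE.search(expression) is not None

def triage(expressions):
    """Map each expression to (naive, refined) so a reviewer can see which
    findings the rule update removes and which remain true positives."""
    return {e: (naive_flags(e), refined_flags(e)) for e in expressions}

# Constructed sample expressions mirroring the page's scenarios.
SAMPLES = [
    "record.env > 7",                # HR field: false positive under naive rule
    "record.env.score >= 5",         # nested field: still a false positive
    "process.env.SECRET",            # true positive (the rejected case above)
    "env.API_TOKEN == input.token",  # true positive: bare env root
    "environment == 'prod'",         # unrelated identifier, neither rule fires
]

if __name__ == "__main__":
    for expr, (naive, refined) in triage(SAMPLES).items():
        print(f"{expr!r:34} naive={naive!s:5} refined={refined}")
```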
Checking Exception Status
```http
GET /api/marketplace/submissions/{submissionId}/scan-exception/{exceptionId}
```

Approved:

```json
{
  "exceptionId": "exc-a1b2c3",
  "status": "Approved",
  "decision": "The 'env' field reference is consistent with the EntitySchema definition provided. Not an environment variable access. Finding dismissed.",
  "reviewedBy": "BizFirstGO Security Team",
  "reviewedAt": "2026-05-26T10:00:00Z",
  "effect": "Submission requeued for listing"
}
```

Rejected:

```json
{
  "exceptionId": "exc-a1b2c3",
  "status": "Rejected",
  "decision": "The expression 'process.env.SECRET' is unambiguous. This is not a false positive. Please remove this expression and resubmit.",
  "reviewedAt": "2026-05-26T10:00:00Z"
}
```