Confidence Scoring
Caspian Security classifies detected issues with a confidence level based on lightweight variable-source analysis. This helps you prioritize: fix critical issues first, skip safe ones, and manually verify the rest.
| Level | Badge | Color | Meaning |
|---|---|---|---|
| Critical | [Critical] | Red | The vulnerability is almost certainly real -- a hardcoded secret or clearly unsafe pattern |
| Safe | [Safe] | Green | The flagged code uses a static value with no dynamic input -- likely a false positive |
| Verify Needed | [Verify Needed] | Orange | The value is dynamic (concatenation, interpolation, or variable reference) -- requires manual review |
When the heuristic is not confident enough to classify, no badge is shown.
Confidence badges appear next to the Verify button for each issue in the results table:
- Critical -- red badge
- Safe -- green badge
- Verify Needed -- orange badge
The confidence level is prepended to the diagnostic message:
```text
[Critical] [Secrets] CRED001: Hardcoded password or secret assignment
[Safe] [Database] DB001: Potential SQL injection via string concatenation
[Verify Needed] [Database] DB001: Potential SQL injection via string concatenation
```
The classifier uses targeted regex heuristics on the issue line and surrounding code. It only classifies issues where the heuristic is confident:
| Pattern | Classification |
|---|---|
| Value is a string literal ("...", '...') | Critical |
| Value references an environment variable (process.env, os.environ) | Verify Needed |

Examples:

```js
const password = "admin123"; // Critical -- hardcoded string literal
const password = process.env.PASS; // Verify Needed -- env var (could be empty)
```

| Pattern | Classification |
|---|---|
| Query uses string concatenation (+) or template interpolation (${}) | Verify Needed |
| Query uses parameterized syntax (?, $1, :param) | Safe |
| Query is a plain static string with no dynamic parts | Safe |

Examples:

```js
const query = "SELECT * FROM users"; // Safe -- static string
const query = "SELECT * FROM users WHERE id = ?"; // Safe -- parameterized
const query = "SELECT * FROM " + userInput; // Verify Needed -- concatenation
const query = `SELECT * FROM ${table}`; // Verify Needed -- interpolation
```

Rules outside of CRED*/AUTH001 and SQL*/DB001/DB002 do not receive a confidence classification. The heuristic only fires when it can be reasonably confident in the result.
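The following is an added example, not Caspian Security's own classifier: a small JavaScript model of the heuristic described in the two pattern tables above (secrets and SQL queries), plus the diagnostic formatter that prepends the level. Only the three levels, the rule families (CRED*/AUTH001, SQL*/DB001/DB002), the diagnostic message format and the pattern-to-classification mapping come from this page; the right-hand-side extraction, the exact regular expressions, the `OTHER001` rule id and the sample findings are constructed assumptions. It returns `null` wherever the page says no badge is shown.

```javascript
// Added example, not Caspian Security's own code: a JavaScript model of the
// confidence heuristic. The rule-id dispatch, rhsOf() and the exact regexes are
// assumptions; the levels, rule families and pattern table come from the page.

const LEVELS = { CRITICAL: "Critical", SAFE: "Safe", VERIFY: "Verify Needed" };

// Right-hand side of a single-line assignment, without a trailing ";" or
// "// comment". Returns null when the line is not an assignment (e.g. "a == b").
function rhsOf(line) {
  const m = /^[^=]*?=(?!=)\s*(.*?);?\s*(?:\/\/.*)?$/.exec(line.trim());
  return m ? m[1].trim() : null;
}

// Quote character if the whole value is one literal ("...", '...' or `...`),
// otherwise null (so `"a" + b` is not treated as a literal).
function literalQuote(rhs) {
  const m = /^(["'`])(?:(?!\1).)*\1$/.exec(rhs);
  return m ? m[1] : null;
}

// Secrets (CRED*/AUTH001): string literal -> Critical, env var -> Verify Needed.
function classifySecret(line) {
  const rhs = rhsOf(line);
  if (rhs === null) return null;
  const quote = literalQuote(rhs);
  if (quote === '"' || quote === "'") return LEVELS.CRITICAL;
  // process.env.X, process.env["X"], os.environ["X"], os.environ.get("X", ...)
  const envRef = /^(?:process\.env\.\w+|process\.env\[["']\w+["']\]|os\.environ(?:\[["']\w+["']\]|\.get\(["']\w+["'][^)]*\)))$/;
  if (envRef.test(rhs)) return LEVELS.VERIFY; // value may be empty or unset at runtime
  return null; // anything else: heuristic not confident, no badge
}

// SQL (SQL*/DB001/DB002): ${} interpolation or + concatenation -> Verify Needed,
// a single literal (placeholders such as ?, $1, :param are still static) -> Safe.
function classifySql(line) {
  const rhs = rhsOf(line);
  if (rhs === null) return null;
  const quote = literalQuote(rhs);
  if (quote !== null) {
    if (quote === "`" && /\$\{[^}]*\}/.test(rhs)) return LEVELS.VERIFY;
    return LEVELS.SAFE;
  }
  if (/["'`]\s*\+|\+\s*["'`]/.test(rhs)) return LEVELS.VERIFY;
  return null; // e.g. query built by a function call: not confident, no badge
}

// Only the two rule families above are scored; every other rule gets no badge.
function classify(ruleId, line) {
  if (/^(?:CRED\d+|AUTH001)$/.test(ruleId)) return classifySecret(line);
  if (/^(?:SQL\d+|DB00[12])$/.test(ruleId)) return classifySql(line);
  return null;
}

// Diagnostic text in the page's format, with the level prepended when assigned.
function formatDiagnostic(level, category, ruleId, message) {
  const prefix = level ? `[${level}] ` : "";
  return `${prefix}[${category}] ${ruleId}: ${message}`;
}

// Constructed sample findings; OTHER001 is a hypothetical rule id used only to
// show that rules outside the scored families get no badge.
const SAMPLE_ISSUES = [
  { ruleId: "CRED001", category: "Secrets", message: "Hardcoded password or secret assignment",
    line: 'const password = "admin123";' },
  { ruleId: "CRED001", category: "Secrets", message: "Hardcoded password or secret assignment",
    line: "const password = process.env.PASS;" },
  { ruleId: "DB001", category: "Database", message: "Potential SQL injection via string concatenation",
    line: 'const query = "SELECT * FROM users WHERE id = ?";' },
  { ruleId: "DB001", category: "Database", message: "Potential SQL injection via string concatenation",
    line: 'const query = "SELECT * FROM " + userInput;' },
  { ruleId: "OTHER001", category: "Web", message: "Hypothetical rule outside the scored families",
    line: 'const html = "<b>" + data;' },
];

// Returns the diagnostic strings as the results table would list them.
function runSample(issues = SAMPLE_ISSUES) {
  return issues.map((i) =>
    formatDiagnostic(classify(i.ruleId, i.line), i.category, i.ruleId, i.message));
}

runSample().forEach((d) => console.log(d));
```

The design point worth noting is that the heuristic answers "is the assigned value a literal, an env reference, or dynamic?" and stays silent otherwise; a query assembled by a helper function gets no badge rather than a guessed one, which is what keeps the Critical and Safe badges trustworthy enough to act on without a second look.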
- Fix Critical issues immediately -- these are almost certainly real vulnerabilities
- Review Verify Needed issues -- check if the dynamic input is sanitized or validated
- Skim Safe issues -- these are likely false positives, but worth a quick glance
- Ignore with reason -- use `.caspianignore` to suppress confirmed false positives

- Caspianignore -- suppress false positives with `.caspianignore`
- AI Fixes -- generate AI-powered fixes for critical issues
- Rule Reference -- browse all rules that can receive confidence scores