
Caspian-Explorer edited this page Feb 7, 2026 · 1 revision

Confidence Scoring

Caspian Security classifies each detected issue with a confidence level derived from lightweight variable-source analysis of the flagged code. This helps you prioritize: fix Critical issues first, deprioritize Safe ones, and manually verify the rest.


Classification Levels

Level           Badge             Color    Meaning
Critical        [Critical]        Red      The vulnerability is almost certainly real -- a hardcoded secret or a clearly unsafe pattern
Safe            [Safe]            Green    The flagged code uses a static value with no dynamic input -- likely a false positive
Verify Needed   [Verify Needed]   Orange   The value is dynamic (concatenation, interpolation, or a variable reference) -- requires manual review

When the heuristic is not confident enough to classify, no badge is shown.


Where Badges Appear

Results Panel

Confidence badges appear next to the Verify button for each issue in the results table:

  • Critical -- red badge
  • Safe -- green badge
  • Verify Needed -- orange badge

VS Code Diagnostics

The confidence level is prepended to the diagnostic message:

[Critical] [Secrets] CRED001: Hardcoded password or secret assignment
[Safe] [Database] DB001: Potential SQL injection via string concatenation
[Verify Needed] [Database] DB001: Potential SQL injection via string concatenation

How Classification Works

The classifier uses targeted regex heuristics on the issue line and its surrounding code; it does not trace data flow across the file. A badge therefore reflects only what is visible near the flagged line: a literal marked Safe can still be combined with untrusted input elsewhere, which is why Safe issues still deserve a glance. The classifier only assigns a badge where the heuristic is confident:

Secrets & Credentials (CRED*, AUTH001)

Pattern                                                              Classification
Value is a string literal ("...", '...')                             Critical
Value references an environment variable (process.env, os.environ)   Verify Needed

Examples:

const password = "admin123";        // Critical -- hardcoded string literal
const password = process.env.PASS;  // Verify Needed -- env var (could be empty)

SQL & Database Queries (SQL*, DB001, DB002)

Pattern                                                              Classification
Query uses string concatenation (+) or template interpolation (${})  Verify Needed
Query uses parameterized syntax (?, $1, :param)                      Safe
Query is a plain static string with no dynamic parts                 Safe

Examples:

const query = "SELECT * FROM users";                    // Safe -- static string
const query = "SELECT * FROM users WHERE id = ?";       // Safe -- parameterized
const query = "SELECT * FROM " + userInput;             // Verify Needed -- concatenation
const query = `SELECT * FROM ${table}`;                 // Verify Needed -- interpolation

Other Rules

Rules outside of CRED*/AUTH001 and SQL*/DB001/DB002 do not receive a confidence classification. The heuristic only fires when it can be reasonably confident in the result.
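As an added example (not the Caspian Security extension's own code), the following JavaScript reimplements the heuristic above closely enough to reproduce every classification in the two tables and the no-badge case for other rules. The regexes, the rule-family patterns, the assumption that any dynamic part outranks a placeholder, and the EXAMPLE001 rule id are all assumptions made for illustration; the real classifier also inspects surrounding code, which this single-line version omits.

```javascript
// Added illustration of the confidence heuristic described on this page.
// This is NOT the Caspian Security extension's code: the regexes, the
// rule-family matching and the precedence between table rows are assumptions
// chosen to reproduce the page's examples from a single line of code.

const CRITICAL = "Critical";
const SAFE = "Safe";
const VERIFY = "Verify Needed";

// Rule families that receive a badge (from the page). Anything else gets null,
// i.e. no badge is shown.
const SECRET_RULES = /^(?:CRED\d+|AUTH001)$/;
const SQL_RULES = /^(?:SQL\d+|DB001|DB002)$/;

// Secrets: is the assigned value a quoted literal, or an environment lookup?
const STRING_LITERAL = /=\s*(["'`])(?:(?!\1).)*\1\s*;?\s*$/;
const ENV_REFERENCE = /\b(?:process\.env|os\.environ)\b/;

// SQL: dynamic construction (concatenation or ${} interpolation) versus
// parameter placeholders (?, $1, :name).
const DYNAMIC_SQL = /\+|\$\{[^}]*\}/;
const PLACEHOLDER = /\?|\$\d+|:\w+/;

// Returns "Critical", "Safe", "Verify Needed", or null (heuristic not confident).
// Only the flagged line is inspected (simplification; the extension also looks
// at surrounding code).
function classify(ruleId, line) {
  if (SECRET_RULES.test(ruleId)) {
    if (STRING_LITERAL.test(line)) return CRITICAL;
    if (ENV_REFERENCE.test(line)) return VERIFY;
    return null;
  }
  if (SQL_RULES.test(ruleId)) {
    // Assumed precedence: any dynamic part wins, so a query that mixes a
    // placeholder with concatenation is still sent for manual review.
    if (DYNAMIC_SQL.test(line)) return VERIFY;
    if (PLACEHOLDER.test(line)) return SAFE; // parameterized query
    return SAFE;                             // plain static string
  }
  return null;
}

// Order used by the Prioritization Workflow: Critical, Verify Needed, Safe,
// then unclassified findings last.
const PRIORITY = { [CRITICAL]: 0, [VERIFY]: 1, [SAFE]: 2 };

function rank(confidence) {
  return confidence === null ? 3 : PRIORITY[confidence];
}

function triage(findings) {
  return findings
    .map((f) => ({ ...f, confidence: classify(f.rule, f.line) }))
    .sort((a, b) => rank(a.confidence) - rank(b.confidence));
}

// Mirrors the VS Code diagnostic format shown on this page: the badge is
// prepended only when a classification exists.
function formatDiagnostic(f) {
  const badge = f.confidence ? `[${f.confidence}] ` : "";
  return `${badge}[${f.category}] ${f.rule}: ${f.message}`;
}

// Constructed sample findings (not real scanner output). EXAMPLE001 is a
// hypothetical rule id used only to exercise the "no badge" path.
const SAMPLE_FINDINGS = [
  { rule: "DB001", category: "Database", message: "Potential SQL injection via string concatenation",
    line: 'const query = "SELECT * FROM " + userInput;' },
  { rule: "CRED001", category: "Secrets", message: "Hardcoded password or secret assignment",
    line: 'const password = "admin123";' },
  { rule: "DB001", category: "Database", message: "Potential SQL injection via string concatenation",
    line: 'const query = "SELECT * FROM users WHERE id = ?";' },
  { rule: "CRED001", category: "Secrets", message: "Hardcoded password or secret assignment",
    line: "const password = process.env.PASS;" },
  { rule: "EXAMPLE001", category: "Other", message: "Hypothetical finding with no confidence heuristic",
    line: 'const value = "static";' },
];

for (const f of triage(SAMPLE_FINDINGS)) console.log(formatDiagnostic(f));
```

Run it with node to see the sample findings printed in triage order with the badge prefix. The mixed case (a placeholder plus concatenation on the same line) is the one worth noting: under the assumed precedence it lands in Verify Needed rather than Safe, which is the conservative choice for a line-local heuristic.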


Prioritization Workflow

  1. Fix Critical issues immediately -- these are almost certainly real vulnerabilities
  2. Review Verify Needed issues -- check if the dynamic input is sanitized or validated
  3. Skim Safe issues -- these are likely false positives, but worth a quick glance
  4. Ignore with reason -- use .caspianignore to suppress confirmed false positives

Next Steps

  • Caspianignore -- suppress false positives with .caspianignore
  • AI Fixes -- generate AI-powered fixes for critical issues
  • Rule Reference -- browse all rules that can receive confidence scores
