Interview Security & DevSecOps

How do you handle false positives in SonarQube? [Basic]

Answer

I handle false positives by validating the finding, documenting why it is not exploitable, marking it appropriately in SonarQube, and tuning rules only when the pattern is repeatedly noisy. I avoid blanket suppression because that hides real issues.

Technical explanation

False positives should be reviewed by someone with enough context to understand the code path and threat model.

Use issue workflow states, comments, or targeted suppression with justification rather than disabling rules globally.

If a rule creates excessive noise across many teams, adjust the quality profile centrally and communicate the reason.

Hands-on example

For a flagged SQL injection finding where the code actually uses a safe query builder: attach evidence to the issue, mark it as a false positive or as accepted (whichever your workflow configures), and add a unit test showing that parameters are bound rather than concatenated. Keep the rule enabled so that raw SQL string concatenation elsewhere is still caught.
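As an added example (not code from the original page), here is what that evidence can look like in Python with sqlite3, assuming the flagged code is a user lookup by name. The bound version carries a narrow `# NOSONAR` marker (SonarQube's inline suppression) with its justification; the concatenated version is left unsuppressed so the rule keeps flagging it.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table for the test."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def find_user_bound(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver sends `name` as a value, never as SQL text.
    A scanner that tracks user input into execute() may still flag this line;
    the justification on the marker and the test below are the evidence that
    backs a false-positive mark. The suppression is scoped to this one line."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()  # NOSONAR: placeholder-bound, see test_bound_input_is_literal

def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: input becomes part of the SQL text. This is the
    case the rule exists for; it stays flagged and gets fixed, not marked."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def bound_input_is_literal(conn: sqlite3.Connection) -> bool:
    """Unit-test style check attached as evidence: a value containing SQL
    syntax is matched as a literal name (no row is called that), while the
    same value changes the result set of the concatenated query."""
    probe = "' OR '1'='1"  # constructed input containing quote characters
    bound_rows = find_user_bound(conn, probe)
    concat_rows = find_user_concat(conn, probe)
    return bound_rows == [] and len(concat_rows) == 2

if __name__ == "__main__":
    print("binding verified:", bound_input_is_literal(make_db()))
```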
