The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

eslint-plugin-security flags one safe pattern for every real vulnerability it catches. Five other security plugins benchmarked side-by-side, with the false-positive code samples that drive alert fatigue.

lunedì 25 maggio 2026 New tab

1,955 words~9 min read

This is the false-positive deep dive companion to I Benchmarked 17 ESLint Security Plugins. That overview ranks plugins by recall; this one drills into the FP code samples that drive alert fatigue.

TL;DR

I built a comprehensive benchmark with 40 vulnerable code patterns across 14 security categories and 38 safe patterns that should NOT trigger warnings. Then I ran six ESLint security plugins against them.

The Headline Numbers

The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

The False Positive Tax: a 1:1 TP:FP analysis of eslint-plugin-security

Other newsrooms on this story

Related reading

I Benchmarked 17 ESLint Security Plugins. Only One Found Every Vulnerability.

9 in 10 Docker Compose files skip the basic security flags

WordPress security: the 10-minute monthly checklist that catches real problems

Verified or Not? Ep. 2 — Snyk's Own Test App Scanned With 9 Engines

Detecting unusual processes on your servers without writing a single rule

Mozilla says 271 vulnerabilities found by Mythos have "almost no false…

Related reading

I Benchmarked 17 ESLint Security Plugins. Only One Found Every Vulnerability.

9 in 10 Docker Compose files skip the basic security flags

WordPress security: the 10-minute monthly checklist that catches real problems

Verified or Not? Ep. 2 — Snyk's Own Test App Scanned With 9 Engines

Detecting unusual processes on your servers without writing a single rule

Mozilla says 271 vulnerabilities found by Mythos have "almost no false…

Other newsrooms on this story