Configure Confidence
Tune confidence thresholds to balance precision and recall.
Understanding Confidence
Confidence scores range from 0.0 to 1.0:
| Score | Level | Meaning |
|---|---|---|
| 0.8 - 1.0 | HIGH | Very likely a real dependency |
| 0.5 - 0.8 | MEDIUM | Probably related, review recommended |
| 0.0 - 0.5 | LOW | Weak signal, often false positive |
Setting the Threshold
In .jnkn/config.yaml:
Higher threshold = fewer matches, fewer false positives:
Lower threshold = more matches, may catch subtle dependencies:
Per-Rule Thresholds
Different rules can have different thresholds:
```yaml
stitching:
  min_confidence: 0.5  # Default
  rule_overrides:
    EnvVarToInfraRule:
      min_confidence: 0.6  # Stricter for env→infra
    K8sToSecretRule:
      min_confidence: 0.4  # More permissive for K8s
```
Signal Weights
Customize how confidence is calculated:
```yaml
stitching:
  confidence:
    signals:
      exact_match: 1.0
      normalized_match: 0.9
      token_overlap_high: 0.85
      token_overlap_medium: 0.7
      suffix_match: 0.6
      contains: 0.5
    penalties:
      short_token: 0.5   # Tokens < 4 chars
      common_token: 0.7  # Generic words like "url", "host"
      ambiguous: 0.8     # Multiple possible matches
```
Token Configuration
Blocked Tokens
Tokens that provide no matching signal:
Minimum Token Length
Ignore short tokens:
Low-Value Tokens
Tokens that reduce confidence when matched:
Finding the Right Balance
Start Conservative
Run jnkn scan and check results. If you're missing real dependencies, lower the threshold.
Check What You're Missing
If the confidence is 0.65 but the match is real, consider lowering your threshold.
Iterate
- Scan with current settings
- Review a sample of matches
- Adjust threshold or add suppressions
- Repeat
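To put numbers on the review step, the script below measures precision and recall of a hand-reviewed sample against the default threshold and the per-rule overrides shown earlier, and lists the real dependencies the current settings drop. It is an added example, not jnkn code: the sample matches, the `OtherRule` name, and the inclusive `>=` comparison are assumptions.

```python
# Added example, not part of jnkn. CONFIG mirrors the per-rule YAML on this page.
CONFIG = {
    "min_confidence": 0.5,
    "rule_overrides": {
        "EnvVarToInfraRule": {"min_confidence": 0.6},
        "K8sToSecretRule": {"min_confidence": 0.4},
    },
}

# Constructed review sample: (rule, confidence, reviewer marked it a real dependency)
SAMPLE = [
    ("EnvVarToInfraRule", 0.92, True),
    ("EnvVarToInfraRule", 0.65, True),
    ("EnvVarToInfraRule", 0.55, False),
    ("K8sToSecretRule", 0.45, True),
    ("K8sToSecretRule", 0.41, False),
    ("OtherRule", 0.52, False),  # hypothetical rule with no override
    ("OtherRule", 0.48, True),
    ("OtherRule", 0.85, True),
]

def threshold_for(rule, config):
    """Per-rule override if present, otherwise the default min_confidence."""
    override = config.get("rule_overrides", {}).get(rule, {})
    return override.get("min_confidence", config["min_confidence"])

def evaluate(sample, config):
    """Precision and recall of the matches that survive the thresholds."""
    kept = [m for m in sample if m[1] >= threshold_for(m[0], config)]  # assumed inclusive
    true_pos = sum(1 for _, _, real in kept if real)
    total_real = sum(1 for _, _, real in sample if real)
    return {
        "kept": len(kept),
        "precision": true_pos / len(kept) if kept else 1.0,
        "recall": true_pos / total_real if total_real else 1.0,
    }

def missed_real(sample, config):
    """Real dependencies filtered out: candidates for a lower threshold."""
    return [(r, c) for r, c, real in sample if real and c < threshold_for(r, config)]

def sweep(sample, config, defaults=(0.4, 0.5, 0.6, 0.7, 0.8)):
    """Re-evaluate with different default thresholds; overrides stay fixed."""
    return [(d, evaluate(sample, dict(config, min_confidence=d))) for d in defaults]

if __name__ == "__main__":
    print("current:", evaluate(SAMPLE, CONFIG))
    print("missed real matches:", missed_real(SAMPLE, CONFIG))
    for default, result in sweep(SAMPLE, CONFIG):
        print(f"default={default}: {result}")
```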
Environment Variable Override
Override in CI without changing config: