A system includes a memory and processor. The memory stores code segment vulnerability findings that were generated through static application security testing (SAST). The processor generates a code fingerprint for each code segment, which corresponds to an abstract syntax tree that has been augmented by data flow information and flattened. The processor applies a machine learning clustering algorithm to group the code fingerprints into clusters of fingerprints that share one or more features. The processor additionally determines that both the fingerprint corresponding to the first source code segment and the fingerprint corresponding to a second source code segment belong to the same cluster. In response, the processor transmits an alert to a device of an administrator, identifying the second code segment as vulnerable to a real vulnerability, where a vulnerability finding for the first code segment has been classified as the real vulnerability through external review.