Reachable self-remediation demo · Needs review

Reachable remediation needs review

The remediation proof scan has no blocking findings, but the baseline contract did not fully match. Public, sanitized proof for the intentionally vulnerable Reachable Go testbed. The page is built from the Reachable scan database: vulnerable baseline scan, remediation proof scan, expected issue contract, branch, commit, scan number, timestamp, and AI cost telemetry. Private prompts, rules, agent transcripts, and local databases are not published.

21
Expected issues
18
Found on vulnerable main
18
Fixed on remediation branch
0
Still present
0
Final actionable findings
$0.2001
AI cost estimate
20,858
AI tokens
$1,000.00
Engineer baseline
$99.00
Reachable plan

Vulnerable baseline

Scan: #42 1.0.0b115 complete
Branch: reachable-remediate-2616266772
Commit: c0ba76fe
Timestamp: 2026-06-20 15:27:37
Runtime: 2m 37s
AI: 12 calls, 20,858 tokens, $0.2001

Remediated branch proof

Scan: #48 1.0.0b115 complete
Branch: reachable-remediate-2616266772
Commit: 562ca3c1
Timestamp: 2026-06-20 15:34:22
Runtime: 17s
AI: 0 calls, 0 tokens, $0.0000

CI cache / install evidence

Cache restored: no
Install mode: installed
Version: target latest, installed REACHABLE 1.0.0b115
repo.db reused: yes (1 before, 1 after)
Latest DB hash: ff6ccfb702d0
Latest scan: #48 commit 562ca3c1

Demo Contract: Expected Vulnerabilities Fixed

Needs review: This table is the demo contract. Each row is an expected vulnerable fixture. “Fixed” means it was present in the vulnerable baseline database and absent from the remediation proof database.

Expected issueRiskReachabilityExploitabilityLocationBaselineRemediation proofStatusFix / evidence
AI/LLM01-http-post-with-pii-payload-—-data-leakag
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/ai.go:32FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
Details

HTTP POST with PII payload — data leakage risk

AI/LLM01-http-post-with-pii-payload-—-data-leakag
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/ai.go:51FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
Details

HTTP POST with PII payload — data leakage risk

CWE/78
OS command injection via exec.Command with shell
Problem contract
CRITICALREACHABLEEXPLOITABLEinternal/handlers/cwe.go:12FoundNot reportedFixed - no longer reportedAgent removed command-execution risk and proof scan confirms the sink is gone.
Details

OS command injection via exec.Command with shell

CWE/319
User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request.
Problem contract
CRITICALREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:13FoundNot reportedFixed - no longer reportedExpected vulnerable fixture row is no longer present in the proof scan.
Details

User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request.

DLP/6fd2031f2cff0e06
PII data (SSN, DOB, credit card) in Go log output
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/dlp.go:13FoundNot reportedFixed - no longer reportedSynthetic PII exposure is removed from logs or outbound data paths.
Details

PII data (SSN, DOB, credit card) in Go log output

DLP/f22dde2c0a9e3739
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/dlp.go:15FoundNot reportedFixed - no longer reportedSynthetic PII exposure is removed from logs or outbound data paths.
Details

HTTP POST with PII payload — data leakage risk

CVE/CVE-2022-32149
GO-2022-1059
Problem contract
LOWNOT_REACHABLENOT ATTACKEDinternal/handlers/cve.goFoundNot reportedFixed - no longer reportedDependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.
Details

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

AI/LLM05-unguarded-data-flow-from-http_param-to-c
AI / LLM security issue
Problem contract
MEDIUMreachableinternal/handlers/cwe.go:11MissingNot reportedExpected baseline row was not detectedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
AI / LLM security issue
Problem contract
MEDIUMreachableinternal/handlers/suspicious.go:13MissingNot reportedExpected baseline row was not detectedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
AI / LLM security issue
Problem contract
MEDIUMreachableinternal/handlers/cwe.go:22MissingNot reportedExpected baseline row was not detectedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:38FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:22FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/ai.go:21FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:16FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/918
http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:14FoundNot reportedFixed - no longer reportedAgent removed arbitrary outbound fetch behavior that could become SSRF.
Details

http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:16FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/ai.go:39FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:24FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/ai.go:61FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:30FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

SECRET/github-pat
Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00
Problem contract
MEDIUMREACHABLENOT ATTACKEDinternal/handlers/secrets.go:11FoundNot reportedFixed - no longer reportedSynthetic secret exposure is removed from production-actionable posture.
Details

Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00

Run Evidence: Install, Cache, Database

This section proves the CI run used an installed Reachable version and either restored or initialized the Reachable cache. The raw proof files are sanitized JSON artifacts; the demo verdict still comes from the scan database.

Cache restoredno
Cache sourcegitlab-cache
Install modeinstalled
Target versionlatest
Installed versionREACHABLE 1.0.0b115
repo.db reusedyes
repo.db count before1
repo.db count after1
Scan sessions after48
Cache size before4 KB
Cache size after4 KB
Latest repo.db hashff6ccfb702d0e6c67600fcedd5a4a7d34f5662b0a06ff5ebfd4550eee50825ef

Remaining Production Actionable Findings

0
Selected public findings
0
Exploitable
0
Reachable
0
Unknown
0
Defended
0
Suspicious packages

This section is the selected public posture export for code-scanning surfaces. The demo pass/fail proof above is built from REACHABLE's structured evidence record.

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No exploitable or reachable findings were reported.

Production Actionable: Defended / Defendable

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No defended or defendable findings were included in this public SARIF.

All Production Actionable Signals

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No production actionable signals were reported.

Remediation Attempt

Status: needs_review. Structured proof verdict: The remediation proof scan has no blocking findings, but the baseline contract did not fully match.

RulePackageSignalsSuggested fix
No remediation rules were selected in this run.

Sanitized Artifacts

These are convenience exports. The public page does not publish the private remediation bundle, prompt text, generated rules, agent transcript, raw witnesses, or local databases.

Code scanning report CI run Selected SARIF GitLab SAST report Sanitized remediation ledger Run evidence: before-install Run evidence: after-install Run evidence: after-scan Expected issue contract Summary JSON Summary Markdown

Generated at 2026-06-20T15:35:49.003917+00:00 for sthenos-security-public/reach-testbed-gitlab-go / main / commit c0ba76fe94d22e8a37e9fac3893e5ee1bae5fc64. Page URL: https://reach-testbed-gitlab-go-bfc337.gitlab.io/