Reachable remediation needs review
The remediation proof scan has no blocking findings, but the baseline contract did not fully match. Public, sanitized proof for the intentionally vulnerable Reachable Go testbed. The page is built from the Reachable scan database: vulnerable baseline scan, remediation proof scan, expected issue contract, branch, commit, scan number, timestamp, and AI cost telemetry. Private prompts, rules, agent transcripts, and local databases are not published.
Vulnerable baseline
Scan: #42 1.0.0b115 complete
Branch: reachable-remediate-2616266772
Commit: c0ba76fe
Timestamp: 2026-06-20 15:27:37
Runtime: 2m 37s
AI: 12 calls, 20,858 tokens, $0.2001
Remediated branch proof
Scan: #48 1.0.0b115 complete
Branch: reachable-remediate-2616266772
Commit: 562ca3c1
Timestamp: 2026-06-20 15:34:22
Runtime: 17s
AI: 0 calls, 0 tokens, $0.0000
CI cache / install evidence
Cache restored: no
Install mode: installed
Version: target latest, installed REACHABLE 1.0.0b115
repo.db reused: yes (1 before, 1 after)
Latest DB hash: ff6ccfb702d0
Latest scan: #48 commit 562ca3c1
Demo Contract: Expected Vulnerabilities Fixed
Needs review: This table is the demo contract. Each row is an expected vulnerable fixture. “Fixed” means it was present in the vulnerable baseline database and absent from the remediation proof database.
| Expected issue | Risk | Reachability | Exploitability | Location | Baseline | Remediation proof | Status | Fix / evidence |
|---|---|---|---|---|---|---|---|---|
AI/LLM01-http-post-with-pii-payload-—-data-leakagHTTP POST with PII payload — data leakage risk Problem contract | CRITICAL | REACHABLE | NOT ATTACKED | internal/handlers/ai.go:32 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix.DetailsHTTP POST with PII payload — data leakage risk |
AI/LLM01-http-post-with-pii-payload-—-data-leakagHTTP POST with PII payload — data leakage risk Problem contract | CRITICAL | REACHABLE | NOT ATTACKED | internal/handlers/ai.go:51 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix.DetailsHTTP POST with PII payload — data leakage risk |
CWE/78OS command injection via exec.Command with shell Problem contract | CRITICAL | REACHABLE | EXPLOITABLE | internal/handlers/cwe.go:12 | Found | Not reported | Fixed - no longer reported | Agent removed command-execution risk and proof scan confirms the sink is gone.DetailsOS command injection via exec.Command with shell |
CWE/319User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request. Problem contract | CRITICAL | REACHABLE | EXPLOITABLE | internal/handlers/suspicious.go:13 | Found | Not reported | Fixed - no longer reported | Expected vulnerable fixture row is no longer present in the proof scan.DetailsUser-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request. |
DLP/6fd2031f2cff0e06PII data (SSN, DOB, credit card) in Go log output Problem contract | CRITICAL | REACHABLE | NOT ATTACKED | internal/handlers/dlp.go:13 | Found | Not reported | Fixed - no longer reported | Synthetic PII exposure is removed from logs or outbound data paths.DetailsPII data (SSN, DOB, credit card) in Go log output |
DLP/f22dde2c0a9e3739HTTP POST with PII payload — data leakage risk Problem contract | CRITICAL | REACHABLE | NOT ATTACKED | internal/handlers/dlp.go:15 | Found | Not reported | Fixed - no longer reported | Synthetic PII exposure is removed from logs or outbound data paths.DetailsHTTP POST with PII payload — data leakage risk |
CVE/CVE-2022-32149GO-2022-1059 Problem contract | LOW | NOT_REACHABLE | NOT ATTACKED | internal/handlers/cve.go | Found | Not reported | Fixed - no longer reported | Dependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.DetailsAn attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. |
AI/LLM05-unguarded-data-flow-from-http_param-to-cAI / LLM security issue Problem contract | MEDIUM | reachable | internal/handlers/cwe.go:11 | Missing | Not reported | Expected baseline row was not detected | AI/LLM unsafe data flow is removed or covered by the underlying code fix. | |
AI/LLM05-unguarded-data-flow-from-http_param-to-cAI / LLM security issue Problem contract | MEDIUM | reachable | internal/handlers/suspicious.go:13 | Missing | Not reported | Expected baseline row was not detected | AI/LLM unsafe data flow is removed or covered by the underlying code fix. | |
AI/LLM05-unguarded-data-flow-from-http_param-to-cAI / LLM security issue Problem contract | MEDIUM | reachable | internal/handlers/cwe.go:22 | Missing | Not reported | Expected baseline row was not detected | AI/LLM unsafe data flow is removed or covered by the underlying code fix. | |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/cve.go:38 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/cve.go:22 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/ai.go:21 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/cve.go:16 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/918http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/suspicious.go:14 | Found | Not reported | Fixed - no longer reported | Agent removed arbitrary outbound fetch behavior that could become SSRF.Detailshttp.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/suspicious.go:16 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/ai.go:39 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/suspicious.go:24 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/ai.go:61 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/suspicious.go:30 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
SECRET/github-patUncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00 Problem contract | MEDIUM | REACHABLE | NOT ATTACKED | internal/handlers/secrets.go:11 | Found | Not reported | Fixed - no longer reported | Synthetic secret exposure is removed from production-actionable posture.DetailsUncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00 |
Run Evidence: Install, Cache, Database
This section proves the CI run used an installed Reachable version and either restored or initialized the Reachable cache. The raw proof files are sanitized JSON artifacts; the demo verdict still comes from the scan database.
| Cache restored | no |
|---|---|
| Cache source | gitlab-cache |
| Install mode | installed |
| Target version | latest |
| Installed version | REACHABLE 1.0.0b115 |
| repo.db reused | yes |
| repo.db count before | 1 |
| repo.db count after | 1 |
| Scan sessions after | 48 |
| Cache size before | 4 KB |
| Cache size after | 4 KB |
| Latest repo.db hash | ff6ccfb702d0e6c67600fcedd5a4a7d34f5662b0a06ff5ebfd4550eee50825ef |
Remaining Production Actionable Findings
This section is the selected public posture export for code-scanning surfaces. The demo pass/fail proof above is built from REACHABLE's structured evidence record.
| Signal | Reachability | Risk | Families | Package | Fix | Location | Message |
|---|---|---|---|---|---|---|---|
| No exploitable or reachable findings were reported. | |||||||
Production Actionable: Defended / Defendable
| Signal | Reachability | Risk | Families | Package | Fix | Location | Message |
|---|---|---|---|---|---|---|---|
| No defended or defendable findings were included in this public SARIF. | |||||||
All Production Actionable Signals
| Signal | Reachability | Risk | Families | Package | Fix | Location | Message |
|---|---|---|---|---|---|---|---|
| No production actionable signals were reported. | |||||||
Remediation Attempt
Status: needs_review. Structured proof verdict: The remediation proof scan has no blocking findings, but the baseline contract did not fully match.
| Rule | Package | Signals | Suggested fix |
|---|---|---|---|
| No remediation rules were selected in this run. | |||
Sanitized Artifacts
These are convenience exports. The public page does not publish the private remediation bundle, prompt text, generated rules, agent transcript, raw witnesses, or local databases.
Generated at 2026-06-20T15:35:49.003917+00:00 for sthenos-security-public/reach-testbed-gitlab-go / main / commit c0ba76fe94d22e8a37e9fac3893e5ee1bae5fc64. Page URL: https://reach-testbed-gitlab-go-bfc337.gitlab.io/