{
  "version": "15.1.4",
  "scan": {
    "analyzer": {
      "id": "reachable",
      "name": "REACHABLE",
      "vendor": {
        "name": "Sthenos Security"
      },
      "version": "1.0.0b115"
    },
    "scanner": {
      "id": "reachable",
      "name": "REACHABLE",
      "vendor": {
        "name": "Sthenos Security"
      },
      "version": "1.0.0b115"
    },
    "type": "sast",
    "start_time": "2026-06-20T15:21:41",
    "end_time": "2026-06-20T15:21:41",
    "status": "success"
  },
  "vulnerabilities": [
    {
      "id": "6a83c401-89bc-5289-a9c3-b9b1e6757553",
      "category": "sast",
      "name": "[REACHABLE] LLM01: HTTP POST with PII payload \u2014 data leakage risk",
      "description": "HTTP POST with PII payload \u2014 data leakage risk\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/ai.go",
        "start_line": 51,
        "end_line": 51,
        "method": "AIAgentPlan"
      },
      "identifiers": [
        {
          "type": "reachable_ai",
          "name": "AI/LLM01",
          "value": "LLM01",
          "url": "https://genai.owasp.org/"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      },
      "links": [
        {
          "url": "https://genai.owasp.org/"
        }
      ]
    },
    {
      "id": "543f545a-15d3-5732-8713-3236f23be313",
      "category": "sast",
      "name": "[REACHABLE] LLM01: HTTP POST with PII payload \u2014 data leakage risk",
      "description": "HTTP POST with PII payload \u2014 data leakage risk\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/ai.go",
        "start_line": 32,
        "end_line": 32,
        "method": "AIAnswer"
      },
      "identifiers": [
        {
          "type": "reachable_ai",
          "name": "AI/LLM01",
          "value": "LLM01",
          "url": "https://genai.owasp.org/"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      },
      "links": [
        {
          "url": "https://genai.owasp.org/"
        }
      ]
    },
    {
      "id": "91ace407-4cda-5998-b765-444d008a5b21",
      "category": "sast",
      "name": "[EXPLOITABLE] OS command injection via exec.Command with shell",
      "description": "OS command injection via exec.Command with shell\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/cwe.go",
        "start_line": 12,
        "end_line": 12,
        "method": "DiagnosticPing"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-78",
          "value": "78",
          "url": "https://cwe.mitre.org/data/definitions/78.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-cmdi-exec-regex -> go-cmdi-exec-regex (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/78.html"
        }
      ]
    },
    {
      "id": "4ed0b394-ffcd-5235-920d-09c156c873c0",
      "category": "sast",
      "name": "[EXPLOITABLE] User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
      "description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/suspicious.go",
        "start_line": 13,
        "end_line": 13,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-319",
          "value": "319",
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-user-controlled-url-no-tls -> go-user-controlled-url-no-tls (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ]
    },
    {
      "id": "cd58a90c-2702-5c02-818b-4a94a1c73761",
      "category": "sast",
      "name": "[REACHABLE] Data exposure: PII",
      "description": "HTTP POST with PII payload \u2014 data leakage risk\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/dlp.go",
        "start_line": 15,
        "end_line": 15,
        "method": "SupportExport"
      },
      "identifiers": [
        {
          "type": "reachable_dlp",
          "name": "DLP/07904faffe2a1ee4",
          "value": "07904faffe2a1ee4"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      }
    },
    {
      "id": "1d6a1e86-27d3-55ec-9b46-76f0b70d6c52",
      "category": "sast",
      "name": "[REACHABLE] Data exposure: PII",
      "description": "PII data (SSN, DOB, credit card) in Go log output\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/dlp.go",
        "start_line": 13,
        "end_line": 13,
        "method": "SupportExport"
      },
      "identifiers": [
        {
          "type": "reachable_dlp",
          "name": "DLP/4e5409dcc3180515",
          "value": "4e5409dcc3180515"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      }
    },
    {
      "id": "168e7219-081a-53fd-a561-568ad8f45144",
      "category": "sast",
      "name": "[REACHABLE] CVE-2022-32149 in golang.org/x/text",
      "description": "golang.org/x/text/language Denial of service via crafted Accept-Language header\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.\n\nThreat intelligence: CVSS: 7.5",
      "severity": "High",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/cve.go",
        "start_line": 1,
        "end_line": 1,
        "method": "ParseLanguage"
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2022-32149",
          "value": "CVE-2022-32149",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "solution": "Upgrade golang.org/x/text to version 0.3.8 or later.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        },
        "reachable_guidance": {
          "type": "text",
          "name": "Reachable guidance",
          "value": "0.3.8"
        }
      },
      "links": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149"
        },
        {
          "url": "https://osv.dev/vulnerability/CVE-2022-32149"
        }
      ]
    },
    {
      "id": "927d2369-3819-5ceb-b242-f3b9ac4b1d36",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/ai.go",
        "start_line": 61,
        "end_line": 61,
        "method": "SafeAIAnswer"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "f0907d07-996e-5cd3-9313-03f12f02b10f",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/ai.go",
        "start_line": 21,
        "end_line": 21,
        "method": "AIAnswer"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "aec13a8b-73d7-594b-982e-af2c1224053f",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/suspicious.go",
        "start_line": 24,
        "end_line": 24,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "ff5765e7-d1ca-57a8-ace1-7e1272324eec",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/cve.go",
        "start_line": 16,
        "end_line": 16,
        "method": "ParseYAML"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "1e14ff84-dd53-5c63-9f5f-41cae9a39c7b",
      "category": "sast",
      "name": "[EXPLOITABLE] http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
      "description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/suspicious.go",
        "start_line": 14,
        "end_line": 14,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-918",
          "value": "918",
          "url": "https://cwe.mitre.org/data/definitions/918.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-ssrf-http-get-tainted-url -> go-ssrf-http-get-tainted-url (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/918.html"
        }
      ]
    },
    {
      "id": "f8e8b174-a8ff-561c-9510-b1fc609eaccd",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/cve.go",
        "start_line": 38,
        "end_line": 38,
        "method": "ParseLanguage"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "ae7748e8-ec56-58ae-8b2e-d2155d7a27d5",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/suspicious.go",
        "start_line": 16,
        "end_line": 16,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "31dd0616-e330-5446-99a0-dc30349de376",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/suspicious.go",
        "start_line": 30,
        "end_line": 30,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "a28fe084-ec55-5f58-a7ac-7754b8524113",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/ai.go",
        "start_line": 39,
        "end_line": 39,
        "method": "AIAgentPlan"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "5f968b43-2fd2-5da9-951a-d8507082e003",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/cve.go",
        "start_line": 22,
        "end_line": 22,
        "method": "ParseYAML"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "0c00ba9f-9a6e-55a0-a53d-2c6a09b9de2b",
      "category": "sast",
      "name": "[REACHABLE] Exposed github-pat",
      "description": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00\n\nReachability: REACHABLE (LOW) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-go/internal/handlers/secrets.go",
        "start_line": 11,
        "end_line": 11
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/github-pat",
          "value": "github-pat"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: handlers/secrets.go -> Github Pat (hardcoded credential) (2 hops)."
        }
      }
    }
  ]
}