Reachable autonomous remediation demo · archived successful proof

All expected demo vulnerabilities were found and the remediation branch has no blocking findings.

Verdict: All expected demo vulnerabilities were found and the remediation branch has no blocking findings.

This page is an archived successful proof from CI run 26972297438. A newer remediation template run may exist; the current workflow list is the authority for latest run status. This page is built from the Reachable scan database: vulnerable baseline scan, remediation proof scan, expected issue contract, branch, commit, scan number, timestamp, and AI cost telemetry. Private prompts, rules, agent transcripts, and local databases are not published.

21
Expected issues
21
Found on vulnerable main
21
Fixed on remediation branch
0
Still present
0
Final release blockers
$0.0531
AI cost estimate
30,776
AI tokens

Vulnerable baseline

Scan: #2 1.0.0b101 complete
Branch: main
Commit: 8abd7831
Timestamp: 2026-06-04 18:45:52
Runtime: 1m 9s
AI: 17 calls, 30,776 tokens, $0.0531

Remediated branch proof

Scan: #4 1.0.0b101 complete
Branch: reachable-remediate-26972297438
Commit: 8abd7831
Timestamp: 2026-06-04 18:50:16
Runtime: 5s
AI: 0 calls, 0 tokens, $0.0000

Sanitized Artifacts

These are convenience exports. The public page does not publish the private remediation bundle, prompt text, generated rules, agent transcript, raw witnesses, or local databases.

Demo Contract: Expected Vulnerabilities Fixed

Clean: This table is the demo contract. Each row is an expected vulnerable fixture. “Fixed” means it was present in the vulnerable baseline database and absent from the remediation proof database.

Expected issueRiskReachabilityExploitabilityLocationBaselineRemediation proofStatusFix / evidence
AI/LLM01-http-post-with-pii-payload-—-data-leakag
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLEDEFENDEDinternal/handlers/ai.go:32FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
Details

HTTP POST with PII payload — data leakage risk

AI/LLM01-http-post-with-pii-payload-—-data-leakag
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLEDEFENDEDinternal/handlers/ai.go:51FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
Details

HTTP POST with PII payload — data leakage risk

CWE/78
OS command injection via exec.Command with shell
Problem contract
CRITICALREACHABLEEXPLOITABLEinternal/handlers/cwe.go:12FoundNot reportedFixed - no longer reportedAgent removed command-execution risk and proof scan confirms the sink is gone.
Details

OS command injection via exec.Command with shell

CWE/319
User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request.
Problem contract
CRITICALREACHABLEDEFENDEDinternal/handlers/suspicious.go:13FoundNot reportedFixed - no longer reportedExpected vulnerable fixture row is no longer present in the proof scan.
Details

User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request.

DLP/6fd2031f2cff0e06
PII data (SSN, DOB, credit card) in Go log output
Problem contract
CRITICALREACHABLEDEFENDEDinternal/handlers/dlp.go:13FoundNot reportedFixed - no longer reportedSynthetic PII exposure is removed from logs or outbound data paths.
Details

PII data (SSN, DOB, credit card) in Go log output

DLP/f22dde2c0a9e3739
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLEDEFENDEDinternal/handlers/dlp.go:15FoundNot reportedFixed - no longer reportedSynthetic PII exposure is removed from logs or outbound data paths.
Details

HTTP POST with PII payload — data leakage risk

CVE/CVE-2022-32149
GHSA-69ch-w2m2-3vjp
Problem contract
HIGHREACHABLENOT ATTACKEDinternal/handlers/cve.goFoundNot reportedFixed - no longer reportedDependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.
Details

golang.org/x/text/language Denial of service via crafted Accept-Language header

AI/LLM05-unguarded-data-flow-from-http_param-to-c
Unguarded data flow from http_param to code_exec
Problem contract
MEDIUMREACHABLENOT ATTACKEDinternal/handlers/cwe.go:11FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
Unguarded data flow from http_param to code_exec
Problem contract
MEDIUMREACHABLENOT ATTACKEDinternal/handlers/suspicious.go:13FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
Unguarded data flow from http_param to code_exec
Problem contract
MEDIUMREACHABLENOT ATTACKEDinternal/handlers/cwe.go:22FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:38FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/cve.go:22FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/ai.go:21FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/cve.go:16FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/918
http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:14FoundNot reportedFixed - no longer reportedAgent removed arbitrary outbound fetch behavior that could become SSRF.
Details

http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/suspicious.go:16FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/ai.go:39FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/suspicious.go:24FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/ai.go:61FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/suspicious.go:30FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

SECRET/github-pat
Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.
Problem contract
INFONOT_REACHABLENOT ATTACKEDinternal/handlers/secrets.go:11FoundNot reportedFixed - no longer reportedSynthetic secret exposure is removed from release-blocking DB evidence.
Details

Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.

Remaining Release Blockers

0
Selected public findings
0
Exploitable
0
Reachable
0
Unknown
0
Defended
0
Suspicious packages

This section is a selected public DB summary for release review. Platform exports such as SARIF are linked only as compatibility reports; the demo pass/fail proof above is DB-backed.

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No exploitable or reachable findings were reported.

Defended / Defendable Evidence

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No defended or defendable findings were included in the compatibility export.

All Release-Blocking Signals

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No release-blocking signals were reported.

Remediation Attempt

Status: success. DB-backed verdict: All expected demo vulnerabilities were found and the remediation branch has no blocking findings.

RulePackageSignalsSuggested fix
RCH-RULE-877450ee
RCH-RULE-4c957bd8
RCH-RULE-df212f4e
RCH-RULE-b4ff9103
RCH-RULE-27bd65de
RCH-RULE-1ab079af
RCH-RULE-604223bd
RCH-RULE-8bb65d1e
RCH-RULE-217c2dae
RCH-RULE-d990ae0f
RCH-RULE-a755ac83
RCH-RULE-7059753c

Generated at 2026-06-04T18:50:24.960843+00:00 for sthenos-security/reach-testbed-github-go / main / commit 8abd78310ce1a9f20fa6468725b802d297175743. Page URL: https://sthenos-security.github.io/reach-testbed-github-go/