All expected demo vulnerabilities were found and the remediation branch has no blocking findings.
This page is an archived successful proof from CI run 26972297438. A newer remediation template run may exist; the current workflow list is the authority for latest run status. This page is built from the Reachable scan database: vulnerable baseline scan, remediation proof scan, expected issue contract, branch, commit, scan number, timestamp, and AI cost telemetry. Private prompts, rules, agent transcripts, and local databases are not published.
Vulnerable baseline
Scan: #2 1.0.0b101 complete
Branch: main
Commit: 8abd7831
Timestamp: 2026-06-04 18:45:52
Runtime: 1m 9s
AI: 17 calls, 30,776 tokens, $0.0531
Remediated branch proof
Scan: #4 1.0.0b101 complete
Branch: reachable-remediate-26972297438
Commit: 8abd7831
Timestamp: 2026-06-04 18:50:16
Runtime: 5s
AI: 0 calls, 0 tokens, $0.0000
Sanitized Artifacts
These are convenience exports. The public page does not publish the private remediation bundle, prompt text, generated rules, agent transcript, raw witnesses, or local databases.
Demo Contract: Expected Vulnerabilities Fixed
Clean: This table is the demo contract. Each row is an expected vulnerable fixture. “Fixed” means it was present in the vulnerable baseline database and absent from the remediation proof database.
| Expected issue | Risk | Reachability | Exploitability | Location | Baseline | Remediation proof | Status | Fix / evidence |
|---|---|---|---|---|---|---|---|---|
AI/LLM01-http-post-with-pii-payload-—-data-leakagHTTP POST with PII payload — data leakage risk Problem contract | CRITICAL | REACHABLE | DEFENDED | internal/handlers/ai.go:32 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix.DetailsHTTP POST with PII payload — data leakage risk |
AI/LLM01-http-post-with-pii-payload-—-data-leakagHTTP POST with PII payload — data leakage risk Problem contract | CRITICAL | REACHABLE | DEFENDED | internal/handlers/ai.go:51 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix.DetailsHTTP POST with PII payload — data leakage risk |
CWE/78OS command injection via exec.Command with shell Problem contract | CRITICAL | REACHABLE | EXPLOITABLE | internal/handlers/cwe.go:12 | Found | Not reported | Fixed - no longer reported | Agent removed command-execution risk and proof scan confirms the sink is gone.DetailsOS command injection via exec.Command with shell |
CWE/319User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request. Problem contract | CRITICAL | REACHABLE | DEFENDED | internal/handlers/suspicious.go:13 | Found | Not reported | Fixed - no longer reported | Expected vulnerable fixture row is no longer present in the proof scan.DetailsUser-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request. |
DLP/6fd2031f2cff0e06PII data (SSN, DOB, credit card) in Go log output Problem contract | CRITICAL | REACHABLE | DEFENDED | internal/handlers/dlp.go:13 | Found | Not reported | Fixed - no longer reported | Synthetic PII exposure is removed from logs or outbound data paths.DetailsPII data (SSN, DOB, credit card) in Go log output |
DLP/f22dde2c0a9e3739HTTP POST with PII payload — data leakage risk Problem contract | CRITICAL | REACHABLE | DEFENDED | internal/handlers/dlp.go:15 | Found | Not reported | Fixed - no longer reported | Synthetic PII exposure is removed from logs or outbound data paths.DetailsHTTP POST with PII payload — data leakage risk |
CVE/CVE-2022-32149GHSA-69ch-w2m2-3vjp Problem contract | HIGH | REACHABLE | NOT ATTACKED | internal/handlers/cve.go | Found | Not reported | Fixed - no longer reported | Dependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.Detailsgolang.org/x/text/language Denial of service via crafted Accept-Language header |
AI/LLM05-unguarded-data-flow-from-http_param-to-cUnguarded data flow from http_param to code_exec Problem contract | MEDIUM | REACHABLE | NOT ATTACKED | internal/handlers/cwe.go:11 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix. |
AI/LLM05-unguarded-data-flow-from-http_param-to-cUnguarded data flow from http_param to code_exec Problem contract | MEDIUM | REACHABLE | NOT ATTACKED | internal/handlers/suspicious.go:13 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix. |
AI/LLM05-unguarded-data-flow-from-http_param-to-cUnguarded data flow from http_param to code_exec Problem contract | MEDIUM | REACHABLE | NOT ATTACKED | internal/handlers/cwe.go:22 | Found | Not reported | Fixed - no longer reported | AI/LLM unsafe data flow is removed or covered by the underlying code fix. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/cve.go:38 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/cve.go:22 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/ai.go:21 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/cve.go:16 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/918http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs. Problem contract | MEDIUM | REACHABLE | EXPLOITABLE | internal/handlers/suspicious.go:14 | Found | Not reported | Fixed - no longer reported | Agent removed arbitrary outbound fetch behavior that could become SSRF.Detailshttp.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/suspicious.go:16 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/ai.go:39 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/suspicious.go:24 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/ai.go:61 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
CWE/200Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. Problem contract | MEDIUM | REACHABLE | DEFENDED | internal/handlers/suspicious.go:30 | Found | Not reported | Fixed - no longer reported | Internal error details are no longer exposed to callers where remediation applied.DetailsInternal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side. |
SECRET/github-patToken detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation. Problem contract | INFO | NOT_REACHABLE | NOT ATTACKED | internal/handlers/secrets.go:11 | Found | Not reported | Fixed - no longer reported | Synthetic secret exposure is removed from release-blocking DB evidence.DetailsToken detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation. |
Remaining Release Blockers
This section is a selected public DB summary for release review. Platform exports such as SARIF are linked only as compatibility reports; the demo pass/fail proof above is DB-backed.
| Signal | Reachability | Risk | Families | Package | Fix | Location | Message |
|---|---|---|---|---|---|---|---|
| No exploitable or reachable findings were reported. | |||||||
Defended / Defendable Evidence
| Signal | Reachability | Risk | Families | Package | Fix | Location | Message |
|---|---|---|---|---|---|---|---|
| No defended or defendable findings were included in the compatibility export. | |||||||
All Release-Blocking Signals
| Signal | Reachability | Risk | Families | Package | Fix | Location | Message |
|---|---|---|---|---|---|---|---|
| No release-blocking signals were reported. | |||||||
Remediation Attempt
Status: success. DB-backed verdict: All expected demo vulnerabilities were found and the remediation branch has no blocking findings.
| Rule | Package | Signals | Suggested fix |
|---|---|---|---|
RCH-RULE-877450ee | |||
RCH-RULE-4c957bd8 | |||
RCH-RULE-df212f4e | |||
RCH-RULE-b4ff9103 | |||
RCH-RULE-27bd65de | |||
RCH-RULE-1ab079af | |||
RCH-RULE-604223bd | |||
RCH-RULE-8bb65d1e | |||
RCH-RULE-217c2dae | |||
RCH-RULE-d990ae0f | |||
RCH-RULE-a755ac83 | |||
RCH-RULE-7059753c |
Generated at 2026-06-04T18:50:24.960843+00:00 for sthenos-security/reach-testbed-github-go / main / commit 8abd78310ce1a9f20fa6468725b802d297175743. Page URL: https://sthenos-security.github.io/reach-testbed-github-go/