{
  "ai_economics": {
    "calls": 17,
    "cost_usd": 0.053112,
    "estimated": true,
    "source": "repo.db/enzo_attacker_audit",
    "tokens_total": 30776
  },
  "artifacts": [
    {
      "href": "reachable.sarif",
      "label": "SARIF compatibility export"
    },
    {
      "href": "remediation-ledger.json",
      "label": "Sanitized remediation ledger"
    },
    {
      "href": "db-remediation-verdict.json",
      "label": "DB remediation verdict"
    },
    {
      "href": "expected-results.html",
      "label": "Expected issue contract"
    },
    {
      "href": "summary.json",
      "label": "Summary JSON"
    }
  ],
  "by_family": {},
  "by_level": {},
  "by_reachability": {},
  "by_type": {},
  "compliance": {
    "available": true,
    "json": "compliance.json",
    "label": "after-final",
    "narrative_json": "compliance-narrative.json",
    "proof_run_counts": {
      "by_phase": {},
      "by_profile_kind": {},
      "by_profile_status": {},
      "by_state": {},
      "defended_after_reattack": 0,
      "failed": 0,
      "needs_review": 0,
      "samples": [],
      "skipped_policy": 0,
      "total_profiles": 0,
      "total_runs": 0,
      "verified_exploitable": 0
    }
  },
  "expected_demo": {
    "after": {
      "branch": "reachable-remediate-26972297438",
      "commit_hash": "8abd78310ce1a9f20fa6468725b802d297175743",
      "commit_short": "8abd7831",
      "critical_count": 0,
      "db_scan_id": 4,
      "duration_seconds": 5.03,
      "high_count": 0,
      "id": 4,
      "low_count": 0,
      "medium_count": 0,
      "reachable_findings": 0,
      "risk_level": "NONE",
      "status": "complete",
      "timestamp": "2026-06-04 18:50:16",
      "total_findings": 8,
      "version": "1.0.0b101"
    },
    "after_ai": {
      "calls": 0,
      "cost_usd": 0.0,
      "duration_seconds": 0.0,
      "tokens_in": 0,
      "tokens_out": 0,
      "tokens_total": 0
    },
    "after_available": true,
    "after_total": 0,
    "available": true,
    "baseline": {
      "branch": "main",
      "commit_hash": "8abd78310ce1a9f20fa6468725b802d297175743",
      "commit_short": "8abd7831",
      "critical_count": 6,
      "db_scan_id": 2,
      "duration_seconds": 69.64,
      "high_count": 3,
      "id": 2,
      "low_count": 0,
      "medium_count": 14,
      "reachable_findings": 23,
      "risk_level": "CRITICAL",
      "status": "complete",
      "timestamp": "2026-06-04 18:45:52",
      "total_findings": 32,
      "version": "1.0.0b101"
    },
    "baseline_ai": {
      "calls": 17,
      "cost_usd": 0.053112,
      "duration_seconds": 60.754,
      "tokens_in": 22768,
      "tokens_out": 8008,
      "tokens_total": 30776
    },
    "baseline_found": 21,
    "baseline_missing": 0,
    "clean": true,
    "contract_path": "expected-results.html",
    "evidence_source": "repo.db",
    "expected_total": 21,
    "fixed": 21,
    "headline": "All expected demo vulnerabilities were found and the remediation branch has no blocking findings.",
    "name": "reach-testbed-github-go golden baseline",
    "rows": [
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:55",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "6740c558f7cfe01d",
          "id": 41,
          "line_number": 32,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-llm-api-call",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 32,
        "location": "internal/handlers/ai.go:32",
        "match_key": [
          "ai",
          "internal/handlers/ai.go",
          32
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM01-http-post-with-pii-payload-\u2014-data-leakag",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:55",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "5192244fb7d1c57a",
          "id": 56,
          "line_number": 51,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-llm-api-call",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 51,
        "location": "internal/handlers/ai.go:51",
        "match_key": [
          "ai",
          "internal/handlers/ai.go",
          51
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM01-http-post-with-pii-payload-\u2014-data-leakag",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:54",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "CRITICAL"
          },
          "cwe_id": "CWE-78",
          "description": "OS command injection via exec.Command with shell",
          "file_path": "internal/handlers/cwe.go",
          "finding_id": "0382a9b8210d2122",
          "id": 40,
          "line_number": 12,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-cmdi-exec-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "OS command injection via exec.Command with shell"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "CRITICAL",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Command injection",
        "line": 12,
        "location": "internal/handlers/cwe.go:12",
        "match_key": [
          "cwe",
          "internal/handlers/cwe.go",
          12
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Agent removed command-execution risk and proof scan confirms the sink is gone.",
        "rule_id": "CWE/78",
        "signal_description": "OS command injection via exec.Command with shell",
        "signal_title": "OS command injection via exec.Command with shell",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:55",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-319",
          "description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "6b8adfa16fca0f6e",
          "id": 49,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-user-controlled-url-no-tls",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "CRITICAL",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Cleartext network exposure",
        "line": 13,
        "location": "internal/handlers/suspicious.go:13",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          13
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Expected vulnerable fixture row is no longer present in the proof scan.",
        "rule_id": "CWE/319",
        "signal_description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
        "signal_title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:55",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-532",
          "description": "PII data (SSN, DOB, credit card) in Go log output",
          "file_path": "internal/handlers/dlp.go",
          "finding_id": "a4166b11a07f88bc",
          "id": 47,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-pii-to-log-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "PII data (SSN, DOB, credit card) in Go log output"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "dlp",
        "found_after": false,
        "found_before": true,
        "kind": "PII / sensitive data exposure",
        "line": 13,
        "location": "internal/handlers/dlp.go:13",
        "match_key": [
          "dlp",
          "internal/handlers/dlp.go",
          13
        ],
        "path": "internal/handlers/dlp.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Synthetic PII exposure is removed from logs or outbound data paths.",
        "rule_id": "DLP/6fd2031f2cff0e06",
        "signal_description": "PII data (SSN, DOB, credit card) in Go log output",
        "signal_title": "PII data (SSN, DOB, credit card) in Go log output",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "CRITICAL",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:54",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-359",
          "description": "HTTP POST with PII payload \u2014 data leakage risk",
          "file_path": "internal/handlers/dlp.go",
          "finding_id": "cc262c69e2814158",
          "id": 53,
          "line_number": 15,
          "prod_status": "PRODUCTION",
          "risk_level": "CRITICAL",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-pii-to-http-regex",
          "scanner": "semgrep",
          "severity": "CRITICAL",
          "signal_type": "cwe",
          "title": "HTTP POST with PII payload \u2014 data leakage risk"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "CRITICAL",
        "family": "dlp",
        "found_after": false,
        "found_before": true,
        "kind": "PII / sensitive data exposure",
        "line": 15,
        "location": "internal/handlers/dlp.go:15",
        "match_key": [
          "dlp",
          "internal/handlers/dlp.go",
          15
        ],
        "path": "internal/handlers/dlp.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Synthetic PII exposure is removed from logs or outbound data paths.",
        "rule_id": "DLP/f22dde2c0a9e3739",
        "signal_description": "HTTP POST with PII payload \u2014 data leakage risk",
        "signal_title": "HTTP POST with PII payload \u2014 data leakage risk",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "HIGH",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "cve_id": "CVE-2022-32149",
          "description": "golang.org/x/text/language Denial of service via crafted Accept-Language header",
          "display_id": "GHSA-69ch-w2m2-3vjp",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "6b3a862c9dafdd31",
          "id": 33,
          "line_number": 0,
          "package_name": "golang.org/x/text",
          "package_version": "v0.3.7",
          "prod_status": "PRODUCTION",
          "remediation_kind": "dependency_upgrade",
          "remediation_target": "0.3.8",
          "risk_level": "HIGH",
          "scanner": "grype",
          "severity": "HIGH",
          "signal_type": "cve",
          "title": "GHSA-69ch-w2m2-3vjp"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "HIGH",
        "family": "cve",
        "found_after": false,
        "found_before": true,
        "kind": "Vulnerable dependency",
        "line": 0,
        "location": "internal/handlers/cve.go",
        "match_key": [
          "cve",
          "internal/handlers/cve.go",
          0
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Dependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.",
        "rule_id": "CVE/CVE-2022-32149",
        "signal_description": "golang.org/x/text/language Denial of service via crafted Accept-Language header",
        "signal_title": "GHSA-69ch-w2m2-3vjp",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "file_path": "internal/handlers/cwe.go",
          "finding_id": "bc6c5d3b1de55eb5",
          "id": 46,
          "line_number": 11,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "taint-unguarded-flow",
          "scanner": "ai_scanner",
          "severity": "MEDIUM",
          "signal_type": "ai",
          "title": "Unguarded data flow from http_param to code_exec"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 11,
        "location": "internal/handlers/cwe.go:11",
        "match_key": [
          "ai",
          "internal/handlers/cwe.go",
          11
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "Unguarded data flow from http_param to code_exec",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "1750786433085c33",
          "id": 28,
          "line_number": 13,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "taint-unguarded-flow",
          "scanner": "ai_scanner",
          "severity": "MEDIUM",
          "signal_type": "ai",
          "title": "Unguarded data flow from http_param to code_exec"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 13,
        "location": "internal/handlers/suspicious.go:13",
        "match_key": [
          "ai",
          "internal/handlers/suspicious.go",
          13
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "Unguarded data flow from http_param to code_exec",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "file_path": "internal/handlers/cwe.go",
          "finding_id": "99074028bff9b8a3",
          "id": 38,
          "line_number": 22,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "taint-unguarded-flow",
          "scanner": "ai_scanner",
          "severity": "MEDIUM",
          "signal_type": "ai",
          "title": "Unguarded data flow from http_param to code_exec"
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "ai",
        "found_after": false,
        "found_before": true,
        "kind": "AI / LLM security issue",
        "line": 22,
        "location": "internal/handlers/cwe.go:22",
        "match_key": [
          "ai",
          "internal/handlers/cwe.go",
          22
        ],
        "path": "internal/handlers/cwe.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "AI/LLM unsafe data flow is removed or covered by the underlying code fix.",
        "rule_id": "AI/LLM05-unguarded-data-flow-from-http_param-to-c",
        "signal_description": "",
        "signal_title": "Unguarded data flow from http_param to code_exec",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:58",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "a4cfb6534d8413e4",
          "id": 36,
          "line_number": 38,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 38,
        "location": "internal/handlers/cve.go:38",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          38
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:57",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "1b149b8e37fdeb8b",
          "id": 43,
          "line_number": 22,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 22,
        "location": "internal/handlers/cve.go:22",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          22
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:56",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "f402a4a98087a661",
          "id": 31,
          "line_number": 21,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 21,
        "location": "internal/handlers/ai.go:21",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          21
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:57",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/cve.go",
          "finding_id": "b3b9bcfacb7f21f6",
          "id": 37,
          "line_number": 16,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 16,
        "location": "internal/handlers/cve.go:16",
        "match_key": [
          "cwe",
          "internal/handlers/cve.go",
          16
        ],
        "path": "internal/handlers/cve.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "EXPLOITABLE",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:57",
            "error": null,
            "exploitable": "1",
            "model_used": "gpt-5.4-mini",
            "severity": "HIGH"
          },
          "cwe_id": "CWE-918",
          "description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "418cf0e29604ac04",
          "id": 34,
          "line_number": 14,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-ssrf-http-get-tainted-url",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Server-side request forgery",
        "line": 14,
        "location": "internal/handlers/suspicious.go:14",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          14
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Agent removed arbitrary outbound fetch behavior that could become SSRF.",
        "rule_id": "CWE/918",
        "signal_description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
        "signal_title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:59",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "37b80d2ff59c283d",
          "id": 48,
          "line_number": 16,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 16,
        "location": "internal/handlers/suspicious.go:16",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          16
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:59",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "e8a509a2889e951b",
          "id": 50,
          "line_number": 39,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 39,
        "location": "internal/handlers/ai.go:39",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          39
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:59",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "17c10dfd5cf1ea39",
          "id": 54,
          "line_number": 24,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "defended",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 24,
        "location": "internal/handlers/suspicious.go:24",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          24
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:46:58",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "LOW"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/ai.go",
          "finding_id": "ce57feb309bd5707",
          "id": 45,
          "line_number": 61,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 61,
        "location": "internal/handlers/ai.go:61",
        "match_key": [
          "cwe",
          "internal/handlers/ai.go",
          61
        ],
        "path": "internal/handlers/ai.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "DEFENDED",
        "actual_reachability": "REACHABLE",
        "actual_risk": "MEDIUM",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "REACHABLE",
          "attacker": {
            "created_at": "2026-06-04 18:47:01",
            "error": null,
            "exploitable": "0",
            "model_used": "gpt-5.4-mini",
            "severity": "INFO"
          },
          "cwe_id": "CWE-200",
          "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
          "file_path": "internal/handlers/suspicious.go",
          "finding_id": "e6ffcd76b3b73152",
          "id": 57,
          "line_number": 30,
          "prod_status": "PRODUCTION",
          "risk_level": "MEDIUM",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.go-error-leak-in-response",
          "scanner": "semgrep",
          "severity": "MEDIUM",
          "signal_type": "cwe",
          "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n"
        },
        "blocking_after": false,
        "expected_reachability": "exploitable",
        "expected_risk": "MEDIUM",
        "family": "cwe",
        "found_after": false,
        "found_before": true,
        "kind": "Information disclosure",
        "line": 30,
        "location": "internal/handlers/suspicious.go:30",
        "match_key": [
          "cwe",
          "internal/handlers/suspicious.go",
          30
        ],
        "path": "internal/handlers/suspicious.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "PRODUCTION",
        "remediation_action": "Internal error details are no longer exposed to callers where remediation applied.",
        "rule_id": "CWE/200",
        "signal_description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "signal_title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      },
      {
        "actual_exploitability": "NOT ATTACKED",
        "actual_reachability": "NOT_REACHABLE",
        "actual_risk": "INFO",
        "after_signal": {},
        "baseline_signal": {
          "app_reachability": "NOT_REACHABLE",
          "cwe_id": "CWE-798",
          "description": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.",
          "display_id": "secret-token-handlers-secrets",
          "file_path": "internal/handlers/secrets.go",
          "finding_id": "b214d82662cc7c80",
          "id": 30,
          "line_number": 11,
          "prod_status": "UNKNOWN",
          "remediation_kind": "secret_rotation",
          "risk_level": "INFO",
          "rule_id": "home.runner..reachable.venv.lib.python3.12.site-packages.reachable.conf.semgrep.hardcoded-github-token",
          "scanner": "semgrep",
          "secret_type": "token",
          "severity": "LOW",
          "signal_type": "secret",
          "title": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation."
        },
        "blocking_after": false,
        "expected_reachability": "reachable",
        "expected_risk": "MEDIUM",
        "family": "secret",
        "found_after": false,
        "found_before": true,
        "kind": "Secret exposure",
        "line": 11,
        "location": "internal/handlers/secrets.go:11",
        "match_key": [
          "secret",
          "internal/handlers/secrets.go",
          11
        ],
        "path": "internal/handlers/secrets.go",
        "problem_ref": "expected-results.html#expected-findings-table",
        "prod_status": "UNKNOWN",
        "remediation_action": "Synthetic secret exposure is removed from release-blocking DB evidence.",
        "rule_id": "SECRET/github-pat",
        "signal_description": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.",
        "signal_title": "Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.",
        "status": "fixed",
        "status_label": "Fixed - no longer reported"
      }
    ],
    "still_present": 0,
    "verified_with_reachable": "1.0.0b97"
  },
  "ledger_error": null,
  "proof": {
    "by_state": {},
    "defended_after_reattack": 0,
    "failed": 0,
    "needs_review": 0,
    "profile_count": 0,
    "profile_kinds": [],
    "run_count": 0,
    "skipped_policy": 0,
    "source": "none",
    "verified_exploitable": 0
  },
  "ref": "main",
  "remediation": {
    "attempt_count": 1,
    "message": "DB-backed verdict: All expected demo vulnerabilities were found and the remediation branch has no blocking findings.",
    "proof_scan": {
      "by_level": {},
      "exists": true,
      "label": "after-final",
      "path": ".reachable/ci-artifacts/reachable-after-final.sarif",
      "results": 0,
      "top_rules": []
    },
    "scan_count": 2,
    "selected_rule_count": 12,
    "selected_rules": [
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 1000,
        "remediation_key": null,
        "rule_id": "RCH-RULE-877450ee",
        "signal_families": [
          "cwe"
        ],
        "title": "OS command injection via exec.Command with shell"
      },
      {
        "backing_signal_count": 2,
        "finding_ids": [],
        "packages": [
          "golang.org/x/text v0.3.7"
        ],
        "priority_score": 523,
        "remediation_key": "golang.org/x/text@v0.3.7",
        "rule_id": "RCH-RULE-4c957bd8",
        "signal_families": [
          "cve"
        ],
        "title": "Do not introduce vulnerable dependency golang.org/x/text@v0.3.7"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 422,
        "remediation_key": null,
        "rule_id": "RCH-RULE-df212f4e",
        "signal_families": [
          "ai"
        ],
        "title": "Unguarded data flow from http_param to code_exec"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 120,
        "remediation_key": null,
        "rule_id": "RCH-RULE-b4ff9103",
        "signal_families": [
          "secret"
        ],
        "title": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 1000,
        "remediation_key": null,
        "rule_id": "RCH-RULE-27bd65de",
        "signal_families": [
          "cwe"
        ],
        "title": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that block\u2026"
      },
      {
        "backing_signal_count": 3,
        "finding_ids": [],
        "packages": [],
        "priority_score": 904,
        "remediation_key": null,
        "rule_id": "RCH-RULE-1ab079af",
        "signal_families": [
          "cwe"
        ],
        "title": "HTTP POST with PII payload \u2014 data leakage risk (3 proven sites)"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 904,
        "remediation_key": null,
        "rule_id": "RCH-RULE-604223bd",
        "signal_families": [
          "cwe"
        ],
        "title": "PII data (SSN, DOB, credit card) in Go log output"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 904,
        "remediation_key": null,
        "rule_id": "RCH-RULE-8bb65d1e",
        "signal_families": [
          "cwe"
        ],
        "title": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"h\u2026"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 903,
        "remediation_key": null,
        "rule_id": "RCH-RULE-217c2dae",
        "signal_families": [
          "cwe"
        ],
        "title": "Unauthenticated admin and diagnostic endpoints"
      },
      {
        "backing_signal_count": 9,
        "finding_ids": [],
        "packages": [],
        "priority_score": 902,
        "remediation_key": null,
        "rule_id": "RCH-RULE-d990ae0f",
        "signal_families": [
          "cwe"
        ],
        "title": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and lo\u2026"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 422,
        "remediation_key": null,
        "rule_id": "RCH-RULE-a755ac83",
        "signal_families": [
          "ai"
        ],
        "title": "Unguarded data flow from http_param to code_exec"
      },
      {
        "backing_signal_count": 1,
        "finding_ids": [],
        "packages": [],
        "priority_score": 422,
        "remediation_key": null,
        "rule_id": "RCH-RULE-7059753c",
        "signal_families": [
          "ai"
        ],
        "title": "Unguarded data flow from http_param to code_exec"
      }
    ],
    "status": "success"
  },
  "repo": "sthenos-security/reach-testbed-github-go",
  "run_id": "26972297438",
  "sarif_error": null,
  "sha": "8abd78310ce1a9f20fa6468725b802d297175743",
  "suspicious_package_count": 0,
  "top": [],
  "top_defended": [],
  "top_priority": [],
  "total": 0,
  "verification": {
    "blocking_results": 0,
    "branch": "reachable-remediate-26972297438",
    "clean": true,
    "label": "repo.db expected-contract comparison",
    "message": "All expected demo vulnerabilities were found and the remediation branch has no blocking findings.",
    "mode": "DB-backed baseline/remediation proof",
    "results": 0,
    "run_url": "https://github.com/sthenos-security/reach-testbed-github-go/actions/runs/26972297438",
    "status": "db_verified"
  }
}
