Reachable self-remediation demo · Needs review

Reachable remediation needs review

The remediation proof scan has no blocking findings, but the baseline contract did not fully match. Public, sanitized proof for the intentionally vulnerable Reachable Go testbed. The page is built from the Reachable scan database: vulnerable baseline scan, remediation proof scan, expected issue contract, branch, commit, scan number, timestamp, and AI cost telemetry. Private prompts, rules, agent transcripts, and local databases are not published.

21
Expected issues
17
Found on vulnerable main
17
Fixed on remediation branch
0
Still present
0
Final actionable findings
$0.0390
AI cost estimate
25,598
AI tokens
$1,000.00
Engineer baseline
$99.00
Reachable plan

Vulnerable baseline

Scan: #1 1.0.0b136 complete
Branch: unknown
Commit: 1a34bb31
Timestamp: 2026-07-09 21:15:54
Runtime: 2m 54s
AI: 12 calls, 25,598 tokens, $0.0390

Remediated branch proof

Scan: #9 1.0.0b136 complete
Branch: reachable-remediate-2665924351
Commit: bb600c87
Timestamp: 2026-07-09 21:34:08
Runtime: 8s
AI: 0 calls, 0 tokens, $0.0000

CI cache / install evidence

Cache restored: no
Install mode: installed
Version: target latest, installed REACHABLE 1.0.0b136
repo.db reused: no (0 before, 1 after)
Latest DB hash: 2af9d00a433b
Latest scan: #1 commit 1a34bb31

Demo Contract: Expected Vulnerabilities Fixed

Needs review: This table is the demo contract. Each row is an expected vulnerable fixture. “Fixed” means it was present in the vulnerable baseline database and absent from the remediation proof database.

Expected issueRiskReachabilityExploitabilityLocationBaselineRemediation proofStatusFix / evidence
AI/LLM01-http-post-with-pii-payload-—-data-leakag
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/ai.go:32FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
Details

HTTP POST with PII payload — data leakage risk

AI/LLM01-http-post-with-pii-payload-—-data-leakag
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/ai.go:51FoundNot reportedFixed - no longer reportedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
Details

HTTP POST with PII payload — data leakage risk

CWE/78
OS command injection via exec.Command with shell
Problem contract
CRITICALREACHABLEEXPLOITABLEinternal/handlers/cwe.go:12FoundNot reportedFixed - no longer reportedAgent removed command-execution risk and proof scan confirms the sink is gone.
Details

OS command injection via exec.Command with shell

CWE/319
User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request.
Problem contract
CRITICALREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:13FoundNot reportedFixed - no longer reportedExpected vulnerable fixture row is no longer present in the proof scan.
Details

User-controlled URL passed to HTTP client without TLS scheme validation — sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is "https" before making the request.

DLP/6fd2031f2cff0e06
PII data (SSN, DOB, credit card) in Go log output
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/dlp.go:13FoundNot reportedFixed - no longer reportedSynthetic PII exposure is removed from logs or outbound data paths.
Details

PII data (SSN, DOB, credit card) in Go log output

DLP/f22dde2c0a9e3739
HTTP POST with PII payload — data leakage risk
Problem contract
CRITICALREACHABLENOT ATTACKEDinternal/handlers/dlp.go:15FoundNot reportedFixed - no longer reportedSynthetic PII exposure is removed from logs or outbound data paths.
Details

HTTP POST with PII payload — data leakage risk

CVE/CVE-2022-32149
Vulnerable dependency
Problem contract
HIGHreachableinternal/handlers/cve.goMissingNot reportedExpected baseline row was not detectedDependency risk removed or upgraded; build manager no longer has to chase the vulnerable library manually.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
AI / LLM security issue
Problem contract
MEDIUMreachableinternal/handlers/cwe.go:11MissingNot reportedExpected baseline row was not detectedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
AI / LLM security issue
Problem contract
MEDIUMreachableinternal/handlers/suspicious.go:13MissingNot reportedExpected baseline row was not detectedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
AI/LLM05-unguarded-data-flow-from-http_param-to-c
AI / LLM security issue
Problem contract
MEDIUMreachableinternal/handlers/cwe.go:22MissingNot reportedExpected baseline row was not detectedAI/LLM unsafe data flow is removed or covered by the underlying code fix.
CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:38FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:22FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/ai.go:21FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/cve.go:16FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/918
http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:14FoundNot reportedFixed - no longer reportedAgent removed arbitrary outbound fetch behavior that could become SSRF.
Details

http.Get / http.Client.Do called with a URL derived from user input — CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/suspicious.go:16FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/ai.go:39FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/suspicious.go:24FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEDEFENDEDinternal/handlers/ai.go:61FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

CWE/200
Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.
Problem contract
MEDIUMREACHABLEEXPLOITABLEinternal/handlers/suspicious.go:30FoundNot reportedFixed - no longer reportedInternal error details are no longer exposed to callers where remediation applied.
Details

Internal error details written to HTTP response — exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.

SECRET/github-pat
Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.
Problem contract
INFONOT_REACHABLENOT ATTACKEDinternal/handlers/secrets.go:11FoundNot reportedFixed - no longer reportedSynthetic secret exposure is removed from production-actionable posture.
Details

Token detected. Use a secrets manager (Vault, AWS Secrets Manager) for storage. Prefer short-lived tokens with automatic refresh. Implement proper token scoping and rotation.

Run Evidence: Install, Cache, Database

This section proves the CI run used an installed Reachable version and either restored or initialized the Reachable cache. The raw proof files are sanitized JSON artifacts; the demo verdict still comes from the scan database.

Cache restoredno
Cache sourcegitlab-cache
Install modeinstalled
Target versionlatest
Installed versionREACHABLE 1.0.0b136
repo.db reusedno
repo.db count before0
repo.db count after1
Scan sessions after1
Cache size before4 KB
Cache size after4 KB
Latest repo.db hash2af9d00a433b0de04efbd887768c4e947d1683273e7ba40f711fad184d588aa6

Remaining Production Actionable Findings

0
Selected public findings
0
Exploitable
0
Reachable
0
Unknown
0
Defended
0
Suspicious packages

This section is the selected public posture export for code-scanning surfaces. The demo pass/fail proof above is built from REACHABLE's structured evidence record.

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No exploitable or reachable findings were reported.

Production Actionable: Defended / Defendable

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No defended or defendable findings were included in this public SARIF.

All Production Actionable Signals

SignalReachabilityRiskFamiliesPackageFixLocationMessage
No production actionable signals were reported.

Remediation Attempt

Status: needs_review. Structured proof verdict: The remediation proof scan has no blocking findings, but the baseline contract did not fully match.

RulePackageSignalsSuggested fix
No remediation rules were selected in this run.

Sanitized Artifacts

These are convenience exports. The public page does not publish the private remediation bundle, prompt text, generated rules, agent transcript, raw witnesses, or local databases.

Code scanning report CI run Selected SARIF GitLab SAST report Sanitized remediation ledger Run evidence: before-install Run evidence: after-install Run evidence: after-scan Expected issue contract Summary JSON Summary Markdown

Generated at 2026-07-09T21:35:43.401001+00:00 for sthenos-security-public/reach-testbed-gitlab-catalog / main / commit 1a34bb312a01b993e9f44dba7e5fd91078e8a839. Page URL: https://reach-testbed-gitlab-catalog-fcbdbc.gitlab.io/