{
  "version": "15.1.4",
  "scan": {
    "analyzer": {
      "id": "reachable",
      "name": "REACHABLE",
      "vendor": {
        "name": "Sthenos Security"
      },
      "version": "1.0.0b136"
    },
    "scanner": {
      "id": "reachable",
      "name": "REACHABLE",
      "vendor": {
        "name": "Sthenos Security"
      },
      "version": "1.0.0b136"
    },
    "type": "sast",
    "start_time": "2026-07-09T21:15:54",
    "end_time": "2026-07-09T21:15:54",
    "status": "success"
  },
  "vulnerabilities": [
    {
      "id": "4823db15-6370-5e70-9a28-999ac6c05ae3",
      "category": "sast",
      "name": "[REACHABLE] LLM01: HTTP POST with PII payload \u2014 data leakage risk",
      "description": "HTTP POST with PII payload \u2014 data leakage risk\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/ai.go",
        "start_line": 51,
        "end_line": 51,
        "method": "AIAgentPlan"
      },
      "identifiers": [
        {
          "type": "reachable_ai",
          "name": "AI/LLM01",
          "value": "LLM01",
          "url": "https://genai.owasp.org/"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      },
      "links": [
        {
          "url": "https://genai.owasp.org/"
        }
      ]
    },
    {
      "id": "765472b5-29e3-58e6-9235-76458778e735",
      "category": "sast",
      "name": "[REACHABLE] LLM01: HTTP POST with PII payload \u2014 data leakage risk",
      "description": "HTTP POST with PII payload \u2014 data leakage risk\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/ai.go",
        "start_line": 32,
        "end_line": 32,
        "method": "AIAnswer"
      },
      "identifiers": [
        {
          "type": "reachable_ai",
          "name": "AI/LLM01",
          "value": "LLM01",
          "url": "https://genai.owasp.org/"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      },
      "links": [
        {
          "url": "https://genai.owasp.org/"
        }
      ]
    },
    {
      "id": "2354831f-1a94-5ec1-91ac-6e9f5d5063ed",
      "category": "sast",
      "name": "[EXPLOITABLE] OS command injection via exec.Command with shell",
      "description": "OS command injection via exec.Command with shell\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/cwe.go",
        "start_line": 12,
        "end_line": 12,
        "method": "DiagnosticPing"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-78",
          "value": "78",
          "url": "https://cwe.mitre.org/data/definitions/78.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-cmdi-exec-regex -> go-cmdi-exec-regex (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/78.html"
        }
      ]
    },
    {
      "id": "75970f0c-caca-5ff7-95b3-722800ccd084",
      "category": "sast",
      "name": "[EXPLOITABLE] User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n",
      "description": "User-controlled URL passed to HTTP client without TLS scheme validation \u2014 sensitive data may be sent in cleartext (CWE-319). Validate that the URL scheme is \"https\" before making the request.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/suspicious.go",
        "start_line": 13,
        "end_line": 13,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-319",
          "value": "319",
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-user-controlled-url-no-tls -> go-user-controlled-url-no-tls (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ]
    },
    {
      "id": "e666db91-e1cf-533f-94a6-ab724ac1b93f",
      "category": "sast",
      "name": "[REACHABLE] Data exposure: PII",
      "description": "PII data (SSN, DOB, credit card) in Go log output\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/dlp.go",
        "start_line": 13,
        "end_line": 13,
        "method": "SupportExport"
      },
      "identifiers": [
        {
          "type": "reachable_dlp",
          "name": "DLP/8d0597a572b2fa6a",
          "value": "8d0597a572b2fa6a"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      }
    },
    {
      "id": "27dd32c6-43c7-5b41-a732-9ec9b48c8423",
      "category": "sast",
      "name": "[REACHABLE] Data exposure: PII",
      "description": "HTTP POST with PII payload \u2014 data leakage risk\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Critical",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/dlp.go",
        "start_line": 15,
        "end_line": 15,
        "method": "SupportExport"
      },
      "identifiers": [
        {
          "type": "reachable_dlp",
          "name": "DLP/0e34f1f7e26a0682",
          "value": "0e34f1f7e26a0682"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        }
      }
    },
    {
      "id": "988550f2-7246-56c0-9d8e-ed589935ea08",
      "category": "sast",
      "name": "[REACHABLE] CVE-2022-32149 in golang.org/x/text",
      "description": "golang.org/x/text/language Denial of service via crafted Accept-Language header\n\nReachability: REACHABLE (HIGH) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.\n\nThreat intelligence: CVSS: 7.5",
      "severity": "High",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/cve.go",
        "start_line": 32,
        "end_line": 32,
        "method": "ParseLanguage"
      },
      "identifiers": [
        {
          "type": "cve",
          "name": "CVE-2022-32149",
          "value": "CVE-2022-32149",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "solution": "Upgrade golang.org/x/text to version 0.3.8 or later.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG attack path evidence is available in the Reachable DB."
        },
        "reachable_guidance": {
          "type": "text",
          "name": "Reachable guidance",
          "value": "0.3.8"
        }
      },
      "links": [
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32149"
        },
        {
          "url": "https://osv.dev/vulnerability/CVE-2022-32149"
        }
      ]
    },
    {
      "id": "ccf504d2-3054-57d1-b510-287dfe39b6b8",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/ai.go",
        "start_line": 39,
        "end_line": 39,
        "method": "AIAgentPlan"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "6e926885-e2c3-59b7-b383-a6734c53a94b",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/suspicious.go",
        "start_line": 30,
        "end_line": 30,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "46d3347c-e3b9-5ef9-9ab8-f6359a627a17",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/cve.go",
        "start_line": 38,
        "end_line": 38,
        "method": "ParseLanguage"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "5f5dac75-55b5-5422-922a-3dd8b2d26a9c",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/cve.go",
        "start_line": 22,
        "end_line": 22,
        "method": "ParseYAML"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "08b23fef-f6a8-5d1c-812d-b52638d68e3a",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/suspicious.go",
        "start_line": 16,
        "end_line": 16,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "6772beb7-2773-576e-8dae-9b3a76373340",
      "category": "sast",
      "name": "[EXPLOITABLE] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/ai.go",
        "start_line": 21,
        "end_line": 21,
        "method": "AIAnswer"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "2feec48f-57f1-5ea4-9030-2a3e3e2b24bc",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/ai.go",
        "start_line": 61,
        "end_line": 61,
        "method": "SafeAIAnswer"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "1965f7af-23fa-5bcf-aa49-9dab94d12eac",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/suspicious.go",
        "start_line": 24,
        "end_line": 24,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "671bd0ca-346b-51ed-92cb-a4251b70a4c0",
      "category": "sast",
      "name": "[EXPLOITABLE] http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n",
      "description": "http.Get / http.Client.Do called with a URL derived from user input \u2014 CWE-918 SSRF. Validate the host against an allowlist, or use a proxying client that blocks private-network CIDRs.\n\n\nReachability: EXPLOITABLE \u2014 Enzo attacker/proof confirmed this reachable path is attackable.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/suspicious.go",
        "start_line": 14,
        "end_line": 14,
        "method": "FetchTool"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-918",
          "value": "918",
          "url": "https://cwe.mitre.org/data/definitions/918.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: exploitable",
          "value": "exploitable"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-ssrf-http-get-tainted-url -> go-ssrf-http-get-tainted-url (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/918.html"
        }
      ]
    },
    {
      "id": "120f78a8-38c8-537f-8702-9503836f3f81",
      "category": "sast",
      "name": "[DEFENDED] Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n",
      "description": "Internal error details written to HTTP response \u2014 exposes server internals (table names, paths, stack traces) to clients. Return a generic error message and log the detail server-side.\n\n\nReachability: DEFENDED \u2014 Enzo attacker/proof could not produce a working attack for this reachable path.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/cve.go",
        "start_line": 16,
        "end_line": 16,
        "method": "ParseYAML"
      },
      "identifiers": [
        {
          "type": "cwe",
          "name": "CWE-200",
          "value": "200",
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: defended",
          "value": "defended"
        }
      ],
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: go-error-leak-in-response -> go-error-leak-in-response (1 hops)."
        }
      },
      "links": [
        {
          "url": "https://cwe.mitre.org/data/definitions/200.html"
        }
      ]
    },
    {
      "id": "57934bc8-3f61-5064-8f6b-61f6a83c3207",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: threat_enrichment_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 186,
        "end_line": 186
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "7c6a2819-e9f7-540c-b300-dfe2ab2a3b6f",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: scan_plan_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 63,
        "end_line": 63
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "15a6c591-2603-5036-8aa6-0cfd1274ecde",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: dep_ai_escalation_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 181,
        "end_line": 181
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "23eede2c-aee8-5c11-bfef-20da4dd34cc9",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: workflow_security_review_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 92,
        "end_line": 92
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "8da46f14-1f3b-5b38-b147-b0c95709068a",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: cicd_workflow_remediation_prompt_eval_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 104,
        "end_line": 104
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "0689619c-6ffa-54c4-8bed-4c15fd44eac3",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: cicd_workflow_remediation_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 97,
        "end_line": 97
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "ede67590-d390-5d7c-8147-e876e131e67e",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: cicd_workflow_remediation_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 98,
        "end_line": 98
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "bf736568-0b24-5fca-953a-f86e9d6457d4",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: cicd_workflow_remediation_prompt_eval_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 103,
        "end_line": 103
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "e26f34ec-84c9-57c8-916e-46b8cefb2305",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: unclassified_discovery_prompt_eval_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 116,
        "end_line": 116
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "769fbfee-b6a5-595f-ba22-c6cfa8fcb741",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: scan_plan_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 62,
        "end_line": 62
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "ddfc647d-dc25-5a00-a695-160f3a5728be",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: compliance_narrative_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 194,
        "end_line": 194
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "90f7fe10-de26-561c-84a2-ca9efab8dca2",
      "category": "sast",
      "name": "[UNKNOWN] Exposed api_key",
      "description": "Secret detected: api_key_credential (api_key)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 287,
        "end_line": 287
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/api_key",
          "value": "api_key"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Api Key (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "9eb5f676-d751-552d-bead-c0e1d7751c2a",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: attack_prompt_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 80,
        "end_line": 80
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "c87736c4-9ac2-51fc-a124-3f08335a1b82",
      "category": "sast",
      "name": "[REACHABLE] Exposed github-pat",
      "description": "Uncovered a GitHub Personal Access Token, potentially leading to unauthorized repository access and sensitive content exposure.: ghp_***00\n\nReachability: REACHABLE (LOW) \u2014 call-graph analysis confirmed a path from an application entry point to this finding.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/internal/handlers/secrets.go",
        "start_line": 11,
        "end_line": 11
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/github-pat",
          "value": "github-pat"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: reachable",
          "value": "reachable"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: handlers/secrets.go -> Github Pat (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "4336c3c3-4f21-55e8-9f25-adfad754e97d",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: vibe_refinement_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 201,
        "end_line": 201
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "7a802ef7-f971-5ddf-90aa-f65b7d0a44a0",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: guidance_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 86,
        "end_line": 86
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "ffeb3871-e027-5fb3-bc0e-e099362e25e9",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: guidance_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 85,
        "end_line": 85
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "772d6027-374a-5cdb-81b6-09b51db4a2a5",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: unclassified_discovery_prompt_eval_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 115,
        "end_line": 115
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "0ffe9689-8879-5a09-a43b-6bbe3fdf817f",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: enzo_tiebreaker_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 161,
        "end_line": 161
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "88a8fdad-b92b-5525-ada6-49d200d97403",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: discovery_max_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 69,
        "end_line": 69
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "f5ce87a1-3792-509e-8ac1-67d366b4a222",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: threat_enrichment_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 187,
        "end_line": 187
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    },
    {
      "id": "19f4d30c-1d71-52dc-9a28-fc06d1003681",
      "category": "sast",
      "name": "[UNKNOWN] Exposed token",
      "description": "Secret detected: discovery_est_tokens (token)\n\nReachability: UNKNOWN \u2014 call-graph analysis could not determine whether this finding is exploitable. Manual review recommended.",
      "severity": "Medium",
      "scanner": {
        "id": "reachable",
        "name": "REACHABLE"
      },
      "location": {
        "file": "/builds/sthenos-security-public/reach-testbed-gitlab-catalog/.reachable-ci-cache/reachable/config.json",
        "start_line": 70,
        "end_line": 70
      },
      "identifiers": [
        {
          "type": "reachable_secret",
          "name": "SECRET/token",
          "value": "token"
        },
        {
          "type": "reachable_reachability",
          "name": "Reachability: unknown",
          "value": "unknown"
        }
      ],
      "solution": "Rotate the exposed credential immediately. Remove it from source code and store it in a secrets manager.",
      "details": {
        "reachable_dfg": {
          "type": "text",
          "name": "Reachable DFG",
          "value": "DFG path available: reachable/config.json -> Token (hardcoded credential) (2 hops)."
        }
      }
    }
  ]
}