Detection Record: canonical public record

Vibe Check Detection Record

269 unique findings classified

Vibe Check scanner verified across 15 intentionally vulnerable training corpus targets and synthetic fixtures spanning 12 framework families. 269 unique findings classified. 100% HIGH/CRITICAL exploitability retention. Production codebase validation underway.

Cross-reference validation complete across three independent passes plus auto-resolution. 0 novel undisclosed vulnerabilities. Java Spring remains qualified pending BenchmarkJava clean rerun.

Captured: 2026-04-29T01:15:47.674227+00:00
Commit: c4bed56e4b2316d05d9e95e28b52b871ae7384a5
Record date: 2026-04-28

Targets scanned: 15
Findings persisted: 269
Framework families: 12
HIGH/CRITICAL retained after exploitability verification: 100.0%

Corpus type

Intentionally vulnerable training targets and synthetic fixtures.

Verification classification

Final normalized counts from the validation chain.

TRAINING_APP_INTENTIONAL: 205
TEST_FIXTURE: 64
PATTERN_MATCH: 0
LIKELY_FALSE_POSITIVE: 0
UNMATCHED: 0
NOVEL_FINDING: 0

Validation chain

Pass 1: broad reference-set classification.

Pass 2: deeper validation with full-file context.

G1: independent adversarial audit.

I1: taxonomy normalization across 269 unique findings.

Auto-resolution: deterministic closure of the remaining escalation queue.

Severity distribution

Findings by severity

Totals are shown as a proportional distribution of persisted findings.

Severity   Count   Share
CRITICAL   49      18.2%
HIGH       104     38.7%
MEDIUM     80      29.7%
LOW        36      13.4%

Framework coverage

Manifest capture by framework family

Detection rate on this page measures manifest capture against the seeded corpus.

Framework            Targets   Findings   Detection rate
generic              3         30         2/3 expected cases credited
go_gin               1         3          2/4 expected cases credited
java_spring          2         17         0/7 expected cases credited
javascript_express   1         24         1/1 expected cases credited
javascript_nextjs    1         16         1/1 expected cases credited
javascript_react     1         3          1/1 expected cases credited
php_laravel          1         8          3/4 expected cases credited
python_django        1         87         1/1 expected cases credited
python_fastapi       1         20         1/1 expected cases credited
python_flask         1         22         1/1 expected cases credited
ruby_rails           1         35         1/1 expected cases credited
rust_actix           1         4          4/4 expected cases credited

Per target

Target-level record

Failed scans are kept visible for transparency and shown as n/a (scan failed) rather than 0.0%.

Target | Framework | Scan ID | Status | Findings | Detection rate | Duration
OWASP BenchmarkJava | java_spring | 43ee1946-6378-4eb5-8f2c-b73aa1e144c4 | Complete | 7 | 0/4 expected cases credited | 7m 48s
OWASP WebGoat | java_spring | e263df5e-d0d6-48c2-bbb5-3dbdf84b44eb | Complete | 10 | 0/3 expected cases credited | 7m 31s
OWASP NodeGoat | javascript_express | 41347630-d27c-4ef8-a5ee-9d7cf1ef6816 | Complete | 24 | 1/1 expected cases credited | 11m 38s
OWASP RailsGoat | ruby_rails | 02ec386c-48a7-48be-91bc-a710e0012620 | Complete | 35 | 1/1 expected cases credited | 15m 46s
OWASP PyGoat | python_django | 2b12664b-ae60-4d5e-bf21-73a889c24b00 | Complete | 87 | 1/1 expected cases credited | 19m 35s
Damn Vulnerable RESTaurant API Game | python_fastapi | 37074dd0-7236-47aa-a2fc-63aa3992214c | Complete | 20 | 1/1 expected cases credited | 10m 6s
Damn Vulnerable Flask App | python_flask | 3a365821-cf26-4d28-bc3a-922e7554aabf | Complete | 22 | 1/1 expected cases credited | 5m 49s
Next.js middleware bypass lab | javascript_nextjs | c2bdd0ec-0e3c-4df2-8d83-f27982f7caf6 | Complete | 16 | 1/1 expected cases credited | 5m 16s
Local SQL injection pack | generic | 451904b1-5593-43ef-bf51-e402a5840a24 | Complete | 4 | 1/1 expected cases credited | 1m 57s
Local React XSS pack | javascript_react | 70f0ce76-55ea-49bd-b2b9-ff80130edaf8 | Complete | 3 | 1/1 expected cases credited | 2m 5s
Local AI smells pack | generic | 9e99319a-856a-45a8-85d1-5ea36f07382c | Complete | 23 | 1/2 expected cases credited | 3m 51s
Local safe controls pack | generic | ab24ba7f-2fb7-4349-87b9-6b04f69429e6 | Complete | 3 | n/a | 1m 4s
Laravel synthetic security target | php_laravel | fb7a669d-ae2d-425d-b80c-a37b32883b53 | Complete | 8 | 3/4 expected cases credited | 3m 35s
Actix synthetic security target | rust_actix | 37377363-cb79-4a06-906e-925393380501 | Complete | 5 | 4/4 expected cases credited | 37s
Gin synthetic security target | go_gin | 08283a81-0fdc-4c31-871a-763ff39791a9 | Complete | 3 | 2/4 expected cases credited | 2m 2s

Safe-control validation

A safe-control target remained in the corpus to test whether the scanner would raise findings where no seeded vulnerability was expected. That signal remains useful for calibration, but this corpus is not the right surface for a scanner-wide false-positive claim because almost every target is intentionally vulnerable by construction.

Doctrine

This record reports measured Vibe Check results only. It does not publish comparative claims or competitor framing.

Methodology, corpus manifest, and source scan IDs are preserved so the record can be independently reviewed.

Production validation

Firefox validation placeholder

Production codebase validation is tracked separately from the training corpus.

Firefox (gecko-dev) scan dispatched. Results section pending.

Sample findings

Representative persisted findings

Examples below are preserved exactly from the corrected record.

MEDIUM CONFIG

Dockerfile runs as root

No USER directive found. Container processes run as root by default, which gives an attacker full control if they escape the application.

Suggested fix:

Add a USER directive to run as a non-root user (e.g. USER node or USER appuser).

LOW CONFIG

Dockerfile uses unpinned :latest tag

Using :latest means builds are not reproducible. A new base image version could introduce vulnerabilities or break your app.

Suggested fix:

Pin the base image to a specific version (e.g. node:20-alpine instead of node:latest).

LOW SECRETS

High-entropy string may be a hardcoded secret

A string with Shannon entropy 5.94 bits/char was found in an assignment context in .travis.yml at line 7. Strings above 4.5 bits/char are consistent with generated API keys, tokens, or passwords. Review manually to confirm.

Path .travis.yml:7

Suggested fix:

If this is a real credential, move it to an environment variable and reference it via os.environ or process.env. Add .env to .gitignore to prevent future exposure.

LOW SECRETS

High-entropy string may be a hardcoded secret

A string with Shannon entropy 4.72 bits/char was found in an assignment context in scripts/mvnFortifyScan.sh at line 5. Strings above 4.5 bits/char are consistent with generated API keys, tokens, or passwords. Review manually to confirm.

Path scripts/mvnFortifyScan.sh:5

Suggested fix:

If this is a real credential, move it to an environment variable and reference it via os.environ or process.env. Add .env to .gitignore to prevent future exposure.

LOW SECRETS

High-entropy string may be a hardcoded secret

A string with Shannon entropy 4.72 bits/char was found in an assignment context in scripts/mvnFortifyScan_OnWindows.sh at line 5. Strings above 4.5 bits/char are consistent with generated API keys, tokens, or passwords. Review manually to confirm.

Path scripts/mvnFortifyScan_OnWindows.sh:5

Suggested fix:

If this is a real credential, move it to an environment variable and reference it via os.environ or process.env. Add .env to .gitignore to prevent future exposure.

LOW CONFIG

No automated tests detected

No test files were found in this repository. AI-built apps without tests are the highest-risk category: changes cannot be verified automatically and bugs compound undetected.

Suggested fix:

Add a test directory (tests/ for Python, __tests__/ for JavaScript) and write tests for your core logic. Even a single smoke test is a meaningful starting point.

HIGH CONFIG

Use of deprecated TLSv1 protocol

The SSL connection socket factory is restricted to only TLSv1, a deprecated and insecure protocol vulnerable to attacks like BEAST. Combined with NoopHostnameVerifier and TrustSelfSignedStrategy, this creates a weak TLS configuration.

Suggested fix:

Use TLSv1.2 or TLSv1.3 protocols and a proper hostname verifier in production code.

LOW SECRETS

High-entropy string may be a hardcoded secret

A string with Shannon entropy 5.44 bits/char was found in an assignment context in src/it/java/org/owasp/webgoat/playwright/webwolf/JwtUITest.java at line 30. Strings above 4.5 bits/char are consistent with generated API keys, tokens, or passwords. Review manually to confirm.

Path src/it/java/org/owasp/webgoat/playwright/webwolf/JwtUITest.java:30

Suggested fix:

If this is a real credential, move it to an environment variable and reference it via os.environ or process.env. Add .env to .gitignore to prevent future exposure.

Reproducibility

Source scans and manifest

Reproducibility instructions and the methodology remain part of the canonical record.

Corpus manifest: tests/comparison_corpus/repositories.json

Methodology: /proof/methodology/detection-record

This record reports measured Vibe Check results only. It does not publish comparative claims.

The corpus is intentionally vulnerable by construction and should be read as canonical vulnerable-pattern validation, not generalized production-code proof.

Production-code validation is tracked separately from this corpus record.