SecOps Workbench · Sprint 7 · Day 8/10
Agent working
Current stage: Awaiting human approval · 5 of 7 stages · 71%
Stages: Triaged · Planned · Coded · Tested · Approval · Merge · Verified
Evidence (12 artifacts)

Every artifact the agent produced or consulted. Used by approvers now and by auditors later — everything is traceable to a source system.

12 artifacts · 5 sources · 6 auto-collected · 100% hashed & signed

Scanner output
Fortify SSC · Sonatype cross-check · 3 items
Original finding · FOR-5183 SQL injection at OrderRepository.java:87 · column 23 · taint flow from HTTP param "customerId" · Critical · SAST · May 10 · 22:08
Rescan after fix · FOR-5183 marked Closed · same rulepack · finding no longer present · no new findings introduced · Resolved · SAST · Today · 10:14
Sonatype SCA cross-check · no related CVE in dependencies · ORM library versions are current · Clean · SCA · Today · 10:14

Code changes
GitLab · branch fix/SEC-1745 · 2 items
Merge request !8442 · fix(security): parameterize OrderRepository query · +18 / −4 lines · OrderRepository.java · approved by Reviewer Agent + J. Reviewer · CI green · 2 approvals · 2h ago
Commit history · 9a7f3d2 · single commit · clean, parametric replacement · no force-push · 1 commit · GPG signed · 2h ago

Test & CI results
JUnit · regression suite · sandbox run · 3 items
JUnit run · 47 of 47 passing · includes 3 new SqlInjectionRegressionTest cases for malicious inputs · 47/47 · 2m 14s · 1h ago
Sandbox execution log · full agent session · all shell commands the Developer Agent ran · 4m 12s wall time · 147 lines · Sandboxed · 2h ago
CI pipeline · build #4827 · Compile · Test · Lint · SAST · Container scan — all green · 5/5 stages · 7m 41s · 1h ago

Policy & reference
Playbook · Confluence standards · 2 items
spring-sql-injection@2.3 · playbook used · v2.3 published by @alice · 47 prior uses · 98% success rate · v2.3 approved · applied 2h ago
Confluence · Secure Coding Standards · Java · internal standard SEC-STD-04: SQL queries must use parameter binding · v4.1 · SEC-STD-04 · referenced

Agent reasoning
Triage decision · Reviewer verdict · 2 items
Triage agent · decision transcript · why CWE-89 → spring-sql-injection@2.3 · confidence 98% · 847 tokens · 2h ago
Reviewer agent · approval · "Single-file change, playbook applied cleanly, regression tests verify the fix" · approved · 312 tokens · 11m ago

Audit ledger
Chronological · hash-chained · signed
May 10 · 22:08 · Scanner Agent ingested finding
  Pulled FOR-5183 from Fortify SSC · classified as Critical CWE-89
May 10 · 22:09 · Triage Agent selected playbook
  Matched to spring-sql-injection@2.3 · confidence 98% · routed to Sprint 7
May 11 · 09:23 · Alice Brown added to sprint
  Approved for inclusion in Sprint 7 during planning ceremony
May 12 · 09:18 · Developer Agent opened MR
  Applied playbook · pushed branch fix/SEC-1745 · MR !8442 opened
May 12 · 09:26 · CI pipeline passed
  5 of 5 stages green · build #4827 · 7m 41s
May 12 · 10:14 · Scanner Agent rescanned
  FOR-5183 marked Closed · no new findings introduced
May 12 · 10:27 · Reviewer Agent approved
  Posted approval to MR · routed to J. Reviewer for sign-off
May 12 · 10:31 · J. Reviewer approved
  "LGTM — clean parametric replacement" · advanced to critical-severity gate
May 12 · 10:32 → now · System awaiting final approval
  Notified @alice in AgentBook · 8m elapsed · SLA 6 days