Verify a remediation
After you fix a finding, Vex Raptor can re-attack the same vector and certify whether it is closed — turning "we suggested a fix" into "we proved the fix worked."
How it works
For a finding (or a whole scan), the verifier re-runs the original attack against the same endpoint and returns a status:
| Status | Meaning |
|---|---|
| CLOSED | The re-attack no longer succeeds — the fix holds |
| OPEN | The vector is still exploitable — not fixed |
| UNVERIFIABLE | This class needs manual re-validation |
A summary reports how many findings are closed, open, or unverifiable, plus a fixed-rate percentage.
Supported classes
Automated re-verification currently covers the classes that can be re-tested safely and deterministically:
- Reflected XSS — checks whether the payload still reflects unencoded
- Error-based SQL injection — checks whether a DB error still leaks
- Missing security headers — checks whether the header is now present
Everything else is honest about its limits
Classes that cannot be re-tested deterministically are returned as UNVERIFIABLE rather than guessed. A finding is never reported CLOSED unless the re-attack actually failed to reproduce it.
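The following is an added example and is not Vex Raptor's own code: a small verifier that applies the three deterministic re-checks above to a captured response and returns CLOSED, OPEN or UNVERIFIABLE, then produces the per-scan summary. The class identifiers (`reflected_xss`, `error_sqli`, `missing_header`), the benign probe marker `<vexr-probe>`, the database-error patterns, the `Response` stand-in (no network calls are made) and the fixed-rate formula (CLOSED over CLOSED plus OPEN) are all assumptions chosen for the example, not details of the product.

```python
"""Added example (not Vex Raptor's code): re-check a finding against a fresh
response and report CLOSED / OPEN / UNVERIFIABLE, then summarise a scan."""
from dataclasses import dataclass
from enum import Enum
import html
import re


class Status(str, Enum):
    CLOSED = "CLOSED"              # re-test no longer reproduces the finding
    OPEN = "OPEN"                  # re-test still reproduces it
    UNVERIFIABLE = "UNVERIFIABLE"  # class has no deterministic re-test


@dataclass
class Finding:
    id: str
    cls: str     # assumed class ids: reflected_xss, error_sqli, missing_header
    detail: str  # probe marker for XSS, header name for missing_header


@dataclass
class Response:
    """Constructed stand-in for the HTTP response captured on re-test."""
    status_code: int
    headers: dict
    body: str


# Assumed DB error fragments, used only to recognise leakage in a response body.
SQL_ERROR_RE = re.compile(
    r"you have an error in your sql syntax|unclosed quotation mark|ora-\d{5}"
    r"|syntax error at or near|sqlite3?\.operationalerror",
    re.IGNORECASE,
)


def check_reflected_xss(marker: str, resp: Response) -> Status:
    # Only the raw, unencoded marker counts; an HTML-escaped copy is a fix.
    return Status.OPEN if marker in resp.body else Status.CLOSED


def check_error_sqli(resp: Response) -> Status:
    return Status.OPEN if SQL_ERROR_RE.search(resp.body) else Status.CLOSED


def check_missing_header(header: str, resp: Response) -> Status:
    present = any(k.lower() == header.lower() and v.strip()
                  for k, v in resp.headers.items())
    return Status.CLOSED if present else Status.OPEN


VERIFIERS = {
    "reflected_xss": lambda f, r: check_reflected_xss(f.detail, r),
    "error_sqli": lambda f, r: check_error_sqli(r),
    "missing_header": lambda f, r: check_missing_header(f.detail, r),
}


def verify(finding: Finding, resp: Response) -> Status:
    verifier = VERIFIERS.get(finding.cls)
    if verifier is None:
        return Status.UNVERIFIABLE  # never guess CLOSED for an untested class
    return verifier(finding, resp)


def summarize(results: dict) -> dict:
    counts = {s.value: 0 for s in Status}
    for status in results.values():
        counts[status.value] += 1
    verifiable = counts["CLOSED"] + counts["OPEN"]
    # Assumption: fixed rate = CLOSED / (CLOSED + OPEN); UNVERIFIABLE excluded.
    counts["fixed_rate_pct"] = (
        round(100.0 * counts["CLOSED"] / verifiable, 1) if verifiable else 0.0
    )
    return counts


MARKER = "<vexr-probe>"  # constructed, benign probe marker

# Constructed sample scan: three supported classes plus one unsupported class.
SAMPLE_FINDINGS = [
    Finding("F1", "reflected_xss", MARKER),
    Finding("F2", "error_sqli", ""),
    Finding("F3", "missing_header", "Content-Security-Policy"),
    Finding("F4", "ssrf", ""),  # no deterministic re-test in this example
]
SAMPLE_RESPONSES = {
    "F1": Response(200, {"Content-Type": "text/html"},
                   "<p>You searched for " + html.escape(MARKER) + "</p>"),
    "F2": Response(500, {}, "You have an error in your SQL syntax near '\"'"),
    "F3": Response(200, {"Content-Security-Policy": "default-src 'self'"}, ""),
    "F4": Response(200, {}, ""),
}


def run_sample() -> dict:
    return {f.id: verify(f, SAMPLE_RESPONSES[f.id]) for f in SAMPLE_FINDINGS}


if __name__ == "__main__":
    results = run_sample()
    for fid, status in results.items():
        print(fid, status.value)
    print(summarize(results))  # {'CLOSED': 2, 'OPEN': 1, 'UNVERIFIABLE': 1, 'fixed_rate_pct': 66.7}
```

Two points to notice: F1 is reported CLOSED because the response now carries `&lt;vexr-probe&gt;` rather than the raw marker, which is exactly the "still reflects unencoded" test; and F4 falls through to UNVERIFIABLE because its class has no verifier, so it is never counted as fixed.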
From the report
1. Open a completed report.
2. Use Verify remediation on a finding (or the whole scan).
3. Review the CLOSED / OPEN / UNVERIFIABLE badges.
In CI
The CI Gate can re-scan on each pipeline run, so a regression that re-opens a previously closed finding fails the build.