
The verification act after remediation

A closed ticket is not evidence that risk was removed.

When a developer marks a finding fixed, that is a claim. GoSentrix re-executes the original replay command against the new artifact, compares hashes, and produces a verification outcome. Indeterminate is preserved as a first-class outcome — it is not auto-promoted to fixed.

What enters

A fix verification round begins with:

  • The original finding, with its evidence state, replay command, and artifact hash at the time it was first verified
  • The new artifact produced after the claimed fix — typically a new build, a new container, a new commit
  • The developer action that marked the finding fixed (or the AI agent action, if remediation was AI-driven)
  • The policy version that was active when the original finding was promoted to its current state

How GoSentrix verifies

Step 1

Re-execute.

GoSentrix re-runs the original replay command against the new artifact. The replay command is deterministic and was captured when the original finding was promoted.

Step 2

Compare.

The new artifact's hash is compared to the hash recorded on the original finding, and the behavior observed under the replay is compared to the behavior recorded when the finding was promoted. The two comparisons answer different questions: an identical artifact hash means the claimed fix produced no new artifact at all, while a changed hash only shows that something was rebuilt, not that the vulnerable behavior is gone. Only the behavior comparison decides the outcome.

Step 3

Classify the outcome.

Three outcomes only:

  • VULNERABILITY_ABSENT — the replay no longer produces the original behavior. The fix is evidenced.
  • VULNERABILITY_PRESENT — the replay still produces the original behavior. The fix did not work, regardless of what the ticket says.
  • INDETERMINATE — the replay produced ambiguous output, or the new artifact could not be replayed the same way. The outcome is recorded as indeterminate. It is not auto-promoted to fixed.

Step 4

Record the round.

The fix verification record carries the replay artifact hash, the outcome, the policy version, and the action that triggered the verification round.

Step 5

Treat operator action as evidence input.

An operator acting on a finding (CONFIRM, FALSE_POSITIVE, FIXED or ACCEPT_RISK) is recorded as an action in the ledger. That action becomes an input to the next verification round; it is not a terminal closure, and a FIXED action in particular does not move the finding until a replay supports the move.
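The five steps above as one runnable round, written here as an added illustration; it is not GoSentrix code, and the dataclass fields, the state names OPEN and FIXED_VERIFIED, the policy version string and the toy artifacts are all assumptions. The replay command is stood in for by executing the artifact as a Python script with the captured arguments, so that a syntax error in a "fixed" build surfaces as a replay that cannot run the same way and is classified INDETERMINATE rather than promoted.

```python
"""Added example of a fix-verification round (not GoSentrix code; names are assumptions)."""
import hashlib
import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass

ABSENT, PRESENT, INDETERMINATE = "VULNERABILITY_ABSENT", "VULNERABILITY_PRESENT", "INDETERMINATE"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Finding:
    finding_id: str
    replay_args: list       # argv captured when the finding was promoted
    artifact_hash: str      # hash of the artifact the finding was verified against
    behavior_hash: str      # hash of the replay output observed at promotion
    policy_version: str
    state: str = "OPEN"     # assumed state name


@dataclass
class FixVerificationRecord:
    finding_id: str
    outcome: str
    replay_artifact_hash: str
    artifact_changed: bool
    policy_version: str
    triggered_by: str       # ledger action that opened the round, e.g. "dev:FIXED"
    detail: str = ""


def run_replay(artifact: bytes, args: list, timeout: float = 5.0):
    """Deterministic stand-in for a replay command: run the artifact as a script.
    Returns (stdout, detail); stdout is None when the artifact could not be replayed."""
    with tempfile.NamedTemporaryFile(suffix=".py", delete=False) as f:
        f.write(artifact)
        path = f.name
    try:
        proc = subprocess.run([sys.executable, path, *args], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "replay timed out"
    finally:
        os.unlink(path)
    if proc.returncode != 0:
        return None, f"replay exited {proc.returncode}"
    return proc.stdout, ""


def verify_fix(finding: Finding, new_artifact: bytes, triggered_by: str) -> FixVerificationRecord:
    new_hash = sha256(new_artifact)
    changed = new_hash != finding.artifact_hash                  # Step 2: artifact comparison
    out, detail = run_replay(new_artifact, finding.replay_args)  # Step 1: re-execute
    if out is None:                                              # Step 3: classify
        outcome = INDETERMINATE                                  # could not be replayed the same way
    elif sha256(out) == finding.behavior_hash:                   # Step 2: behavior comparison
        outcome = PRESENT
    else:
        outcome = ABSENT
    return FixVerificationRecord(finding.finding_id, outcome, new_hash, changed,
                                 finding.policy_version, triggered_by, detail)  # Step 4


def apply_round(finding: Finding, record: FixVerificationRecord) -> str:
    """Step 5: the operator's FIXED claim is an input; only the outcome moves the state."""
    if record.outcome == ABSENT:
        finding.state = "FIXED_VERIFIED"
    elif record.outcome == PRESENT:
        finding.state = "OPEN"          # ticket says fixed, evidence says otherwise
    # INDETERMINATE: state untouched; the round stays on record as evidence
    return finding.state


# Constructed artifacts: a path-traversal toy and three claimed fixes.
VULN = b"""import os, sys
ROOT = "/srv/www"
print(os.path.normpath(os.path.join(ROOT, sys.argv[1])))
"""
LOGGED = b"""import os, sys
ROOT = "/srv/www"
sys.stderr.write("serving %s\\n" % sys.argv[1])
print(os.path.normpath(os.path.join(ROOT, sys.argv[1])))
"""                                     # new hash, same behavior: logging is not a fix
FIXED = b"""import os, sys
ROOT = "/srv/www"
p = os.path.normpath(os.path.join(ROOT, sys.argv[1]))
print(p if p.startswith(ROOT + "/") else "403 Forbidden")
"""
BROKEN = b"""import os, sys
ROOT = "/srv/www"
print(os.path.normpath(os.path.join(ROOT, sys.argv[1]))
"""                                     # missing paren: cannot be replayed at all


def make_finding() -> Finding:
    args = ["../../etc/passwd"]
    out, _ = run_replay(VULN, args)
    return Finding("F-1", args, sha256(VULN), sha256(out), "policy-v3")


def demo() -> dict:
    """Run one round per claimed fix; returns name -> (outcome, artifact_changed, state)."""
    results = {}
    for name, art in (("unchanged", VULN), ("logged", LOGGED), ("fixed", FIXED), ("broken", BROKEN)):
        f = make_finding()
        rec = verify_fix(f, art, "dev:FIXED")
        results[name] = (rec.outcome, rec.artifact_changed, apply_round(f, rec))
    return results
```

Running demo() shows the distinctions the steps depend on: the unchanged artifact and the logging-only rebuild both come back VULNERABILITY_PRESENT even though one has a new hash, the real fix comes back VULNERABILITY_ABSENT, and the build that cannot be replayed stays INDETERMINATE with the finding left where it was. ABSENT here means only that the original behavior is gone; whether the new behavior is actually safe is a separate question this round does not answer.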

What is produced

Artifact | What it carries
Fix verification record | Outcome (ABSENT / PRESENT / INDETERMINATE), replay artifact hash, policy version
Action ledger entry | The operator or AI action that triggered the round, recorded as evidence input
Updated finding state | The finding's evidence state is updated only if the outcome supports the transition

Which claims this proof supports

  • GoSentrix verifies whether a claimed fix changed the evidence state.
  • Operator actions are evidence inputs, not terminal closure.
  • Indeterminate outcomes remain first-class.

Disproval, not dismissal

Some findings are not fixed because they were never applicable. GoSentrix distinguishes disproval from suppression structurally: disproval requires either an artifact reference or a reviewer attestation that evidences the finding does not apply in context. A finding cannot be marked disproven without that evidence.

Suppression dismisses a finding from view. Disproval refutes it with evidence. The two are different terminal states.

What this does not do

Fix verification does not guarantee remediation worked in every case. It does not eliminate false positives. It does not auto-mark findings fixed on the strength of a re-run that did not fail — a re-run that does not fail is one piece of evidence; it is not closure.

Indeterminate outcomes are evidence, not closure. They remain indeterminate until further evidence supports a state transition.
