mipo
Menu
ProductFeaturesArchitectureSecurityComplianceDocsGitHub

Execution Proof

Shows the execution-proof receipts for a single scan — one receipt per job (per scanner vantage). Each receipt is durable, hash-anchored evidence that the scanner was assigned a specific target and port set and attempted the probes, recorded even when nothing changed. This lets GRC teams prove "we scanned and found no change" rather than relying on the absence of results. The summary line reports how many jobs ran, how many were fully attempted, and how many reported no change versus baseline. Click a receipt to open the full job receipt detail (hashes, probe counts, scanner version, forensic JSON).

Fields & columns

NameDescription
JobThe job (per-scanner unit of work) this receipt proves. Links to the full job receipt detail.
StatusFinal job status the receipt was written for: completed, failed, partial, cancelled, or timed_out. Only completed receipts can assert no-change.
No change vs baselineTrue when the scanner verified full coverage and the observed open set is byte-identical to the baseline (result hash equals baseline hash). The headline "nothing changed, and we proved it" outcome.
ChangesCount of port-state transitions (opened/closed) this job recorded versus its baseline. Zero on a no-change or incomplete receipt.
Open portsNumber of open ports the job observed (the size of the result set used to compute the result hash).
Probes (attempted / planned)How many probes the scanner attempted versus how many the server planned. A completed receipt requires full coverage (attempted equals planned); an incomplete receipt shows attempted below planned.
Result hashServer-recomputed SHA-256 over the sorted observed-open set. The proof anchor — the same value surfaced as evidenceHash on the linked port-state-change rows.
Scanner versionThe scanner binary version that produced the receipt, for fleet-version auditing.

How to

Prove a no-change scan actually ran

  1. Open the scan from Recent Scans or History and follow the "View execution proof" link.
  2. Confirm the summary line reports every job was attempted.
  3. Verify each receipt shows "No change vs baseline" with a result hash equal to its baseline hash.
  4. Open an individual receipt to inspect the hashes and probe counts for forensic evidence.

Trace a recorded change back to its execution receipt

  1. On Port State Changes, click a change row's job link to open its job receipt.
  2. Cross-check the change row's evidenceHash against the receipt's result hash — they must match.
  3. Use the receipt's probe counts and scanner version to confirm the change came from a fully-attempted job.

Gotchas

  • A receipt exists per JOB, not per scan. A scan that fans out across several scanners (or scanner groups) has one receipt per scanner vantage — the list shows them all.
  • Only a "completed" receipt can assert "No change vs baseline". An incomplete receipt (failed, partial, cancelled, timed_out) never claims no-change because partial coverage cannot rule out a transition on a probe that was never attempted.
  • The result hash is server-recomputed, not trusted from the scanner. If a scanner-reported hash does not match the server recomputation, the submission is rejected — so a receipt you can see is one the server already verified.
  • Execution proof lives in the jobs database, which is independent of the results and change-history surfaces. If it is temporarily unreachable, this view shows "execution proof temporarily unavailable" while the rest of the scan UI keeps working — that is a transient backend state, not a failed scan.
  • A very large scan can produce more receipts than the page loads at once; when that happens the view tells you it was truncated and shows the applied limit rather than silently hiding rows. Full pagination is a planned follow-on.
  • Receipts are forward-only evidence introduced with the scan-proof system. Scans completed before it shipped have no receipts; their change history is still derived by the reconciler (those change rows carry no job link).

API calls (3)

MethodPathDescription
GET /api/scans/:id/receipts All execution-proof receipts for a scan (the per-job proof list)
GET /api/jobs/:jobId/receipt A single job receipt detail, including the verbatim forensic receiptJson
GET /api/scans/:id Scan metadata (name, status) shown in the page header

Related

  • Job Receipt — The full single-receipt detail (hashes, probe counts, forensic JSON) opened from a receipt row
  • Results — The discovered hosts and ports for the same scan; execution proof shows the run happened, results show what it found
  • Port State Changes — Change rows now link to their execution receipt via job id, with the receipt result hash as the evidence anchor