CD/CD consolidation
22
devops/vuln/query-hash-metrics.md
Normal file
@@ -0,0 +1,22 @@
# Vuln Explorer query-hash metrics spec (DEVOPS-VULN-29-003)

## Metrics to emit
- `vuln_query_hashes_total{tenant,query_hash,route,cache="hit|miss"}`
- `vuln_api_payload_bytes_bucket{direction="request|response"}`

## Hashing rules
- Hash canonicalised query body (sorted keys, trimmed whitespace) with SHA-256.
- Salt: deployment-specific (e.g., `Telemetry:QueryHashSalt`), 32 bytes hex.
- Store only hash; never log raw filters.
- Truncate any string field >128 chars before hashing to control cardinality.

## Logging filter
- Drop fields named `email`, `userId`, `principalName`; replace with `[redacted]` before metrics/logging.
- Retain `tenant`, `route`, `status`, `durationMs`, `query_hash`.

## Prometheus exemplar tags (optional)
- Add `trace_id` as exemplar if traces enabled; do not add request bodies.

## Acceptance checks
- Unit test: hashed query string changes when salt changes; raw query not present in logs.
- Prometheus snapshot test: scrape and assert presence of `vuln_query_hashes_total` and payload histograms.
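Review bot: the cardinality rule under "Hashing rules" does not bound anything. "Truncate any string field >128 chars before hashing to control cardinality" only merges queries that differ past the 128th character; `query_hash` on `vuln_query_hashes_total` still takes a distinct value for every distinct canonical body, so the label's cardinality grows with the number of distinct queries per tenant and route, which is exactly what Prometheus labels must not do. Either state a real bound (hash the filter key set rather than the values, or cap tracked hashes per tenant and fold the remainder into a fixed `other` value) or document the expected upper bound and the retention impact. Two smaller points in the same hunk. First, "Salt: deployment-specific ... 32 bytes hex" together with "with SHA-256" leaves the construction unspecified: say whether the salt is prepended, appended, or used as an HMAC key, and whether "32 bytes hex" means 32 bytes rendered as 64 hex characters or a 32-character hex string (16 bytes); HMAC-SHA-256 keyed with the salt is the unambiguous form, and it also matches the existing acceptance check that the hash must change when the salt changes. Second, the logging filter says both "Drop fields named `email`, `userId`, `principalName`" and "replace with `[redacted]`"; pick one, and state whether redaction runs before or after canonicalisation and hashing, since that decides whether two queries that differ only in `email` share a `query_hash` and whether the salted hash can be brute-forced from a small set of known principal names.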