Add enable_debug_observability scanner feature flag#344
Open
Add enable_debug_observability scanner feature flag#344
Conversation
When enabled, the false_positive.multipass.excluded_match metric is emitted with an additional sds_namespace tag containing the JsonPath-formatted path where the false positive was found. This allows operators to enable the tag per-org on demand for debugging without incurring high-cardinality metrics in production. Defaults to false for backward compatibility.
fuchsnj
approved these changes
Apr 7, 2026
Contributor
fuchsnj
left a comment
fuchsnj
left a comment
There was a problem hiding this comment.
I'm not sure if we want to start supporting this kind of debug logic, when the "intended" way to debug this is the new debug_scan endpoints. Ideally during a support investigation we could initiate a "debug scan" for an existing log and get more detailed information (which would indicate multipass-v0 matches). The UI for this isn't available though, so this is a reasonable temporary solution.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Adds a new
enable_debug_observabilityfeature flag (default:false) to the scanner. When enabled, thefalse_positive.multipass.excluded_matchmetric is emitted with an additionalsds_namespacetag containing the JsonPath-formatted path where the false positive was found.This is motivated by a support investigation where matches were silently discarded by the multipass v0 exclusion logic and it was impossible to tell from existing metrics which attribute was responsible. The flag allows operators to enable the extra tag per-org on demand for debugging, without incurring high-cardinality metric series in production.
Jira: SDS-2471
Changes
ScannerFeatures.enable_debug_observabilitydefaults tofalse— no behavior change for existing callersRuleMetricsstoresbase_labelsonly for use on the debug path; the fast path continues to use the pre-initializedCounterwith no allocationCreateScanneris unchanged (delegates toCreateScannerWithOptionswith zero-value options), fully backward compatibleshould_submit_excluded_match_metric_with_debug_observabilityverifies the metric is emitted with thesds_namespacelabel when the flag is on