Skip to content

Latest commit

 

History

History
75 lines (57 loc) · 2.62 KB

File metadata and controls

75 lines (57 loc) · 2.62 KB

Prometheus metrics

CVE Radar exposes Prometheus metrics at GET /metrics (root path, not under /api).

Enable / disable

Variable Default Description
METRICS_ENABLED true Set false to disable the endpoint (404)
METRICS_PROTECT false Set true to require API_SECRET (X-Api-Key or Bearer) on /metrics

For in-cluster scraping, leave METRICS_PROTECT off and restrict access with NetworkPolicy. For internet-facing hosts, set METRICS_PROTECT=true or scrape via authenticated reverse proxy.

Metric reference

Metric Type Labels Description
cve_radar_scans_total counter mode, status Scan/watch requests (status: success, partial, failure)
cve_radar_vulns_found gauge severity, source Counts from the last successful scan (no CVE IDs in labels)
cve_radar_scan_duration_seconds histogram mode Scan/watch duration
cve_radar_source_reachable gauge source 1 if upstream reachable (sourceHealth.ts)
cve_radar_cache_entries_total gauge Cache size (memory or Redis)

Implementation: server/lib/metrics.ts. Metrics update from scan handlers and refresh source/cache gauges on each scrape.

Kubernetes scrape (ServiceMonitor)

Pairs with the Kubernetes section in chapter 11. Example for Prometheus Operator:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: cve-radar
  labels:
    release: prometheus
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: cve-radar
  endpoints:
    - port: http
      path: /metrics
      interval: 30s
      scheme: http
      # When METRICS_PROTECT=true, add bearerTokenSecret or basicAuth here

Plain Prometheus scrape_configs:

scrape_configs:
  - job_name: cve-radar
    metrics_path: /metrics
    static_configs:
      - targets: ["cve-radar:3001"]

Grafana

Import grafana/cve-radar-dashboard.json — panels for severity time series, scan success rate, source reachability, and CRITICAL stat with example alert threshold.

Example queries

# Scan success rate (5m)
sum(rate(cve_radar_scans_total{status="success"}[5m]))
  / sum(rate(cve_radar_scans_total[5m]))

# CRITICAL vulns from last scan
sum(cve_radar_vulns_found{severity="CRITICAL"})

# p95 scan duration
histogram_quantile(0.95, sum(rate(cve_radar_scan_duration_seconds_bucket[5m])) by (le, mode))