Injection Quality Governance

Date: 2026-03-04

Rule Ownership

  • INJ-SQL-001: AppSec Detection owner.
  • INJ-CMD-001: AppSec Detection owner.
  • INJ-TPL-001: AppSec Detection owner.

Owner responsibilities:

  • Approve fixture or threshold changes for owned rules.
  • Triage regressions from CI metrics gates.
  • Review suppression trends that indicate rule quality drift.

Change Review Checklist

For any scanner/rule change:

  1. Update or add fixtures under tests/fixtures/diffs/.
  2. Run python -m pytest -q tests/test_injection_fixtures.py.
  3. Export metrics:
     - python -m diffver.injection_metrics --fixtures tests/fixtures/diffs --output artifacts/injection_rule_metrics.json
  4. Compare against baseline:
     - python -m diffver.injection_metrics_compare --current artifacts/injection_rule_metrics.json --baseline tests/fixtures/metrics_baseline.json
  5. If a baseline update is required, include the PR label metrics-baseline-update and reviewer sign-off from the rule owner.

Threshold Policy

  • CI requires no precision/recall/f1 regression versus baseline.
  • Additional static thresholds:
      • Per-rule precision >= 0.95
      • Per-rule recall >= 0.95
      • Overall precision >= 0.98
      • Overall recall >= 0.98
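As an added example (not code from this page or from the diffver project), the gate below applies the threshold policy above to per-rule confusion counts; the {"rules": {rule_id: {"tp", "fp", "fn"}}} layout is an assumption, since the real diffver.injection_metrics output format is not shown here.

```python
# Added example, not the diffver project's code: applies the threshold policy to
# per-rule confusion counts. The {"rules": {rule_id: {"tp", "fp", "fn"}}} layout
# is an assumption; the real diffver.injection_metrics output is not shown here.
PER_RULE_MIN = 0.95   # per-rule precision and recall floor
OVERALL_MIN = 0.98    # overall precision and recall floor


def prf(tp: int, fp: int, fn: int) -> dict:
    """Precision, recall and F1 from confusion counts (0.0 when undefined)."""
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return {"precision": p, "recall": r, "f1": f1}


def summarize(metrics: dict) -> dict:
    """Per-rule scores plus an 'overall' entry pooled across all rules."""
    scores = {rid: prf(**c) for rid, c in metrics["rules"].items()}
    pooled = {k: sum(c[k] for c in metrics["rules"].values()) for k in ("tp", "fp", "fn")}
    scores["overall"] = prf(**pooled)
    return scores


def gate(current: dict, baseline: dict) -> list:
    """Return gate failures as strings; an empty list means the gate passes."""
    cur, base = summarize(current), summarize(baseline)
    failures = []
    for rid, s in cur.items():
        floor = OVERALL_MIN if rid == "overall" else PER_RULE_MIN
        for name in ("precision", "recall"):        # static thresholds
            if s[name] < floor:
                failures.append(f"{rid}: {name} {s[name]:.3f} below {floor}")
        for name in ("precision", "recall", "f1"):  # no regression vs baseline
            if rid in base and s[name] < base[rid][name] - 1e-9:
                failures.append(f"{rid}: {name} regressed {base[rid][name]:.3f} -> {s[name]:.3f}")
    return failures


# Constructed sample: baseline is perfect; current run misses one INJ-TPL-001 fixture.
BASELINE = {"rules": {"INJ-SQL-001": {"tp": 40, "fp": 0, "fn": 0},
                      "INJ-CMD-001": {"tp": 30, "fp": 0, "fn": 0},
                      "INJ-TPL-001": {"tp": 10, "fp": 0, "fn": 0}}}
CURRENT_RUN = {"rules": {"INJ-SQL-001": {"tp": 40, "fp": 0, "fn": 0},
                         "INJ-CMD-001": {"tp": 30, "fp": 0, "fn": 0},
                         "INJ-TPL-001": {"tp": 9, "fp": 0, "fn": 1}}}

if __name__ == "__main__":
    for line in gate(CURRENT_RUN, BASELINE) or ["gate passed"]:
        print(line)
```

In the sample, overall recall of 0.9875 clears the 0.98 floor, yet the run still fails because the no-regression rule catches the recall and f1 drop on INJ-TPL-001 and overall.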

Monthly Trend Snapshot

  • On the first business day of each month:
      • Run metrics export on main.
      • Publish JSON + markdown summary artifacts.
      • Record trends and exceptions in security engineering notes.