Skip to content

Observability, air-gap & hardening

Keep a production deployment observable, deployable without internet, and locked down.

Observability

Signal Where Use
Health GET /health Liveness / readiness probes
Metrics /metrics (Prometheus format) Scan throughput, queue depth, error rate
Logs stdout (JSON) Ship to your log stack; audit events included
Tracing OpenTelemetry (opt-in, OTEL_ENABLED=true) Latency across API → worker

Recommended alerts: worker queue depth rising, scan failure rate, 5xx rate, PostgreSQL/Redis availability, and daily-quota exhaustion per org.

Air-gapped deployment

Vex Raptor runs fully offline.

  1. Mirror the container images into your internal registry.
  2. Provide the license via VEX_LICENSE_KEY (offline-validated).
  3. Use a self-hosted or local LLM (ollama) for AI depth so no prompt data leaves the network — or run at Recon/Full depth without AI.
  4. Serve the docs internally: mkdocs build and host site/ on an internal vhost.

Disable optional outbound integrations (threat-intel enrichment) in an air-gap.

Hardening checklist

Work through this before exposing a deployment.

  • [ ] ENVIRONMENT=prod set (never dev on an internet-facing host).
  • [ ] Strong, unique SECRET_KEY (64+ hex chars); stored in a secret manager.
  • [ ] TLS end-to-end to the origin (Cloudflare Full (strict), not Flexible).
  • [ ] ALLOW_INTERNAL_SCANNING off in production.
  • [ ] Domain verification required for external targets.
  • [ ] SSO enforced; password login disabled where possible; admin role minimized.
  • [ ] API keys scoped, named, and rotated; none committed to source.
  • [ ] PostgreSQL and Redis not exposed to the public internet.
  • [ ] Backups scheduled and restore tested.
  • [ ] Image tags pinned; docker compose down -v never used in prod.
  • [ ] /metrics and /health scraped; alerts configured.
  • [ ] Audit log shipped to your SIEM.
  • [ ] Dependency scanning in CI (pip-audit) green.

Run Vex Raptor against itself

A staging instance is a valid authorized target. Scanning your own deployment is a fast way to validate the hardening above.