require-audit-logging
ESLint rule documentation for require-audit-logging
Suggests audit logging for AI SDK operations.
📊 Rule Details
| Property | Value |
|---|---|
| Type | suggestion |
| Severity | ⚪ LOW |
| OWASP Agentic | ASI10: Logging & Monitoring |
| CWE | CWE-778: Insufficient Logging |
| CVSS | 4.0 |
| Config Default | off (recommended, strict) |
🔍 What This Rule Detects
This rule identifies AI SDK calls that aren't preceded by logging statements. Audit logging is important for security monitoring and debugging.
❌ Incorrect Code
```javascript
// No logging
async function handler() {
  const result = await generateText({
    prompt: userInput,
  });
  return result.text;
}

// Missing audit trail
export async function processRequest(req) {
  await streamText({
    prompt: req.body.message,
  });
}
```
✅ Correct Code
```javascript
// With logging
async function handler() {
  logger.info('AI generation started', { userId, promptHash });
  try {
    const result = await generateText({
      prompt: userInput,
    });
    logger.info('AI generation completed', { userId, tokens: result.usage });
    return result.text;
  } catch (error) {
    logger.error('AI generation failed', { userId, error });
    throw error;
  }
}

// Console log (acceptable)
export async function processRequest(req) {
  console.log('Processing AI request', { requestId });
  await streamText({
    prompt: req.body.message,
  });
}
```
⚙️ Options
| Option | Type | Default | Description |
|---|---|---|---|
| allowInTests | boolean | true | Skip rule in test files |
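To make the detection concrete, here is a simplified model of the check this rule performs, written as an added example rather than the plugin's own implementation. It walks ESTree-shaped statement lists in order, treats an AI SDK call as unlogged unless a recognized logging call appeared earlier in the same or an enclosing block (so the `logger.info` before the `try` in the Correct Code above passes), and implements the `allowInTests` option from the table. Which function names count as AI SDK calls, which logger objects and methods count as logging, the test-file pattern, and the `loggerPatterns` option are all assumptions; the AST fragments at the bottom are constructed by hand to stand in for parser output and mirror the Incorrect Code, Correct Code and custom-logger cases on this page.

```javascript
// Added example, not the plugin's source: a simplified model of the
// require-audit-logging check over ESTree-shaped statement lists.
const AI_SDK_FUNCTIONS = new Set(['generateText', 'streamText']);       // assumed
const DEFAULT_LOGGER_PATTERNS = [                                        // assumed
  { object: 'console', methods: ['log', 'info', 'warn', 'error'] },
  { object: 'logger', methods: ['info', 'warn', 'error', 'debug'] },
];
const TEST_FILE_RE = /\.(test|spec)\.[cm]?[jt]sx?$/;                    // assumed

// Return the CallExpression a statement evaluates, looking through `await`,
// `const x = ...` and `return ...`; null if the statement is something else.
function findCall(node) {
  if (!node) return null;
  switch (node.type) {
    case 'CallExpression': return node;
    case 'AwaitExpression': return findCall(node.argument);
    case 'ExpressionStatement': return findCall(node.expression);
    case 'ReturnStatement': return findCall(node.argument);
    case 'VariableDeclaration': return findCall(node.declarations[0].init);
    default: return null;
  }
}

// `obj.method(...)` where obj/method match one of the configured patterns.
function isLoggingCall(call, patterns) {
  const c = call.callee;
  if (c.type !== 'MemberExpression' || c.object.type !== 'Identifier' ||
      c.property.type !== 'Identifier') return false;
  return patterns.some((p) => p.object === c.object.name && p.methods.includes(c.property.name));
}

// Bare call to one of the assumed AI SDK functions.
function isAiSdkCall(call) {
  return call.callee.type === 'Identifier' && AI_SDK_FUNCTIONS.has(call.callee.name);
}

// Walk statements in order. An AI SDK call is reported unless a logging call
// appeared earlier in this block or an enclosing one. Returns one finding per call.
function findUnloggedAiCalls(statements, options = {}, loggedSoFar = false) {
  const patterns = [...DEFAULT_LOGGER_PATTERNS, ...(options.loggerPatterns || [])];
  const findings = [];
  let logged = loggedSoFar;
  for (const stmt of statements) {
    if (stmt.type === 'TryStatement') {
      // try/catch bodies inherit the "already logged" state of the enclosing block
      findings.push(...findUnloggedAiCalls(stmt.block.body, options, logged));
      if (stmt.handler) findings.push(...findUnloggedAiCalls(stmt.handler.body.body, options, logged));
      continue;
    }
    const call = findCall(stmt);
    if (!call) continue;
    if (isLoggingCall(call, patterns)) { logged = true; continue; }
    if (isAiSdkCall(call) && !logged) {
      findings.push({
        line: stmt.loc.start.line,
        callee: call.callee.name,
        message: `${call.callee.name}() is not preceded by an audit log statement`,
      });
    }
  }
  return findings;
}

// File-level entry point: honours allowInTests (default true) by filename.
function checkFile(filename, functionBodies, options = { allowInTests: true }) {
  if (options.allowInTests !== false && TEST_FILE_RE.test(filename)) return [];
  return functionBodies.flatMap((body) => findUnloggedAiCalls(body, options));
}

// --- constructed AST fragments standing in for parser output ---
const id = (name) => ({ type: 'Identifier', name });
const member = (object, property) => ({ type: 'MemberExpression', object: id(object), property: id(property), computed: false });
const call = (callee) => ({ type: 'CallExpression', callee, arguments: [] });
const stmt = (expression, line) => ({ type: 'ExpressionStatement', expression, loc: { start: { line } } });
const awaited = (argument) => ({ type: 'AwaitExpression', argument });
const declare = (name, init, line) => ({ type: 'VariableDeclaration', kind: 'const', declarations: [{ type: 'VariableDeclarator', id: id(name), init }], loc: { start: { line } } });
const tryBlock = (body, line) => ({ type: 'TryStatement', block: { type: 'BlockStatement', body }, handler: null, loc: { start: { line } } });

// Incorrect Code: `const result = await generateText({...})` with nothing logged before it
const incorrectHandler = [declare('result', awaited(call(id('generateText'))), 3)];
// Correct Code: `logger.info(...)` precedes a try block that contains the call
const correctHandler = [stmt(call(member('logger', 'info')), 2), tryBlock([declare('result', awaited(call(id('generateText'))), 4)], 3)];
// Custom Logger Methods case: `myLogger.audit(...)` is not in the default patterns
const customLoggerHandler = [stmt(call(member('myLogger', 'audit')), 1), stmt(awaited(call(id('generateText'))), 2)];
```

With only the default patterns, `customLoggerHandler` still produces a finding because `myLogger.audit` is not recognized as logging; passing `{ loggerPatterns: [{ object: 'myLogger', methods: ['audit'] }] }` clears it, which is what the "configure rule for custom logger method names" mitigation below amounts to. Logging inside a called wrapper or middleware is invisible to this walk by construction, matching the first and third false negatives listed later on this page.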
🛡️ Why This Matters
Insufficient logging makes it impossible to:
- Detect abuse - Identify malicious usage patterns
- Debug issues - Trace problems in production
- Audit compliance - Prove regulatory compliance
- Monitor costs - Track API usage
🔗 Related Rules
- require-error-handling - Handle errors
- require-tool-confirmation - Log destructive operations
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Logging in Wrapper Function
Why: Logging in called functions is not visible.
```javascript
// ❌ NOT DETECTED - Logging in wrapper
await myGenerateText(prompt); // Wrapper has logging
```
Mitigation: Apply rule to wrapper implementations.
Custom Logger Methods
Why: Non-standard logger methods may not be recognized.
```javascript
// ❌ NOT DETECTED - Custom logger
myLogger.audit('AI call', { prompt }); // Not in default patterns
await generateText({ prompt });
```
Mitigation: Configure rule for custom logger method names.
Centralized Logging Middleware
Why: Framework-level logging is not linked.
```javascript
// ❌ NOT DETECTED (correctly) - Middleware logs all AI calls
app.use(aiAuditMiddleware);
```
Mitigation: Document centralized logging. Consider rule exception.
Async Logging
Why: Logging scheduled for later may not be detected.
```javascript
// ❌ NOT DETECTED - Deferred logging
const result = await generateText({ prompt });
queueAuditLog({ prompt, result }); // Async logging
```
Mitigation: Use synchronous logging before AI calls.
Error Message Format
The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance:
```
⚠️ CWE-778 OWASP:A09 CVSS:5.3 | Insufficient Logging detected | MEDIUM [SOC2,ISO27001,PCI-DSS,NIST-CSF]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A09_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-778 OWASP:A09 CVSS:5.3 |
| Issue Description | Specific vulnerability | Insufficient Logging detected |
| Severity & Compliance | Impact assessment | MEDIUM [SOC2,ISO27001,PCI-DSS,NIST-CSF] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |