Ch 6 — The Developer Fix

Chapter 6 of 8 — The Developer Fix

How does a developer fix a violation?

Governance detects and records the problem automatically. But the fix always belongs to the developer. This chapter shows the exact code change that closes all three violations from our checkout log — and explains why each change matters.

Step 1 of 3

Understand what needs to change before writing any code

There are three violations open. Each one requires a specific change to the log statement. It is important to understand why each change is needed — not just copy a fix mechanically — because the same pattern might exist in other log statements elsewhere in the codebase.

creditCardNumber (Critical, VIO-0041)

The problem

This field is in disallowedFields. It must be removed from the log statement entirely. Do not mask it in code — governance already redacts it at runtime, but the violation will keep occurring until the field is removed from the source.

The fix

Remove creditCardNumber from the log statement. If you need to record payment context, log amount instead — it is not in disallowedFields.

correlationId (Medium, VIO-0042)

The problem

This field is in requiredFields but was absent. Without it, this log line cannot be linked to a request trace in your APM or observability platform.

The fix

Add correlationId: Activity.Current?.Id ?? request.Headers["x-correlation-id"] to the log statement.

eventName (Medium, VIO-0043)

The problem

This field is in requiredFields but was absent. Without it, log analysis tools cannot identify what kind of event this is, which breaks alerting rules and dashboards.

The fix

Add eventName: "CheckoutStarted" to the log statement as a string literal.

Step 2 of 3

Before and after — the complete code change

Before — 3 violations
logger.LogInformation(
    "Checkout started for {userId} paying with {creditCardNumber}",
    request.UserId,
    request.CreditCardNumber);   // ← Critical: disallowed field
// Missing: correlationId        // ← Medium: required, absent
// Missing: eventName            // ← Medium: required, absent
After — 0 violations
logger.LogInformation(
    "Checkout started {eventName} for {userId} {correlationId} amount {amount}",
    "CheckoutStarted",           // ← eventName: now present
    request.UserId,              // ← userId: was already correct
    Activity.Current?.Id ?? request.Headers["x-correlation-id"],  // ← correlationId: now present
    request.Amount);             // ← amount: safe, not disallowed
// creditCardNumber removed entirely — no longer logged
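
To look for the same pattern in other log statements, as Step 1 advises, a source scan can apply the two lists to every message template. The script below is an added example, not Cerbi tooling or code from this page; the field lists hold only the names this chapter mentions, the case-insensitive match is the script's own choice, and only plain string-literal templates are inspected.

```python
import re

# Assumption: only the fields this chapter names; the full lists live in your governance profile.
DISALLOWED_FIELDS = {"creditCardNumber"}
REQUIRED_FIELDS = {"correlationId", "eventName"}

# logger.Log<Level>( ... "template": the first plain string literal in the call,
# optionally preceded by a non-string argument such as an exception.
LOG_CALL = re.compile(
    r'\.Log(?:Trace|Debug|Information|Warning|Error|Critical)\(\s*'
    r'(?:[^";]*?,\s*)?"((?:[^"\\]|\\.)*)"')
# {name}, {@name}, {name:format}, {name,width}. "{{" is an escaped brace, not a field.
PLACEHOLDER = re.compile(r'(?<!\{)\{[@$]?(\w+)[^{}]*\}')


def scan(source):
    """Return (line, kind, field) for every violation in C# source text."""
    findings = []
    for call in LOG_CALL.finditer(source):
        line = source.count("\n", 0, call.start()) + 1
        # Case-insensitive on purpose: {CreditCardNumber} leaks the same data.
        logged = {name.casefold() for name in PLACEHOLDER.findall(call.group(1))}
        findings += [(line, "disallowed", f) for f in sorted(DISALLOWED_FIELDS)
                     if f.casefold() in logged]
        findings += [(line, "missing", f) for f in sorted(REQUIRED_FIELDS)
                     if f.casefold() not in logged]
    return findings


# Templates from this chapter (argument lists abbreviated), plus one constructed case.
BEFORE = '''logger.LogInformation(
    "Checkout started for {userId} paying with {creditCardNumber}",
    request.UserId, request.CreditCardNumber);'''
AFTER = '''logger.LogInformation(
    "Checkout started {eventName} for {userId} {correlationId} amount {amount}",
    "CheckoutStarted", request.UserId, correlationId, request.Amount);'''
CONSTRUCTED = ('logger.LogError(ex, "Refund failed {eventName} {correlationId} '
               'card {CreditCardNumber:X}", name, id, card);')

if __name__ == "__main__":
    for label, src in [("before", BEFORE), ("after", AFTER), ("constructed", CONSTRUCTED)]:
        print(label, scan(src))
```

Interpolated strings (`$"..."`) and templates built by concatenation carry no named placeholders, so this scan skips them and they need a separate review.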

Step 3 of 3

What happens after the fix is deployed

Once the developer deploys the fixed code, the next checkout log event will pass all governance rules. The runtime will create a GovernanceCheckPassed audit record. The open violations in the dashboard will be marked Resolved. The governance score for the application will increase — in this case from 82 to 96.

Governance Score: 82 (At Risk)

3 open violations — 1 Critical, 2 Medium

creditCardNumber (Critical, VIO-0041): Open
correlationId (Medium, VIO-0042): Open
eventName (Medium, VIO-0043): Open

Cerbi | Logging Governance for Your Stack