prod-guard-oss

Frequently Asked Questions (FAQ)

This document answers the most common questions about prod-guard, its purpose, behavior, licensing model, and how it compares to existing solutions.

General

What is prod-guard?

prod-guard is a startup-time production readiness validation framework for Spring Boot applications.

It detects common misconfigurations, risky defaults, and production anti-patterns before the application begins serving traffic.

Unlike monitoring tools, prod-guard focuses on prevention, not observation.

Is prod-guard a monitoring or security tool?

No.

prod-guard is not:

A monitoring platform
An APM
A vulnerability scanner
A runtime security agent

It complements those tools by ensuring the application is correctly configured before startup.

When does prod-guard run?

Exactly once, during application startup.

After startup completes, prod-guard has zero runtime overhead.

Adoption & Usage

Does prod-guard block application startup?

It can, but only if you want it to.

Blocking behavior depends on:

Check severity
Severity overrides
prodguard.report-only configuration

This allows gradual adoption without breaking existing systems.

Can prod-guard run outside production?

Yes.

By default, prod-guard runs only when a production profile is active (prod or production).

To force execution in other environments:

prodguard:
  force: true

This is commonly used in CI pipelines and staging environments.

Can we disable specific checks?

Yes.

Any check can be:

Disabled
Downgraded
Upgraded

Example:

prodguard:
  severity:
    PG-011: DISABLED
    PG-012: WARN

Licensing

Is prod-guard free?

prod-guard offers two tiers:

FREE – Core production readiness checks
PREMIUM – Advanced checks requiring a license

FREE checks work without any license.

How does licensing work?

prod-guard uses offline, cryptographically signed licenses.

No network calls
No SaaS dependency
No callbacks

A license is verified locally at startup using an embedded public key.

What happens if no license is present?

FREE checks are executed
PREMIUM checks are skipped
Explicit warnings are logged

The application continues to start normally.

What happens if the license is expired?

An expired license is treated as invalid.

PREMIUM checks are disabled
A warning is logged indicating expiration

No application functionality is blocked.

Does prod-guard “phone home”?

No. Never.

prod-guard does not:

Send telemetry
Contact license servers
Collect usage data

This is a deliberate architectural decision.

Security

How secure is the licensing mechanism?

Licenses are signed using Ed25519 asymmetric cryptography.

Private key is used only for license generation
Public key is embedded in the runtime
Licenses cannot be forged without the private key

Comparison

How is prod-guard different from monitoring tools?

Monitoring tools:

Detect issues after deployment
Generate alerts
Require operational effort

prod-guard:

Prevents issues before deployment
Fails fast
Requires no runtime operation

How does prod-guard compare to static analysis?

Static analysis:

Analyzes code
Cannot see runtime configuration

prod-guard:

Analyzes runtime configuration
Detects environment-specific issues

Support & Roadmap

Is prod-guard production ready?

Yes.

prod-guard is designed for:

Enterprise Spring Boot applications
Regulated environments
Offline deployments

Will more checks be added?

Yes.

The check catalog is expected to grow, especially in:

Security hardening
Cloud-native best practices
Compliance-oriented checks

Next Steps

← Back to index