Known Limitations

SecureObs is in private beta. This page lists the important limitations users should understand before evaluating it for production workflows.

Security And Trust

  • No external penetration test has been completed.
  • No SOC 2, ISO 27001, HIPAA, FedRAMP, or similar certification is claimed.
  • Microsoft Entra ID is the only login provider today.
  • The role model is coarse: Owner, Admin, Member.
  • PostgreSQL row-level security protects the core tenant tables, not every table.
  • SCIM provisioning is not implemented.
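A check a practitioner evaluating the row-level security statement above would want, added here as an example and not part of SecureObs or its documentation: a PostgreSQL catalog query that lists every user table, whether row-level security is enabled and forced, and how many policies it carries. It assumes only a connection to the application database with read access to the system catalogs; the schema names it excludes are the standard PostgreSQL system schemas.

```sql
-- Added example (not SecureObs code): audit row-level security coverage per table.
-- rls_enabled  = ALTER TABLE ... ENABLE ROW LEVEL SECURITY has been run
-- rls_forced   = ALTER TABLE ... FORCE ROW LEVEL SECURITY (owner is also subject to policies)
-- policy_count = number of policies defined in pg_policies for the table
SELECT n.nspname              AS schema_name,
       c.relname              AS table_name,
       c.relrowsecurity       AS rls_enabled,
       c.relforcerowsecurity  AS rls_forced,
       (SELECT count(*)
          FROM pg_policies p
         WHERE p.schemaname = n.nspname
           AND p.tablename  = c.relname) AS policy_count
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE c.relkind IN ('r', 'p')                        -- ordinary and partitioned tables
   AND n.nspname NOT IN ('pg_catalog', 'information_schema')
   AND n.nspname NOT LIKE 'pg_toast%'
 ORDER BY rls_enabled, policy_count, schema_name, table_name;
```

Reading the result: rows with rls_enabled false are protected only by table-level grants, which is the gap the bullet above describes. A table with rls_enabled true and policy_count 0 is default-deny for ordinary roles, which is safe but usually unintended. rls_forced false means the table owner bypasses the policies, and superusers or roles with the BYPASSRLS attribute bypass row-level security on every table regardless, so the application role should be neither.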

Product Scope

  • SecureObs is not a Snyk, Wiz, or Semgrep App replacement.
  • CodeQL, SonarQube, Snyk, and OWASP ZAP are not active bundled scanner drivers.
  • Source-code deep links are not fully implemented.
  • PR comments are tier-gated and run from customer CI credentials.

Notifications

  • Email notifications are disabled in private beta.
  • Outbound webhooks to Slack, Teams, PagerDuty, or similar systems are not implemented.

Scale And Reliability

  • The service is not battle-tested at scale.
  • Deployment is single-region.
  • There is no active/active failover.
  • Large finding lists are clamped server-side, and dashboard pagination is still limited.

Testing

  • Backend tests cover unit, HTTP integration, and PostgreSQL-backed isolation checks.
  • The Angular dashboard does not yet have full automated end-to-end coverage.

Operations

  • No blue/green deployment process is documented.
  • Rollback drills are not yet rehearsed.
  • On-call coverage is private-beta grade.