Deploying a high-risk feature without a feature flag means the only remediation for a bad release is a full rollback — redeploying old code, re-running migrations in reverse, and potentially incurring downtime. NIST CM-3 covers controlled configuration changes; feature flags implement that control at runtime without touching infrastructure. A flag that can be toggled in a dashboard in seconds is vastly safer than a rollback that takes 15 minutes. Teams without feature flags tie their deployment risk directly to their rollback speed.
Medium because missing feature flags force full rollbacks for high-risk feature failures, but the risk is only realized when a high-risk feature ships and misbehaves.
Integrate a feature flag service such as LaunchDarkly (free tier) or self-hosted Unleash for high-risk or experimental features.
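npm install launchdarkly-react-client-sdk
Wrap high-risk features in a flag check:
// useFlags() returns every flag for the current context; with the SDK's
// default camelCase keys, 'new-checkout-flow' is exposed as newCheckoutFlow.
import { useFlags } from 'launchdarkly-react-client-sdk';
export function CheckoutFlow() {
  // Fall back to false (legacy path) until a flag value is available.
  const { newCheckoutFlow = false } = useFlags();
  return newCheckoutFlow ? <NewCheckout /> : <LegacyCheckout />;
}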
Configure the flag default to false (off) and enable it incrementally: 1% → 10% → 50% → 100% of traffic. If error rates spike at any stage, toggle the flag off in the LaunchDarkly dashboard — no code change, no deployment, no downtime.
ID: deployment-readiness.monitoring-alerting.feature-flags
Severity: medium
What to look for: Enumerate every relevant item. Look for a feature flag library in the dependencies: launchdarkly, unleash, split.io, or a custom implementation. Check for feature flag usage in code (conditional logic based on flags). Verify that flags can be toggled in a dashboard or configuration service without redeployment.
Pass criteria: At least 1 of the following conditions is met. Feature flags are implemented for high-risk or experimental features. Flags are toggleable via a control panel or configuration service without code redeployment.
Fail criteria: No feature flags found, or flags exist but require code changes to toggle.
Skip (N/A) when: The project is simple with low-risk deployments, or no high-risk features are being developed.
Detail on fail: "No feature flag library detected in dependencies." or "Feature flag library installed but no flags configured. Feature toggles require code changes."
Remediation: Integrate a feature flag service. Using LaunchDarkly (free tier) or Unleash (open source):
npm install launchdarkly-react-client-sdk
Then in your app:
import { useFlags } from 'launchdarkly-react-client-sdk';
export function MyComponent() {
  // 'new-checkout-flow' is exposed as newCheckoutFlow (default camelCase keys).
  const { newCheckoutFlow } = useFlags();
  return newCheckoutFlow ? <NewCheckout /> : <OldCheckout />;
}
Configure flags in the LaunchDarkly dashboard to toggle high-risk features without redeployment.
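One way to automate the "What to look for" steps and produce the two "Detail on fail" messages above. This is an added example, not part of the original check or of any vendor SDK; the function name, the package-name patterns, the call patterns and the sample inputs are assumptions made for illustration.

```javascript
// Added example: static check for deployment-readiness.monitoring-alerting.feature-flags.
// FLAG_PACKAGES and FLAG_CALLS are illustrative assumptions, not an official list.
const FLAG_PACKAGES = [/launchdarkly/i, /unleash/i, /splitio/i];
// Evaluation calls: LaunchDarkly (useFlags, useLDClient, variation),
// Unleash (useFlag, isEnabled), Split (getTreatment).
const FLAG_CALLS = /\b(useFlags?|useLDClient|variation|isEnabled|getTreatment)\s*\(/;

// pkg: parsed package.json object; sources: { filePath: fileContents }.
function auditFeatureFlags(pkg, sources) {
  const deps = Object.keys(pkg.dependencies || {});
  const libs = deps.filter((name) => FLAG_PACKAGES.some((re) => re.test(name)));
  if (libs.length === 0) {
    return { status: 'fail', libs, usedIn: [],
      detail: 'No feature flag library detected in dependencies.' };
  }
  // Skip commented-out lines so dead code does not count as flag usage.
  const usedIn = Object.entries(sources)
    .filter(([, text]) => text.split('\n')
      .some((line) => !line.trim().startsWith('//') && FLAG_CALLS.test(line)))
    .map(([path]) => path);
  if (usedIn.length === 0) {
    return { status: 'fail', libs, usedIn,
      detail: 'Feature flag library installed but no flags configured. ' +
              'Feature toggles require code changes.' };
  }
  return { status: 'pass', libs, usedIn, detail: 'Flag checks found in code.' };
}

// Constructed sample inputs (not taken from a real project).
const pkgNoLib = { dependencies: { react: '^18.0.0' } };
const pkgWithLib = {
  dependencies: { react: '^18.0.0', 'launchdarkly-react-client-sdk': '^3.0.0' },
};
const srcUnused = {
  'src/Checkout.jsx': 'export const Checkout = () => <LegacyCheckout />;',
};
const srcCommented = {
  'src/Checkout.jsx': '// const on = client.variation("new-checkout-flow", false);',
};
const srcUsed = {
  'src/Checkout.jsx':
    'const { newCheckoutFlow = false } = useFlags();\n' +
    'return newCheckoutFlow ? <NewCheckout /> : <LegacyCheckout />;',
};

console.log(auditFeatureFlags(pkgNoLib, srcUsed).detail);
console.log(auditFeatureFlags(pkgWithLib, srcUnused).detail);
console.log(auditFeatureFlags(pkgWithLib, srcUsed).status);
```

A pass here only shows that a library and flag checks are present; whether the flag can be toggled in a dashboard without redeployment still has to be verified by hand.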