NIST SP 800-53 AU-2 (Event Logging) requires organizations to identify the event types their systems must be capable of logging; this check applies that principle to database query timing. Database query performance is the most common hidden cause of SaaS slowdowns at scale: N+1 query patterns that execute in milliseconds against a development database with 100 rows take seconds against production with 100,000 rows. Without slow query monitoring, these regressions stay invisible until P99 latency degrades or database CPU spikes. Unlike application-level performance monitoring, query monitoring needs either ORM-level hooks or database-level configuration: the application server cannot observe query timing without instrumenting the database client directly.
Severity is low because query performance issues are latency-degradation problems rather than direct security exposures, but undetected slow queries cause cascading outages once connection pools saturate, which is an availability failure.
Enable query logging at the ORM level and apply a duration threshold in the handler so that only slow queries emit log events, not every query.
For Prisma (the logger is assumed to be a structured logger with a warn(obj, msg) signature, such as pino):

  import { PrismaClient } from '@prisma/client'
  import pino from 'pino'

  const logger = pino()

  // Prisma's log levels are 'query', 'info', 'warn' and 'error'. Emitting
  // 'query' as an event (instead of to stdout) lets the handler filter on duration.
  const prisma = new PrismaClient({
    log: [
      { emit: 'event', level: 'query' }
    ]
  })

  prisma.$on('query', (e) => {
    // e.duration is in milliseconds. e.params holds the bound values and is
    // deliberately not logged: it can contain PII or credentials.
    if (e.duration > 1000) { // queries slower than 1 second
      logger.warn(
        { query: e.query, duration: e.duration },
        'Slow query detected'
      )
    }
  })
For Supabase, the Query Performance page in the Supabase dashboard shows slow queries automatically — check it after any deploy that touches database access patterns. No code changes required for Supabase's built-in query insights.
ID: saas-logging.observability.db-query-performance
Severity: low
What to look for: Enumerate all relevant files and check for slow query logging or query performance monitoring. Look for: Prisma query logging configuration (a log entry with level: 'query' and emit: 'event' in the PrismaClient constructor, with a duration check in the $on('query') handler; Prisma has no built-in slow-query level), Drizzle query logging, ORM-level query timing hooks, database-level slow query log configuration (if self-hosted Postgres), Supabase slow query log integration, or APM tools with database query tracing (Datadog DB monitoring, Sentry DB spans, New Relic DB tracing). Supabase provides query performance insights in the dashboard; check for mention of using this in documentation.
Pass criteria: At least 1 implementation must be present. Slow database queries are either logged or tracked through an ORM hook, database log, or APM integration. At minimum, query durations above a threshold are visible somewhere.
Fail criteria: No query performance monitoring found. Queries run without any timing tracking.
Skip (N/A) when: No database detected. Signal: no database dependency in package.json (no pg, mysql2, mongodb, @supabase/supabase-js, firebase-admin, etc.) and no ORM config file.
Detail on fail: "No database query performance monitoring found — Prisma is configured without query logging and no APM database tracing is active"
Remediation: N+1 queries and missing indexes are the most common cause of SaaS performance degradation as data grows. Without query monitoring, these problems are invisible until users start complaining.
For Prisma, emit query events and filter on duration in the handler (Prisma's log levels are 'query', 'info', 'warn' and 'error'; there is no slow-query level, so the threshold lives in the handler):

  import { PrismaClient } from '@prisma/client'

  // logger: your structured logger with a warn(obj, msg) signature, e.g. pino
  const prisma = new PrismaClient({
    log: [
      { emit: 'event', level: 'query' }
    ]
  })

  prisma.$on('query', (e) => {
    // e.duration is in milliseconds; e.params (bound values) is left out of the log on purpose
    if (e.duration > 1000) { // log queries slower than 1 second
      logger.warn({ query: e.query, duration: e.duration }, 'Slow query detected')
    }
  })
For Supabase, the dashboard's Query Performance page shows slow queries automatically — no configuration needed.
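The Prisma hook shown under "For Prisma" and again in the Remediation field filters on a single duration threshold. The following is an added example, not code from the original page, from Prisma or from Supabase, that extends the same $on('query') handler with two things a practitioner usually wants: literal values and positional parameters are stripped from the logged query shape so bound values never reach the log, and repeated identical shapes within one request are counted to flag N+1 patterns, which are individually fast and therefore never cross a slow-query threshold. The request id source (getRequestId), the pino-style logger and the sample events are assumptions or constructed data; the fake PrismaClient in runDemo only implements $on so the block runs offline.

```javascript
'use strict';

// Added example (not from the original page, Prisma or Supabase): a query
// monitor for Prisma's $on('query') hook that reports slow queries and
// N+1 patterns without ever logging bound parameter values.

// Reduce a SQL string to its "shape": Prisma's $n placeholders, quoted
// string literals and numeric literals become '?', whitespace is collapsed.
// Two goals: the logged text carries no data values, and queries that differ
// only in their literals (the N+1 signature) map to the same key.
function normalizeQuery(sql) {
  return sql
    .replace(/\$\d+/g, '?')                 // Postgres/Prisma positional params
    .replace(/'(?:[^']|'')*'/g, '?')        // single-quoted string literals
    .replace(/\b\d+(?:\.\d+)?\b/g, '?')     // numeric literals
    .replace(/\s+/g, ' ')
    .trim();
}

// slowMs: duration threshold in milliseconds (Prisma reports e.duration in ms).
// nPlusOneCount: identical shapes within one request before an N+1 report.
// logger: any object with warn(obj, msg), e.g. pino (assumption).
function createQueryMonitor({ slowMs = 1000, nPlusOneCount = 10, logger = console } = {}) {
  const counts = new Map();   // "requestId|shape" -> occurrences so far
  const reported = new Set(); // keys already reported as N+1 (report once)
  const events = [];          // everything reported, for tests and dashboards

  function report(kind, fields) {
    const entry = { kind, ...fields };
    events.push(entry);
    logger.warn(entry, kind === 'slow_query' ? 'Slow query detected' : 'Possible N+1 query pattern');
    return entry;
  }

  return {
    // e is a Prisma QueryEvent: { timestamp, query, params, duration, target }.
    // e.params is deliberately never copied into a log entry.
    onQuery(e, requestId = 'no-request') {
      const shape = normalizeQuery(e.query);
      const out = [];
      if (e.duration > slowMs) {
        out.push(report('slow_query', { requestId, shape, duration: e.duration }));
      }
      const key = `${requestId}|${shape}`;
      const n = (counts.get(key) || 0) + 1;
      counts.set(key, n);
      if (n >= nPlusOneCount && !reported.has(key)) {
        reported.add(key);
        out.push(report('n_plus_one', { requestId, shape, count: n }));
      }
      return out;
    },
    // Call when a request finishes so per-request counters are released.
    endRequest(requestId) {
      for (const key of counts.keys()) {
        if (key.startsWith(`${requestId}|`)) {
          counts.delete(key);
          reported.delete(key);
        }
      }
    },
    events,
  };
}

// Wire the monitor to a PrismaClient constructed with
// log: [{ emit: 'event', level: 'query' }]. getRequestId is assumed to
// return the current request's id (e.g. from AsyncLocalStorage).
function attachToPrisma(prisma, monitor, getRequestId) {
  prisma.$on('query', (e) => monitor.onQuery(e, getRequestId()));
}

// Constructed sample events in the shape Prisma delivers them; not captured
// from a real system. One slow lookup, then twelve fast per-author queries
// of identical shape, which is what an N+1 loop produces.
const sampleEvents = [
  { timestamp: new Date(), query: 'SELECT "public"."User"."id" FROM "public"."User" WHERE "public"."User"."id" = $1', params: '[42]', duration: 1540, target: 'quaint::connector::metrics' },
  ...Array.from({ length: 12 }, (_, i) => ({
    timestamp: new Date(),
    query: `SELECT * FROM "public"."Post" WHERE "public"."Post"."authorId" = ${i + 1}`,
    params: '[]',
    duration: 3,
    target: 'quaint::connector::metrics',
  })),
];

// Run the sample through a monitor via a fake PrismaClient that only has $on.
function runDemo(logger = console) {
  const monitor = createQueryMonitor({ slowMs: 1000, nPlusOneCount: 10, logger });
  const listeners = {};
  const fakePrisma = { $on(level, fn) { listeners[level] = fn; } };
  attachToPrisma(fakePrisma, monitor, () => 'req-1');
  for (const e of sampleEvents) listeners.query(e);
  monitor.endRequest('req-1');
  return monitor.events;
}

runDemo();
```

In production, replace the fake client with the real PrismaClient and endRequest with a call from your request-scope teardown (for example when the AsyncLocalStorage context ends); the normalized shape is also a good key for rate-limiting how often the same slow query is reported.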