feat: add sensitive data detection rules (RES-010, SPA-006, LOG-003)

[jpkrohling]

Summary

Propose three new Critical rules that detect sensitive data leaking through telemetry:

• RES-010: Resource attribute values do not contain sensitive data (e.g., credentials in process.command_args)
• SPA-006: Span attribute values do not contain sensitive data (e.g., PII in db.query.text, url.full)
• LOG-003: Log record bodies do not contain sensitive data (e.g., user context dumped in application logs)

Each rule covers the same categories of sensitive data — personal identifiers, financial data, credentials & secrets, and health data — with target-specific criteria and examples.

Motivation

Telemetry data is typically stored in observability backends with broader access than production databases. Sensitive data in telemetry creates compliance risks (GDPR, HIPAA, PCI-DSS) and security vulnerabilities. The OTel Semantic Conventions explicitly discourage recording sensitive information, but the spec has no rule flagging it.

Open questions

1. Pattern specificity: Should the spec prescribe specific regex patterns, or leave detection heuristics to implementers?
2. Impact level: Is Critical the right level for all three, or should some be Important given the heuristic nature of pattern matching?
3. Overlap with RES-006–RES-009: RES-009 (Data Sensitivity) from OTEL-99 covers service.data_sensitivity — complementary but distinct.

Test plan

• Verify rule IDs don't conflict with existing or proposed rules
• Confirm rule format matches _template.md
• Review criteria for clarity and implementability
• Community discussion on open questions above

Closes #51

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 75d607c7-9171-4b17-9808-1106ff375300

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mmanciop]

I think this is a case for "Ad Omnia" rules: you should not have sensitive data anywhere in your telemetry. For example, why would it be acceptable to have PII in log attributes or metrics datapoint attributes (or metrics name or unit!)