
feat: initial support for ASM inside the tracer #621


Merged
merged 7 commits into from
Jun 26, 2025

Conversation

florentinl
Contributor

@florentinl florentinl commented Jun 19, 2025

Adds Application Security Management (ASM) – Threat Detection support to the Python Lambda layer.

What does this PR do?

  • Ship libddwaf.so in the layer

    • Shared library that powers the core security‑rules engine
    • Size: 2.6 MB (adds ≈ 0.8 MB to the compressed layer)
    • Note: This requires bumping the layer size limit in the CI
  • Parse incoming HTTP events and forward enriched data to ASM when enabled

    • Activation flag: DD_APPSEC_ENABLED
    • Note: This is deliberately distinct from DD_SERVERLESS_APPSEC_ENABLED (extension‑level enablement) currently in use by ASM clients in lambda

Motivation

Enable AppSec through the tracer in the context of AWS Lambda

Testing Guidelines

  • unit tests for event information extraction
  • benchmarking (using this repo) with DD_APPSEC_ENABLED=false to ensure that there is no impact with ASM disabled. Before is main and after is this branch, both using dd-trace-py from main:
[benchmark screenshot]
  • manual testing for now for ASM, integration tests will be done later in system-tests

Additional Notes

With appsec enabled during the benchmarks, I started to see the following logs:

failed to send traces to intake at http://localhost:8126/v0.4/traces: HTTP error status 400, reason Bad Request, message b'msgp: attempted to decode type "float64" with method for "int" at 0/0/Start\n'

The problem comes from a misplaced int cast when setting the start_ns of the lambda-url inferred span.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch 3 times, most recently from 630bdfc to 10563b4 Compare June 19, 2025 11:56
@florentinl florentinl marked this pull request as ready for review June 19, 2025 12:25
@florentinl florentinl requested review from a team as code owners June 19, 2025 12:25
@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch from 01bbb20 to 236b7ca Compare June 19, 2025 12:26
self.span,
status_code,
self.event_source,
response=self.response,
Contributor

The self.response might not be a dictionary, right?

Contributor Author

@florentinl florentinl Jun 25, 2025


Yes, you are right; it happens in two cases:

  • Malformed responses
  • For API Gateway HTTP API events with payload version 2 or Lambda function URL events, the function may return just the body of the response

I pushed a fix, thank you.
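The two failure modes discussed in this thread, the handler response that is not a dict (the review comment above) and the float-typed start_ns that the trace intake rejected with the msgp decode error quoted in the PR description, as an added Python example. This is not code from the PR, from datadog-lambda-python or from dd-trace-py; the function names, the list of integer-typed span fields and the sample inputs are assumptions made for illustration.

```python
"""Added example, not code from the project: normalising a Lambda handler
response that may not be a dict, and keeping an inferred span's start_ns
an int so the msgpack-encoded trace is accepted by the intake.

Hypothetical names: inferred_span_start_ns, extract_response_info,
check_span_int_fields, INT_SPAN_FIELDS.
"""
from typing import Any, Dict, List, Mapping, Tuple

# Span fields assumed here to be decoded as integers by the trace intake.
INT_SPAN_FIELDS = ("start", "duration", "error")


def inferred_span_start_ns(request_time_epoch_ms: Any) -> int:
    """Convert an API Gateway / Function URL requestTimeEpoch (milliseconds,
    int or numeric string) into an integer nanosecond timestamp.

    Integer arithmetic only: int * int stays int. Writing int(ms) * 1e6
    instead would produce a float (1e6 is a float literal), which a msgpack
    decoder expecting an int rejects, exactly the kind of 400 quoted in the
    PR description.
    """
    return int(request_time_epoch_ms) * 1_000_000


def extract_response_info(response: Any) -> Tuple[int, Dict[str, str], Any]:
    """Return (status_code, headers, body) from a handler's return value.

    A dict is read in the proxy-integration shape (statusCode/headers/body),
    tolerating malformed fields. Anything else (string, bytes, list, None)
    is treated as a 200 whose body is the value itself, which is how API
    Gateway HTTP API payload v2 and Lambda Function URLs interpret a
    non-dict return value.
    """
    if not isinstance(response, dict):
        return 200, {}, response

    status: Any = response.get("statusCode", 200)
    try:
        status = int(status)
    except (TypeError, ValueError):
        status = 200  # malformed statusCode: default rather than crash the tracer

    raw_headers = response.get("headers") or {}
    if not isinstance(raw_headers, dict):
        raw_headers = {}  # malformed headers: ignore them
    # Lower-case header names so later lookups are case-insensitive.
    headers = {str(k).lower(): str(v) for k, v in raw_headers.items()}

    return status, headers, response.get("body")


def check_span_int_fields(span: Mapping[str, Any]) -> List[str]:
    """Return the names of integer span fields that are present but not ints.

    An empty list means the span would pass an int type check on those
    fields; bools are rejected too because msgpack encodes them as bool.
    """
    bad = []
    for field in INT_SPAN_FIELDS:
        if field not in span:
            continue
        value = span[field]
        if isinstance(value, bool) or not isinstance(value, int):
            bad.append(field)
    return bad


if __name__ == "__main__":
    # Constructed sample values, not captured from a real invocation.
    buggy_start = 1750334160123 * 1e6          # float: what a misplaced cast produces
    fixed_start = inferred_span_start_ns(1750334160123)
    print(check_span_int_fields({"start": buggy_start, "duration": 5}))  # ['start']
    print(check_span_int_fields({"start": fixed_start, "duration": 5}))  # []
    print(extract_response_info("just a body"))
    print(extract_response_info({"statusCode": "404", "headers": {"X-Foo": "bar"}, "body": "nf"}))
```

The check_span_int_fields pass is the kind of guard a practitioner can run in a unit test over the spans the layer produces, so a type regression like the one in the PR description shows up locally instead of as a 400 from the intake.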

@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch from 19ed75a to 6a02cc6 Compare June 25, 2025 11:40
@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch from 6a02cc6 to 095ba6d Compare June 25, 2025 11:49
@florentinl florentinl requested a review from joeyzhao2018 June 25, 2025 11:57
Contributor

@joeyzhao2018 joeyzhao2018 left a comment


LGTM

@florentinl florentinl merged commit 555ed5b into main Jun 26, 2025
61 checks passed
@florentinl florentinl deleted the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch June 26, 2025 07:54