Skip to content

AppSec Lambda: Analyze HTTP response#11750

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 24 commits into
masterfrom
clara.poncet/appsec-lambda-response
Jul 10, 2026
Merged

AppSec Lambda: Analyze HTTP response#11750
gh-worker-dd-mergequeue-cf854d[bot] merged 24 commits into
masterfrom
clara.poncet/appsec-lambda-response

Conversation

@claponcet

@claponcet claponcet commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

What Does This Do

Adds AppSec response analysis for AWS Lambda: LambdaAppSecHandler.processResponseData
parses the Lambda response object and fires the WAF gateway events (responseStarted,
responseHeader, responseHeaderDone, responseBody) with the extracted status code,
headers, and body.

Trigger-type detection (API Gateway v1/v2, ALB, Lambda URL, WebSocket) is added to
processRequestStart and stored in a ThreadLocal. processResponseData uses it to
decide whether to parse the response as an API-GW envelope or fall back to treating the
whole payload as a plain response body, matching how non-envelope HTTP triggers behave.

CoreTracer.notifyAppSecEnd is extended to receive the raw result object so it can be
forwarded to processResponseData from the Lambda handler instrumentation.

Additional extraction improvements:

  • Response header keys are lowercased (Locale.ROOT) to normalise casing across API GW / ALB variants
  • isBase64Encoded accepts "true" (string) in addition to Boolean.TRUE

LambdaHandlerInstrumentationTest and LambdaAppSecHandlerTest migrated from Spock/Groovy
to JUnit 5 Java, with new test cases for response analysis and trigger-type gating.

processRequestEnd now propagates ASM_KEEP for traces where the WAF set isManuallyKept() via a trace-tagging rule but produced no WAF events. In Lambda the WAF runs before the span exists, so GatewayBridge's existing guard (which gates the tag on non-empty events) never fires for this case; the fix applies the tags directly in processRequestEnd. A minimal AppSecContext interface is introduced in internal-api to expose isManuallyKept() across module boundaries.

Motivation

Allows the WAF to inspect Lambda HTTP responses for threats.

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-60532

@claponcet claponcet force-pushed the clara.poncet/appsec-lambda-response branch from 090da74 to 65bb844 Compare June 26, 2026 09:08
@claponcet claponcet changed the title AppSec Lambda: HTTP trigger type detection and resource name fix for extension dedup AppSec Lambda: Analyze HTTP response Jun 26, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite Status
Startup 🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results
Scenario Candidate master Δ (95% CI of mean)
startup:insecure-bank:iast:Agent 14.01 s 13.96 s [-0.4%; +1.1%] (no difference)
startup:insecure-bank:tracing:Agent 12.93 s 13.05 s [-1.8%; -0.1%] (maybe better)
startup:petclinic:appsec:Agent 16.89 s 16.73 s [-0.1%; +1.9%] (no difference)
startup:petclinic:iast:Agent 16.87 s 16.88 s [-0.9%; +0.8%] (no difference)
startup:petclinic:profiling:Agent 16.59 s 16.76 s [-2.2%; +0.2%] (no difference)
startup:petclinic:sca:Agent 16.89 s 16.88 s [-0.9%; +1.0%] (no difference)
startup:petclinic:tracing:Agent 16.03 s 16.06 s [-1.0%; +0.6%] (no difference)

Commit: 4476be49 · CI Pipeline · Benchmarking Platform UI


Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

@claponcet

Copy link
Copy Markdown
Contributor Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3d2a12a4fb

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread dd-trace-core/src/main/java/datadog/trace/lambda/LambdaAppSecHandler.java Outdated
@claponcet claponcet added type: feature Enhancements and improvements comp: asm waf Application Security Management (WAF) labels Jun 29, 2026
@claponcet claponcet marked this pull request as ready for review June 29, 2026 11:44
@claponcet claponcet requested review from a team as code owners June 29, 2026 11:44
@claponcet claponcet requested review from PerfectSlayer and mtoffl01 and removed request for a team June 29, 2026 11:44
@dd-octo-sts dd-octo-sts Bot added the tag: ai generated Largely based on code generated by an AI or LLM label Jun 29, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 868f9a139e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@claponcet claponcet requested a review from jandro996 June 29, 2026 14:37
@claponcet claponcet force-pushed the clara.poncet/appsec-lambda-response branch from 868f9a1 to 7e4ae3e Compare June 30, 2026 11:26
Comment thread dd-trace-core/src/main/java/datadog/trace/lambda/LambdaAppSecHandler.java Outdated
Comment thread dd-trace-core/src/main/java/datadog/trace/lambda/LambdaAppSecHandler.java Outdated
@jandro996

Copy link
Copy Markdown
Member

While reviewing the changes in this file, I noticed a few pre-existing lines (not touched by this PR) that also use fully-qualified names for classes already imported (List, Collections, Collectors): lines 669, 670, 675, 824, 853, 901, 902, 908. Not blocking this PR, just flagging in case you want to clean them up while you're in this file.

@claponcet claponcet requested a review from jandro996 July 2, 2026 08:44
@claponcet claponcet requested a review from a team as a code owner July 3, 2026 13:27

@jandro996 jandro996 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@datadog-prod-us1-6

datadog-prod-us1-6 Bot commented Jul 9, 2026

Copy link
Copy Markdown

🎯 Code Coverage (details)
Patch Coverage: 86.18%
Overall Coverage: 56.56% (-0.38%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 4476be4 | Docs | Datadog PR Page | Give us feedback!

@claponcet claponcet added this pull request to the merge queue Jul 10, 2026
@dd-octo-sts

dd-octo-sts Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 10, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-10 08:42:34 UTC ℹ️ Start processing command /merge


2026-07-10 08:42:39 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 2h (p90).


2026-07-10 09:42:04 UTC ℹ️ MergeQueue: This merge request was merged

@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jul 10, 2026
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 0ec0f9a into master Jul 10, 2026
588 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the clara.poncet/appsec-lambda-response branch July 10, 2026 09:42
@github-actions github-actions Bot added this to the 1.65.0 milestone Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp: asm waf Application Security Management (WAF) tag: ai generated Largely based on code generated by an AI or LLM type: feature Enhancements and improvements

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants