Skip to content

feat: initial support for ASM inside the tracer#621

Merged
florentinl merged 7 commits intomainfrom
florentin.labelle/APPSEC-57889/enable-asm-for-lambda
Jun 26, 2025
Merged

feat: initial support for ASM inside the tracer#621
florentinl merged 7 commits intomainfrom
florentin.labelle/APPSEC-57889/enable-asm-for-lambda

Conversation

@florentinl
Copy link
Contributor

@florentinl florentinl commented Jun 19, 2025
edited
Loading

Adds Application Security Management (ASM) – Threat Detection support to the Python Lambda layer.

What does this PR do?

  • Ship libddwaf.so in the layer

    • Shared library that powers the core security‑rules engine
    • Size: 2.6 MB (adds ≈ 0.8 MB to the compressed layer)
    • Note: This requires to bump the layer size limit in the CI

  • Parse incoming HTTP events and forward enriched data to ASM when enabled

    • Activation flag: DD_APPSEC_ENABLED
    • Note: This is deliberately distinct from DD_SERVERLESS_APPSEC_ENABLED (extension‑level enablement) currently in use by ASM clients in lambda

Motivation

Enable AppSec through the tracer in the context of AWS Lambda

Testing Guidelines

  • unit tests for event information extraction
  • benchmarking (using this repo) with DD_APPSEC_ENABLED=false to ensure that there is no impact with ASM disabled. before is main and after is this branch both using dd-trace-py from main :
image
  • manual testing for now for ASM, integration tests will be done later in system-tests

Additional Notes

With appsec enabled during the benchmarks, I started to see the following logs:

failed to send traces to intake at http://localhost:8126/v0.4/traces: HTTP error status 400, reason Bad Request, message b'msgp: attempted to decode type "float64" with method for "int" at 0/0/Start\n'

The problem comes from a misplaced int cast when setting the start_ns of the lambda-url inferred span.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch 3 times, most recently from 630bdfc to 10563b4 Compare June 19, 2025 11:56
@florentinl florentinl marked this pull request as ready for review June 19, 2025 12:25
@florentinl florentinl requested review from a team as code owners June 19, 2025 12:25
@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch from 01bbb20 to 236b7ca Compare June 19, 2025 12:26
joeyzhao2018
joeyzhao2018 reviewed Jun 24, 2025
View reviewed changes
datadog_lambda/wrapper.py
self.span,
status_code,
self.event_source,
response=self.response,
Copy link
Contributor

@joeyzhao2018 joeyzhao2018 Jun 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the self.response might not be a Dictionary, right?

Copy link
Contributor Author

@florentinl florentinl Jun 25, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you are right, it happens in two cases:

  • malformed responses
  • For API Gateway HTTP API events with payload version 2 or lambda function url events, the function may return just the body of the response

I pushed a fix, thank you.

@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch from 19ed75a to 6a02cc6 Compare June 25, 2025 11:40
@florentinl florentinl force-pushed the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch from 6a02cc6 to 095ba6d Compare June 25, 2025 11:49
@florentinl florentinl requested a review from joeyzhao2018 June 25, 2025 11:57
joeyzhao2018
joeyzhao2018 reviewed Jun 25, 2025
View reviewed changes
joeyzhao2018
joeyzhao2018 approved these changes Jun 25, 2025
View reviewed changes
Copy link
Contributor

@joeyzhao2018 joeyzhao2018 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LTGM

joeyzhao2018
joeyzhao2018 reviewed Jun 25, 2025
View reviewed changes
@florentinl florentinl merged commit 555ed5b into main Jun 26, 2025
61 checks passed
@florentinl florentinl deleted the florentin.labelle/APPSEC-57889/enable-asm-for-lambda branch June 26, 2025 07:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joeyzhao2018 joeyzhao2018 joeyzhao2018 approved these changes

@purple4reina purple4reina Awaiting requested review from purple4reina

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@florentinl @joeyzhao2018