[APPSEC-61865] Add AppSec setup for AWS Lambda#144
zarirhamza
left a comment
Nice clean split between this PR (event normalization + gateway push) and the dd-trace-rb side (Contrib::AwsLambda watcher + WAFAddresses). The normalized request schema lines up exactly with what WAFAddresses.from_request consumes — good interface boundary.
Found three bugs in the response-override / cross-invocation state plumbing that are worth fixing before merge. Details inline. Test suite is otherwise strong; just missing a couple of cases that would have caught these.
Initialize AppSec context around each Lambda invocation, push request and response events through the AppSec gateway, and record security events on the aws.lambda span. The extension handles tag propagation to inferred spans. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Normalize raw AWS event payloads into a standard key set before passing to DataContainer and Request. This removes v1/v2 detection from Request and aligns with dd-trace-rb's simplified WAFAddresses that consume standard keys. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Rename add_appsec_tags to tag_and_keep, move from create_context to on_start for visibility
- Pass cold_start flag from listener through to AppSec.on_start instead of tracking @oneshot_tags_sent module state
- Align guard clause with Rack: return unless trace && span
- Improve test quality: inline event values, use receive_messages, remove instance_variable_set for @request, relax unrelated assertions
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix cleanup of AppSec on unsuccessful start
@zarirhamza I've addressed all of your comments and went the extra mile for response normalization (worth it IMHO) instead of a comment.
Before releasing that new version, let me find system-tests I can enable to be sure it's tested there too, and I need to update the documentation in the Ruby tracer too.
Context
This is an implementation of Endpoint Discovery & Correlation from the Inferred Spans RFC.
What this PR does
Adds AppSec integration for AWS Lambda invocations. On each invocation the library:
- initializes the AppSec context around the invocation,
- pushes request and response events through the AppSec gateway,
- records security events on the aws.lambda span.
Inferred spans and AppSec tag propagation to them are handled by the datadog-lambda-extension (propagate_appsec in span_inferrer.rs), so this PR does not create inferred spans or copy tags — it only fills in the AppSec data on the service-entry span.
Layer build changes
Used latest version of the Tracer with corrected AppSec gateway payload keys
Types of changes
Test plan
- bundle exec rubocop — 0 offenses
- bundle exec rake test — 134 examples, 0 failures
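The commits above describe normalizing raw API Gateway v1/v2 events into one standard key set before the AppSec request matching sees them. The following is an added illustration of that idea, not code from this PR or from datadog-lambda-rb: the output key names (method, path, headers, query, body) and the two sample events are assumptions constructed here.

```ruby
require 'uri'

# Constructed sample events (not captured from a real deployment).
API_GW_V1_EVENT = {
  'httpMethod' => 'POST',
  'path' => '/orders',
  'headers' => { 'Content-Type' => 'application/json', 'X-Forwarded-For' => '203.0.113.9' },
  'queryStringParameters' => { 'id' => '42' },
  'body' => '{"sku":"abc"}',
  'isBase64Encoded' => false
}.freeze

API_GW_V2_EVENT = {
  'version' => '2.0',
  'rawPath' => '/orders',
  'rawQueryString' => 'id=42&tag=a&tag=b',
  'headers' => { 'content-type' => 'application/json', 'x-forwarded-for' => '203.0.113.9' },
  'requestContext' => { 'http' => { 'method' => 'POST' } },
  'body' => ['{"sku":"abc"}'].pack('m0'), # base64, as API Gateway delivers binary bodies
  'isBase64Encoded' => true
}.freeze

# Returns one fixed key set for both event formats (key names are assumed here),
# so the downstream request matcher never needs v1/v2 detection of its own.
def normalize_event(event)
  v2 = event['version'] == '2.0'

  # Bodies may arrive base64-encoded in either format; decode before inspection
  # so encoded payloads are not silently skipped by the matcher.
  body = event['body'].to_s
  body = body.unpack1('m0') if event['isBase64Encoded']

  # Query values are always arrays: v2 raw strings can repeat a key, and v1
  # may carry multiValueQueryStringParameters; collapsing to one value would
  # hide repeated parameters from inspection.
  query = if v2
            URI.decode_www_form(event['rawQueryString'].to_s)
               .each_with_object({}) { |(k, v), h| (h[k] ||= []) << v }
          else
            event['multiValueQueryStringParameters'] ||
              (event['queryStringParameters'] || {}).transform_values { |v| [v] }
          end

  {
    method: v2 ? event.dig('requestContext', 'http', 'method') : event['httpMethod'],
    path: v2 ? event['rawPath'] : event['path'],
    # v1 preserves the caller's header casing, v2 lower-cases it; normalize so
    # header-based rules match identically in both formats.
    headers: (event['headers'] || {}).transform_keys(&:downcase),
    query: query,
    body: body
  }
end
```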