Skip to content

[APPSEC]: fix Lambda not appearing on the Appsec API Security Endpoint Catalog #654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 3, 2025
Merged

[APPSEC]: fix Lambda not appearing on the Appsec API Security Endpoint Catalog #654

merged 1 commit into from
Sep 3, 2025

Conversation

florentinl
Copy link
Contributor

@florentinl florentinl commented Sep 2, 2025
edited
Loading

What does this PR do?

This PR adds the span.kind tag with the value server for all events that represent an HTTP Request. The api security backend expects it to be present and omits endpoints that do not have this tag. (documentation for this attribute can be found here)

Additionally API Security should be enabled by default, there is no need to intentionally disable it for Appsec in lambda.

Motivation

The goal of this PR is to make Lambda services with Appsec API Security enabled show up on the API Security Catalog.

Testing Guidelines

Updated existing tests

Additional Notes

  • This issue also impacts API Security when it is enabled through the extension.

  • As of today, the API Security Endpoint Catalog uses the resource_name to display the endpoint and expects it to be in the format GET /path/to/resource but lambda sets it to the function name instead. This should maybe be solved in the backend and will be done at a later time.

Types of Changes

  • Bug fix
  • New feature
  • Breaking change
  • Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

  • This PR's description is comprehensive
  • This PR contains breaking changes that are documented in the description
  • This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
  • This PR impacts documentation, and it has been updated (or a ticket has been logged)
  • This PR's changes are covered by the automated tests
  • This PR collects user input/sensitive content into Datadog
  • This PR passes the integration tests (ask a Datadog member to run the tests)

@florentinl florentinl force-pushed the florentinl/APPSEC-58777/fix-apisec branch from c342a79 to fe56770 Compare September 2, 2025 13:41
@florentinl florentinl marked this pull request as ready for review September 2, 2025 14:19
@florentinl florentinl requested review from a team as code owners September 2, 2025 14:19
@florentinl florentinl mentioned this pull request Sep 2, 2025
Draft
11 tasks
purple4reina
purple4reina reviewed Sep 2, 2025
View reviewed changes
datadog_lambda/__init__.py
@@ -8,8 +8,6 @@
"DD_APPSEC_ENABLED", "false"
)

if os.environ.get("DD_API_SECURITY_ENABLED") is None:
os.environ["DD_API_SECURITY_ENABLED"] = "False"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@florentinl question: what does the DD_API_SECURITY_ENABLED env var do? What impact will there be from removing this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This env controls the enablement of the API Security feature of Appsec. It extracts the schema of the request and runs additional security rules.
On all tracers, it is enabled by default and discussing it with the security ecosystems team there is no reason to change the default for lambda.

Of course, this feature is a sub feature of Appsec and is automatically disabled when DD_APPSEC_ENABLED is not set to a truthy value (see APIManager enablement in dd-trace-py)

zarirhamza
zarirhamza reviewed Sep 2, 2025
View reviewed changes
datadog_lambda/trigger.py
@@ -288,7 +288,7 @@ def extract_http_tags(event):
"""
Extracts HTTP facet tags from the triggering event
"""
http_tags = {}
http_tags = {"span.kind": "server"}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, I originally made changes to add this tag to all the related synthetic spans but missed it on the actual aws.lambda span. Is there a plan on the roadmap for getting this done in the Node Layer and the Rust extension as well?

Copy link
Contributor Author

@florentinl florentinl Sep 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing formally planned yet. But we are interested in having it across all lambda layers to fix API Security in lambda (already available through the go and now rust extension).
I can look into it, if you want.

@florentinl florentinl merged commit b55e538 into main Sep 3, 2025
68 checks passed
@florentinl florentinl deleted the florentinl/APPSEC-58777/fix-apisec branch September 3, 2025 11:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zarirhamza zarirhamza zarirhamza left review comments

@purple4reina purple4reina purple4reina approved these changes

@lucaspimentel lucaspimentel Awaiting requested review from lucaspimentel

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@florentinl @purple4reina @zarirhamza