Add AppSec Java support for AWS Lambdas #10570

Open
claponcet wants to merge 12 commits into master from clara.poncet/appsec-aws-lambda

@claponcet claponcet commented Feb 11, 2026

What Does This Do

Adds AppSec support for Java AWS Lambda functions. When AppSec is active, Lambda invocation data is now parsed and forwarded to the WAF (Web Application Firewall).

How It Works

On the existing enter() instrumentation, before calling the extension, we call LambdaAppSecHandler which then:

  1. Parses the raw ByteArrayInputStream Lambda event JSON to extract HTTP-relevant data (method, path, headers, query parameters, path parameters, body, client IP/port).
  2. Detects the Lambda trigger type and applies the correct extraction logic for:
    • API Gateway REST (v1)
    • API Gateway HTTP (v2), including the cookies array
    • API Gateway WebSocket
    • Application Load Balancer (single and multi-value headers)
    • Lambda Function URLs
  3. Fires the standard AppSec gateway callbacks in order: requestStarted → requestMethodUriRaw → requestHeader → requestClientSocketAddress → requestHeaderDone → requestPathParams → requestBodyProcessed.
  4. Returns a TagContext carrying the AppSec request context, which is then merged with the span context coming from the Datadog Lambda Extension.

At the end of the invocation, notifyAppSecEnd fires the requestEnded callback so that AppSec data (e.g. attack detections) is written to the span before it is finished and sent to the extension. The extension then reports the security findings on to the inferred span.

Contributor Checklist

Jira ticket: [PROJ-IDENT]

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.
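
Steps 1 and 2 of the description above, as an added example that is not code from this PR: it works on an event already parsed into a `Map`, tells the five trigger types apart by the fields AWS puts in each payload, and reads method, path and client IP with type-checked lookups. The class and method names are hypothetical, the `.lambda-url.` domain check is a heuristic assumed here, and the sample events are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;

public class LambdaTriggerSketch {
  enum Trigger { API_GATEWAY_REST, API_GATEWAY_HTTP, API_GATEWAY_WEBSOCKET, ALB, FUNCTION_URL, UNKNOWN }

  // Event JSON is caller-controlled: look fields up by type instead of casting.
  static Map<?, ?> obj(Map<?, ?> m, String key) {
    Object v = (m == null) ? null : m.get(key);
    return (v instanceof Map) ? (Map<?, ?>) v : null;
  }

  static String str(Map<?, ?> m, String key) {
    Object v = (m == null) ? null : m.get(key);
    return (v instanceof String) ? (String) v : null;
  }

  static Trigger detect(Map<?, ?> event) {
    Map<?, ?> ctx = obj(event, "requestContext");
    if (ctx == null) return Trigger.UNKNOWN;
    if (obj(ctx, "elb") != null) return Trigger.ALB;
    if (str(ctx, "connectionId") != null) return Trigger.API_GATEWAY_WEBSOCKET;
    if ("2.0".equals(str(event, "version")) && obj(ctx, "http") != null) {
      // Function URLs reuse the v2 payload; only the domain tells them apart.
      String domain = str(ctx, "domainName");
      boolean fnUrl = domain != null && domain.contains(".lambda-url.");
      return fnUrl ? Trigger.FUNCTION_URL : Trigger.API_GATEWAY_HTTP;
    }
    if (str(event, "httpMethod") != null && str(ctx, "stage") != null) {
      return Trigger.API_GATEWAY_REST;
    }
    return Trigger.UNKNOWN;
  }

  /** Returns {method, path, clientIp}; any element may be null. */
  static String[] requestLine(Map<?, ?> event, Trigger t) {
    Map<?, ?> ctx = obj(event, "requestContext");
    String identityIp = str(obj(ctx, "identity"), "sourceIp");
    switch (t) {
      case API_GATEWAY_HTTP:
      case FUNCTION_URL:
        Map<?, ?> http = obj(ctx, "http");
        return new String[] {str(http, "method"), str(event, "rawPath"), str(http, "sourceIp")};
      case API_GATEWAY_REST:
        return new String[] {str(event, "httpMethod"), str(event, "path"), identityIp};
      case API_GATEWAY_WEBSOCKET:
        // No HTTP method or path on a WebSocket frame; routeKey stands in for the path.
        return new String[] {null, str(ctx, "routeKey"), identityIp};
      case ALB:
        // ALB events have no source-address field; the client is only in X-Forwarded-For.
        return new String[] {str(event, "httpMethod"), str(event, "path"), null};
      default:
        return new String[] {null, null, null};
    }
  }

  public static void main(String[] args) {
    // Constructed sample events, trimmed to the fields read above.
    Map<String, Object> rest = Map.of("httpMethod", "GET", "path", "/users/42",
        "requestContext", Map.of("stage", "prod", "identity", Map.of("sourceIp", "203.0.113.1")));
    Map<String, Object> httpV2 = Map.of("version", "2.0", "rawPath", "/orders",
        "requestContext", Map.of("domainName", "api-id.execute-api.us-east-1.amazonaws.com",
            "http", Map.of("method", "POST", "sourceIp", "203.0.113.2")));
    Map<String, Object> fnUrl = Map.of("version", "2.0", "rawPath", "/",
        "requestContext", Map.of("domainName", "url-id.lambda-url.us-east-1.on.aws",
            "http", Map.of("method", "GET", "sourceIp", "203.0.113.3")));
    Map<String, Object> ws = Map.of("requestContext", Map.of("connectionId", "conn-1",
        "routeKey", "$connect", "identity", Map.of("sourceIp", "203.0.113.4")));
    Map<String, Object> alb = Map.of("httpMethod", "GET", "path", "/health",
        "requestContext", Map.of("elb", Map.of("targetGroupArn", "arn:example")));
    // httpMethod is a number here: a blind (String) cast would throw ClassCastException.
    Map<String, Object> malformed = Map.of("httpMethod", 7, "path", "/x",
        "requestContext", Map.of("stage", "prod"));
    for (Map<String, Object> e : List.of(rest, httpV2, fnUrl, ws, alb, malformed)) {
      Trigger t = detect(e);
      System.out.println(t + " " + Arrays.toString(requestLine(e, t)));
    }
  }
}
```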


pr-commenter bot commented Feb 11, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master clara.poncet/appsec-aws-lambda
git_commit_date 1775805567 1775828735
git_commit_sha 6564199 008a521
release_version 1.62.0-SNAPSHOT~6564199418 1.62.0-SNAPSHOT~008a52107a
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1775830530 1775830530
ci_job_id 1585434179 1585434179
ci_pipeline_id 107098649 107098649
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-xiyhvhom 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-xiyhvhom 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for petclinic
[Chart: petclinic - global startup overhead, candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: tracing, appsec, iast, profiling]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.059 s -
Agent appsec 1.251 s 191.423 ms (18.1%)
Agent iast 1.224 s 164.728 ms (15.6%)
Agent profiling 1.185 s 125.451 ms (11.8%)
Total tracing 10.985 s -
Total appsec 11.121 s 135.962 ms (1.2%)
Total iast 11.267 s 281.78 ms (2.6%)
Total profiling 11.061 s 76.214 ms (0.7%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.054 s -
Agent appsec 1.248 s 194.391 ms (18.4%)
Agent iast 1.223 s 168.956 ms (16.0%)
Agent profiling 1.197 s 143.587 ms (13.6%)
Total tracing 11.021 s -
Total appsec 11.123 s 102.433 ms (0.9%)
Total iast 11.29 s 269.469 ms (2.4%)
Total profiling 11.168 s 146.935 ms (1.3%)
[Chart: petclinic - break down per module, candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: tracing, appsec, iast, profiling]
Startup time reports for insecure-bank
[Chart: insecure-bank - global startup overhead, candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: tracing, iast]
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent iast 1.23 s 169.386 ms (16.0%)
Total tracing 8.917 s -
Total iast 9.558 s 640.684 ms (7.2%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.06 s -
Agent iast 1.23 s 169.62 ms (16.0%)
Total tracing 8.825 s -
Total iast 9.552 s 727.09 ms (8.2%)
[Chart: insecure-bank - break down per module, candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: tracing, iast]

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master clara.poncet/appsec-aws-lambda
git_commit_date 1775805567 1775828735
git_commit_sha 6564199 008a521
release_version 1.62.0-SNAPSHOT~6564199418 1.62.0-SNAPSHOT~008a52107a
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1775831011 1775831011
ci_job_id 1585434181 1585434181
ci_pipeline_id 107098649 107098649
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-t6j8ce2f 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-t6j8ce2f 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 2 performance regressions! Performance is the same for 15 metrics, 18 unstable metrics.

scenario:load:insecure-bank:iast:high_load
  Δ mean agg_http_req_duration_p50: worse, [+91.182µs; +190.880µs] or [+3.603%; +7.542%]
  Δ mean agg_http_req_duration_p95: unstable, [+264.930µs; +1093.675µs] or [+3.611%; +14.907%]
  Δ mean throughput: unstable, [-231.857op/s; +68.732op/s] or [-16.460%; +4.879%]
  candidate mean: agg_http_req_duration_p50 2.672ms, agg_http_req_duration_p95 8.016ms, throughput 1327.031op/s
  baseline mean: agg_http_req_duration_p50 2.531ms, agg_http_req_duration_p95 7.336ms, throughput 1408.594op/s
scenario:load:insecure-bank:iast_GLOBAL:high_load
  Δ mean agg_http_req_duration_p50: better, [-176.689µs; -63.235µs] or [-6.145%; -2.199%]
  Δ mean agg_http_req_duration_p95: unsure, [-428.595µs; -25.751µs] or [-5.328%; -0.320%]
  Δ mean throughput: unstable, [-78.201op/s; +182.826op/s] or [-6.231%; +14.566%]
  candidate mean: agg_http_req_duration_p50 2.756ms, agg_http_req_duration_p95 7.816ms, throughput 1307.438op/s
  baseline mean: agg_http_req_duration_p50 2.876ms, agg_http_req_duration_p95 8.044ms, throughput 1255.125op/s
scenario:load:petclinic:code_origins:high_load
  Δ mean agg_http_req_duration_p50: worse, [+0.644ms; +1.443ms] or [+3.719%; +8.330%]
  Δ mean agg_http_req_duration_p95: unsure, [+0.492ms; +2.160ms] or [+1.722%; +7.563%]
  Δ mean throughput: unstable, [-39.281op/s; +10.968op/s] or [-14.884%; +4.156%]
  candidate mean: agg_http_req_duration_p50 18.363ms, agg_http_req_duration_p95 29.888ms, throughput 249.750op/s
  baseline mean: agg_http_req_duration_p50 17.320ms, agg_http_req_duration_p95 28.562ms, throughput 263.906op/s
Request duration reports for petclinic
[Chart: petclinic - request duration [CI 0.99], candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.081 ms [17.898 ms, 18.265 ms] -
appsec 18.631 ms [18.447 ms, 18.815 ms] 550.069 µs (3.0%)
code_origins 17.676 ms [17.5 ms, 17.851 ms] -405.429 µs (-2.2%)
iast 17.866 ms [17.691 ms, 18.041 ms] -215.251 µs (-1.2%)
profiling 18.161 ms [17.983 ms, 18.34 ms] 80.252 µs (0.4%)
tracing 17.734 ms [17.563 ms, 17.906 ms] -346.787 µs (-1.9%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.186 ms [18.008 ms, 18.364 ms] -
appsec 18.805 ms [18.613 ms, 18.997 ms] 618.551 µs (3.4%)
code_origins 18.684 ms [18.495 ms, 18.873 ms] 497.67 µs (2.7%)
iast 18.061 ms [17.886 ms, 18.236 ms] -125.349 µs (-0.7%)
profiling 18.303 ms [18.119 ms, 18.487 ms] 116.629 µs (0.6%)
tracing 18.251 ms [18.068 ms, 18.435 ms] 65.211 µs (0.4%)
Request duration reports for insecure-bank
[Chart: insecure-bank - request duration [CI 0.99], candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: baseline, candidate]
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.238 ms [1.226 ms, 1.25 ms] -
iast 3.247 ms [3.201 ms, 3.294 ms] 2.009 ms (162.3%)
iast_FULL 6.094 ms [6.032 ms, 6.157 ms] 4.856 ms (392.3%)
iast_GLOBAL 3.655 ms [3.59 ms, 3.721 ms] 2.417 ms (195.3%)
profiling 2.329 ms [2.306 ms, 2.352 ms] 1.091 ms (88.1%)
tracing 1.844 ms [1.83 ms, 1.859 ms] 606.359 µs (49.0%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.23 ms [1.218 ms, 1.242 ms] -
iast 3.452 ms [3.398 ms, 3.507 ms] 2.222 ms (180.7%)
iast_FULL 5.974 ms [5.913 ms, 6.035 ms] 4.744 ms (385.7%)
iast_GLOBAL 3.504 ms [3.455 ms, 3.554 ms] 2.274 ms (184.9%)
profiling 2.259 ms [2.235 ms, 2.282 ms] 1.029 ms (83.6%)
tracing 1.877 ms [1.861 ms, 1.892 ms] 646.563 µs (52.6%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master clara.poncet/appsec-aws-lambda
git_commit_date 1775805567 1775828735
git_commit_sha 6564199 008a521
release_version 1.62.0-SNAPSHOT~6564199418 1.62.0-SNAPSHOT~008a52107a
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1775830759 1775830759
ci_job_id 1585434182 1585434182
ci_pipeline_id 107098649 107098649
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-2-epe38n5t 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-2-epe38n5t 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 10 metrics, 2 unstable metrics.

Execution time for biojava
[Chart: biojava - execution time [CI 0.99], candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.566 s [15.566 s, 15.566 s] -
appsec 14.747 s [14.747 s, 14.747 s] -819.0 ms (-5.3%)
iast 17.985 s [17.985 s, 17.985 s] 2.419 s (15.5%)
iast_GLOBAL 18.084 s [18.084 s, 18.084 s] 2.518 s (16.2%)
profiling 15.225 s [15.225 s, 15.225 s] -341.0 ms (-2.2%)
tracing 15.081 s [15.081 s, 15.081 s] -485.0 ms (-3.1%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.541 s [15.541 s, 15.541 s] -
appsec 14.725 s [14.725 s, 14.725 s] -816.0 ms (-5.3%)
iast 18.444 s [18.444 s, 18.444 s] 2.903 s (18.7%)
iast_GLOBAL 17.842 s [17.842 s, 17.842 s] 2.301 s (14.8%)
profiling 15.034 s [15.034 s, 15.034 s] -507.0 ms (-3.3%)
tracing 14.972 s [14.972 s, 14.972 s] -569.0 ms (-3.7%)
Execution time for tomcat
[Chart: tomcat - execution time [CI 0.99], candidate=1.62.0-SNAPSHOT~008a52107a, baseline=1.62.0-SNAPSHOT~6564199418; sections: baseline, candidate]
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.481 ms [1.47 ms, 1.493 ms] -
appsec 3.78 ms [3.56 ms, 4.001 ms] 2.299 ms (155.2%)
iast 2.266 ms [2.197 ms, 2.336 ms] 785.139 µs (53.0%)
iast_GLOBAL 2.311 ms [2.241 ms, 2.381 ms] 829.935 µs (56.0%)
profiling 2.105 ms [2.05 ms, 2.16 ms] 623.99 µs (42.1%)
tracing 2.076 ms [2.022 ms, 2.129 ms] 594.447 µs (40.1%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.483 ms [1.471 ms, 1.494 ms] -
appsec 3.834 ms [3.613 ms, 4.055 ms] 2.351 ms (158.6%)
iast 2.264 ms [2.196 ms, 2.333 ms] 781.809 µs (52.7%)
iast_GLOBAL 2.311 ms [2.242 ms, 2.38 ms] 828.48 µs (55.9%)
profiling 2.511 ms [2.347 ms, 2.675 ms] 1.028 ms (69.3%)
tracing 2.072 ms [2.018 ms, 2.125 ms] 589.011 µs (39.7%)

@claponcet claponcet force-pushed the clara.poncet/appsec-aws-lambda branch from 305fba2 to e92444d Compare March 23, 2026 16:00
@claponcet claponcet force-pushed the clara.poncet/appsec-aws-lambda branch from d2b5bdb to 0e04913 Compare March 27, 2026 16:20
@claponcet claponcet marked this pull request as ready for review March 30, 2026 11:39
@claponcet claponcet requested review from a team as code owners March 30, 2026 11:39
@claponcet claponcet requested review from jandro996, manuel-alvarez-alvarez and mtoffl01 and removed request for a team March 30, 2026 11:39

github-actions bot commented Mar 30, 2026

⚠️ New Groovy Test Files Added

The following files add Groovy tests to modules that are candidates for migration to Java / JUnit 5:

  • dd-trace-core/src/test/groovy/datadog/trace/lambda/LambdaAppSecHandlerTest.groovy (module: dd-trace-core)

Consider writing these tests in Java / JUnit 5 instead to help with the ongoing migration effort.


github-actions bot commented Mar 30, 2026

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

  • Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

@manuel-alvarez-alvarez manuel-alvarez-alvarez added the comp: asm waf Application Security Management (WAF) label Mar 30, 2026
@claponcet claponcet added the type: enhancement Enhancements and improvements label Mar 30, 2026
Member

I’m not fully convinced the log levels are right. I’m seeing quite a few warnings and even some errors. Are we sure this is what we want? Do we use similar levels in APM?

Author

I've downgraded everything to debug to be coherent with the rest of the repo

final Map<String, List<String>> queryParameters;
final Object body;

LambdaEventData(

Member

What do you think about overloading the constructor? It looks like it’s being used multiple times with at least four nulls

Member

Even better, if we only use the call with nulls for errors or empty appsec events, add a

static final LambdaEventData EMPTY = new LambdaEventData(
          Collections.emptyMap(), null, null, null, null,
          LambdaTriggerType.UNKNOWN,
          Collections.emptyMap(), Collections.emptyMap(), null);

and then return LambdaEventData.EMPTY;

with this approach you can do something like:

LambdaEventData eventData = extractEventData((ByteArrayInputStream) event);
  if (eventData == LambdaEventData.EMPTY) {
      return null;
  }
  return processAppSecRequestData(eventData);

What do you think?

return null;
}

if (!(event instanceof ByteArrayInputStream)) {

Member

I assume APM only works with ByteArrayInputStream. Is that documented anywhere? We can silence it by setting the log level to debug, which feels fine as long as that limitation is clearly documented for clients.

Author

LambdaHandlerInstrumentation comment states:

// lambda under the hood converts all handlers to streaming handlers via
// lambdainternal.EventHandlerLoader$PojoHandlerAsStreamHandler.handleRequest
// full spec here : https://docs.aws.amazon.com/lambda/latest/dg/java-handler.html

and the LambdaHandler already assumes the InputStream can only be a ByteArrayInputStream

@claponcet claponcet force-pushed the clara.poncet/appsec-aws-lambda branch from 315aa55 to 240b5ab Compare April 10, 2026 08:26

String method = (String) event.get("httpMethod");
String path = (String) event.get("path");
String sourceIp = headers.get("x-forwarded-for");
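
Review bot: the unchecked `(String)` casts on `event.get("httpMethod")` and `event.get("path")` throw ClassCastException when the event JSON carries a non-string value in either field, and a Lambda can be invoked with arbitrary JSON. Check `instanceof String` and fall back to null, so that a malformed event is skipped rather than raising from the AppSec parsing path.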

Member

@jandro996 jandro996 Apr 10, 2026

If I recall correctly, X-Forwarded-For can be "203.0.113.1, 10.0.0.1, 172.16.0.1" for proxy chains. Only the first entry is the real client IP, right? Can you check this?

Maybe String sourceIp = xff != null ? xff.split(",")[0].trim() : null; is enough in that case


@Override
public int port() {
return 443;

Member

Just out of curiosity, are we hardcoding the port and scheme? Is that expected?

WAF rules that check the scheme or port could produce incorrect results if requests come in through a different port or scheme and we override them.

Author

Some trigger types are enforced with https/443 but not all of them; I've changed it to retrieve the value from the headers or default to https/443.
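
The two review threads above (client IP from X-Forwarded-For, and scheme/port read from headers with an https/443 default), as an added example that is not code from this PR. It assumes lower-cased header keys and that the headers in question are `x-forwarded-proto` and `x-forwarded-port`, which the page does not name; the class and method names are hypothetical and the header values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class ForwardedHeaderSketch {
  /** Trimmed, non-empty hops in header order: client-supplied on the left, proxy-appended on the right. */
  static List<String> hops(String xff) {
    List<String> out = new ArrayList<>();
    if (xff == null) return out;
    for (String part : xff.split(",")) {
      String hop = part.trim();
      if (!hop.isEmpty()) out.add(hop);
    }
    return out;
  }

  /** First entry. Unlike split(",")[0], this cannot throw when the header value is just ",". */
  static String leftmost(String xff) {
    List<String> h = hops(xff);
    return h.isEmpty() ? null : h.get(0);
  }

  /**
   * Entry found after skipping trustedProxies hops from the right. Entries further left
   * than the ones your own proxies appended are whatever the client chose to send.
   */
  static String fromRight(String xff, int trustedProxies) {
    List<String> h = hops(xff);
    int idx = h.size() - 1 - trustedProxies;
    return idx >= 0 ? h.get(idx) : null;
  }

  /** Scheme from the header when it is http or https, otherwise the https default. */
  static String scheme(Map<String, String> headers) {
    String proto = headers.get("x-forwarded-proto");
    if (proto != null) {
      proto = proto.trim().toLowerCase(Locale.ROOT);
      if (proto.equals("http") || proto.equals("https")) return proto;
    }
    return "https";
  }

  /** Port from the header when it is a valid TCP port, otherwise the 443 default. */
  static int port(Map<String, String> headers) {
    String raw = headers.get("x-forwarded-port");
    if (raw != null) {
      try {
        int p = Integer.parseInt(raw.trim());
        if (p >= 1 && p <= 65535) return p;
      } catch (NumberFormatException ignored) {
        // fall through to the default
      }
    }
    return 443;
  }

  public static void main(String[] args) {
    // Constructed headers; the X-Forwarded-For value is the chain quoted in the review.
    Map<String, String> chain = Map.of(
        "x-forwarded-for", "203.0.113.1, 10.0.0.1, 172.16.0.1",
        "x-forwarded-proto", "http",
        "x-forwarded-port", "80");
    String xff = chain.get("x-forwarded-for");
    System.out.println(leftmost(xff) + " / " + fromRight(xff, 2));
    System.out.println(scheme(chain) + ":" + port(chain));

    // The client pre-filled the header; the load balancer appended the peer it saw.
    String prefilled = "198.51.100.77, 203.0.113.9";
    System.out.println(leftmost(prefilled) + " vs " + fromRight(prefilled, 0));

    // Degenerate values: no exception, and defaults apply for missing or invalid headers.
    System.out.println(leftmost(",") + " " + leftmost(null));
    Map<String, String> bad = Map.of("x-forwarded-port", "99999");
    System.out.println(scheme(bad) + ":" + port(bad));
  }
}
```

For WAF input and logging, prefer a source address the platform supplies in `requestContext` when the trigger type has one, and use the header only where it is the sole source.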
