[APPSEC-62616] Add inferred proxy spans#5681
Conversation
🎉 All green!❄️ No new flaky tests detected 🎯 Code Coverage (details) 🔗 Commit SHA: 0fb0d0d | Docs | Datadog PR Page | Give us feedback! |
BenchmarksBenchmark execution time: 2026-05-12 16:04:25 Comparing candidate commit 0fb0d0d in PR branch Found 0 performance improvements and 0 performance regressions! Performance is the same for 45 metrics, 1 unstable metrics.
|
cbf4f0e to
98704bb
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 98704bb977
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Add tests for: unknown proxy type, absent request timing, partial optional headers, user_agent propagation, quoted region (API Gateway v1), and missing HTTP method fallback. Fix double invocation in apigateway context and strengthen priority test assertions. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Replace AppSec::Ext constant with string literals to avoid module coupling between tracing and appsec layers - Strip single quotes from region header (API Gateway v1 format) - Guard resource construction when HTTP method header is absent - Only pass start_time to trace when present (avoid nil in options) - Restore original comments in request_queuing code path - Mark new proxy constants as @!visibility private Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
All other tracers (Go, .NET, PHP, Python, Java) propagate exceptions to the inferred proxy parent span. Add rescue Exception matching the pattern in Rack::TraceMiddleware so the proxy span carries error tags. Force inferred proxy system-tests in CI via forced-tests-list.cfg. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Respects user-configured http_error_statuses by copying the rack span's status directly rather than re-evaluating the status code. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…1970 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Skip inferred span entirely when x-dd-proxy-request-time-ms is missing or non-numeric instead of defaulting to current time. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Only set trace resource to proxy resource when no framework (Rails, Sinatra) has already claimed it, using resource_override? guard matching Rack::TraceMiddleware behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
…riable Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
adce2c3 to
e11ef3b
Compare
|
System tests require update to the latest SHA. I did an update via workflow |
zarirhamza
left a comment
There was a problem hiding this comment.
From a functionality POV, the PR creates the desired experience for APIGW. Serverless approves!
What does this PR do?
It's adding inferred spans for apps behind the AWS Gateway.
Motivation:
This is missing part for the tracer that comes to from Endpoint Discovery & Correlation from Inferred Spans RFC.
Change log entry
Yes. Add inferred proxy spans for AWS Gateway.
Additional Notes:
How to test the change?
CI + ST