Skip to content

Add support for inline GraphQL fragments for AppSec#5916

Merged
y9v merged 2 commits into
masterfrom
appsec-inline-graphql-fragments-support
Jun 19, 2026
Merged

Add support for inline GraphQL fragments for AppSec#5916
y9v merged 2 commits into
masterfrom
appsec-inline-graphql-fragments-support

Conversation

@y9v

@y9v y9v commented Jun 17, 2026

Copy link
Copy Markdown
Member

What does this PR do?
This PR adds support for inline GraphQL fragments for AppSec WAF check.

Motivation:
This is a fix for an issue reported by Codex.

Change log entry
Yes. AppSec: Add detection of attacks inside inline fragments of GraphQL queries.

Additional Notes:
APMSP-3160

How to test the change?
CI and manual testing

@y9v y9v self-assigned this Jun 17, 2026
@y9v
y9v requested review from a team as code owners June 17, 2026 14:46
@dd-octo-sts dd-octo-sts Bot added integrations Involves tracing integrations appsec Application Security monitoring product labels Jun 17, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 510cac7c78

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread lib/datadog/appsec/contrib/graphql/gateway/multiplex.rb Outdated
@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jun 17, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 89.86% (+0.02%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: ee8d9c9 | Docs | Datadog PR Page | Give us feedback!

@pr-commenter

pr-commenter Bot commented Jun 17, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-06-18 15:08:49

Comparing candidate commit ee8d9c9 in PR branch appsec-inline-graphql-fragments-support with baseline commit 925eb55 in branch master.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 47 metrics, 1 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:profiling - Allocations ()

  • 🟩 throughput [+208365.272op/s; +248756.839op/s] or [+6.822%; +8.144%]

@y9v
y9v force-pushed the appsec-inline-graphql-fragments-support branch 2 times, most recently from 030fcb5 to 425d7c9 Compare June 18, 2026 13:10
@y9v
y9v force-pushed the appsec-inline-graphql-fragments-support branch 2 times, most recently from bd41a42 to 76dab28 Compare June 18, 2026 14:07
@y9v
y9v force-pushed the appsec-inline-graphql-fragments-support branch from 76dab28 to ee8d9c9 Compare June 18, 2026 14:43
@y9v
y9v merged commit f5d5c42 into master Jun 19, 2026
585 of 587 checks passed
@y9v
y9v deleted the appsec-inline-graphql-fragments-support branch June 19, 2026 08:13
@dd-octo-sts dd-octo-sts Bot added this to the 2.36.0 milestone Jun 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

appsec Application Security monitoring product integrations Involves tracing integrations

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants