appsec

package
v1.14.0 Latest
Warning

This package is not in the latest version of its module.

Published: Aug 18, 2025 License: Apache-2.0 Imports: 11 Imported by: 1

Documentation

Constants

const (
	// EnvAPISecEnabled is the env var used to enable API Security
	EnvAPISecEnabled = "DD_API_SECURITY_ENABLED"
	// EnvAPISecSampleRate is the env var used to set the sampling rate of API Security schema extraction.
	// Deprecated: a new [APISecConfig.Sampler] is now used instead of this.
	EnvAPISecSampleRate = "DD_API_SECURITY_REQUEST_SAMPLE_RATE"
	// EnvAPISecProxySampleRate is the env var used to set the sampling rate of API Security schema extraction for proxies.
	// The value represents the number of schemas extracted per minute (samples per minute).
	EnvAPISecProxySampleRate = "DD_API_SECURITY_PROXY_SAMPLE_RATE"
	// EnvObfuscatorKey is the env var used to provide the WAF key obfuscation regexp
	EnvObfuscatorKey = "DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP"
	// EnvObfuscatorValue is the env var used to provide the WAF value obfuscation regexp
	EnvObfuscatorValue = "DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP"
	// EnvWAFTimeout is the env var used to specify the timeout value for a WAF run
	EnvWAFTimeout = "DD_APPSEC_WAF_TIMEOUT"
	// EnvTraceRateLimit is the env var used to set the ASM trace limiting rate
	EnvTraceRateLimit = "DD_APPSEC_TRACE_RATE_LIMIT"
	// EnvRules is the env var used to provide a path to a local security rule file
	EnvRules = "DD_APPSEC_RULES"
	// EnvRASPEnabled is the env var used to enable/disable RASP functionalities for ASM
	EnvRASPEnabled = "DD_APPSEC_RASP_ENABLED"
)

Configuration environment variables

const (
	// DefaultAPISecSampleRate is the default rate at which API Security schemas are extracted from requests
	DefaultAPISecSampleRate = .1
	// DefaultAPISecSampleInterval is the default interval between two samples being taken.
	DefaultAPISecSampleInterval = 30 * time.Second
	// DefaultAPISecProxySampleRate is the default rate (schemas per minute) at which API Security schemas are extracted from requests
	DefaultAPISecProxySampleRate = 300
	// DefaultAPISecProxySampleInterval is the default time window for the API Security proxy sampler rate limiter.
	DefaultAPISecProxySampleInterval = time.Minute
	// DefaultObfuscatorKeyRegex is the default regexp used to obfuscate keys
	DefaultObfuscatorKeyRegex = `` /* 190-byte string literal not displayed */
	// DefaultObfuscatorValueRegex is the default regexp used to obfuscate values
	DefaultObfuscatorValueRegex = `` /* 578-byte string literal not displayed */
	// DefaultWAFTimeout is the default time limit past which a WAF run will timeout
	DefaultWAFTimeout = time.Millisecond
	// DefaultTraceRate is the default limit (trace/sec) past which ASM traces are sampled out
	DefaultTraceRate uint = 100 // up to 100 appsec traces/s
)

Configuration constants and default values

Variables

var (

	// StaticRecommendedRules holds the recommended AppSec security rules (v1.15.1)
	// Source: https://github.com/DataDog/appsec-event-rules/blob/1.15.1/build/recommended.json
	StaticRecommendedRules = unsafe.String(&staticRecommendedRules[0], len(staticRecommendedRules))
)

Functions

func DefaultRuleset added in v1.0.2

func DefaultRuleset() ([]byte, error)

DefaultRuleset returns the marshaled default recommended security rules for AppSec.

func DefaultRulesetMap added in v1.2.0

func DefaultRulesetMap() (map[string]any, error)

DefaultRulesetMap returns the unmarshaled default recommended security rules for AppSec.

func RASPEnabled added in v1.6.0

func RASPEnabled() bool

RASPEnabled returns true if RASP functionalities are enabled through the env, or if DD_APPSEC_RASP_ENABLED is not set.

func RateLimitFromEnv added in v1.1.0

func RateLimitFromEnv() (rate uint)

RateLimitFromEnv reads and parses the trace rate limit set through the env. If not set, it defaults to `DefaultTraceRate`.

func RulesFromEnv added in v1.1.0

func RulesFromEnv() ([]byte, error)

RulesFromEnv returns the security rules provided through the environment. If the env var is not set, the default recommended rules are returned instead.

func WAFTimeoutFromEnv added in v1.1.0

func WAFTimeoutFromEnv() (timeout time.Duration)

WAFTimeoutFromEnv reads and parses the WAF timeout value set through the env. If not set, it defaults to `DefaultWAFTimeout`.

Types

type APISecConfig added in v1.1.0

type APISecConfig struct {
	Sampler apisec.Sampler
	Enabled bool
	IsProxy bool
	// Deprecated: use the new [APISecConfig.Sampler] instead.
	SampleRate float64
}

APISecConfig holds the configuration for API Security schemas reporting. It is used to enable/disable the feature.

func NewAPISecConfig added in v1.1.0

func NewAPISecConfig(opts ...APISecOption) APISecConfig

NewAPISecConfig creates and returns a new API Security configuration by reading the env.

type APISecOption added in v1.11.0

type APISecOption func(*APISecConfig)

func WithAPISecSampler added in v1.11.0

func WithAPISecSampler(sampler apisec.Sampler) APISecOption

WithAPISecSampler sets the sampler for the API Security configuration. This is useful for testing purposes.

func WithProxy added in v1.13.0

func WithProxy() APISecOption

WithProxy configures API Security for a proxy environment.

type ObfuscatorConfig added in v1.1.0

type ObfuscatorConfig struct {
	KeyRegex   string
	ValueRegex string
}

ObfuscatorConfig wraps the key and value regexp to be passed to the WAF to perform obfuscation.

func NewObfuscatorConfig added in v1.1.0

func NewObfuscatorConfig() ObfuscatorConfig

NewObfuscatorConfig creates and returns a new WAF obfuscator configuration by reading the env.
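
A pre-deployment check for the environment variables listed under Constants, as an added example that is not code from this package: it flags values that cannot be used as documented, so a broken obfuscation regexp or an unreadable rule file is caught before the service starts. `AuditEnv` is a hypothetical name, and the value formats are assumptions inferred from this page: regexps in Go's `regexp` syntax, a JSON rule file, an unsigned integer matching the `uint` returned by RateLimitFromEnv, and a boolean accepted by `strconv.ParseBool`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// AuditEnv (hypothetical helper) returns one finding per variable whose value
// cannot be used as documented. get has the signature of os.LookupEnv so a
// constructed environment can be checked. Value formats are assumptions.
func AuditEnv(get func(string) (string, bool)) []string {
	var out []string
	report := func(name, why string) { out = append(out, name+": "+why) }
	for _, name := range []string{
		"DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP",
		"DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP",
	} {
		// An empty or broken pattern means redaction may not behave as intended.
		if v, set := get(name); set && v == "" {
			report(name, "set but empty, confirm this is intended")
		} else if _, err := regexp.Compile(v); set && err != nil {
			report(name, "regexp does not compile")
		}
	}
	if v, set := get("DD_APPSEC_RULES"); set {
		var rules map[string]any // assumption: the rule file is a JSON object
		if raw, err := os.ReadFile(v); err != nil {
			report("DD_APPSEC_RULES", "rule file unreadable")
		} else if json.Unmarshal(raw, &rules) != nil {
			report("DD_APPSEC_RULES", "rule file is not a JSON object")
		}
	}
	if v, set := get("DD_APPSEC_TRACE_RATE_LIMIT"); set {
		if _, err := strconv.ParseUint(v, 10, 0); err != nil {
			report("DD_APPSEC_TRACE_RATE_LIMIT", "not an unsigned integer")
		}
	}
	if v, set := get("DD_APPSEC_RASP_ENABLED"); set {
		if _, err := strconv.ParseBool(v); err != nil {
			report("DD_APPSEC_RASP_ENABLED", "not a boolean")
		}
	}
	return out
}

func main() { fmt.Println(AuditEnv(os.LookupEnv)) }
```

Unset variables produce no finding, since the package falls back to its defaults in that case.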
