Skip to content

feat(appsec): collect security-testing headers on HTTP entry spans#3925

Open
christophe-papazian wants to merge 7 commits into
masterfrom
christophe-papazian/security-testing-headers
Open

feat(appsec): collect security-testing headers on HTTP entry spans#3925
christophe-papazian wants to merge 7 commits into
masterfrom
christophe-papazian/security-testing-headers

Conversation

@christophe-papazian
Copy link
Copy Markdown
Collaborator

@christophe-papazian christophe-papazian commented May 27, 2026

APPSEC-67550

Unconditionally collect x-datadog-endpoint-scan and x-datadog-security-test HTTP request headers as http.request.headers.* span tags on the service entry span, independent of DD_TRACE_HEADER_TAGS and AppSec enablement. Also forwarded to the inferred proxy span.

Covers all PHP SAPIs (Apache/fpm, CLI, FrankenPHP, RoadRunner) via the C extension and Swoole via its PHP integration.

RFC: Security Testing: Trace Attribution for Inventory Enrichment and Pollution Prevention

Test plan

  • tests/ext/root_span_security_testing_headers.phpt — headers captured, independent of DD_TRACE_HEADER_TAGS
  • tests/ext/root_span_security_testing_headers_absent.phpt — tags absent when headers not sent
  • tests/ext/inferred_proxy/security_headers_forwarded.phpt — both spans carry the tags
  • tests/Integrations/Swoole/SecurityTestingHeadersTest.php — Swoole path: present + absent

@datadog-prod-us1-3
Copy link
Copy Markdown

datadog-prod-us1-3 Bot commented May 27, 2026
edited by datadog-prod-us1-5 Bot
Loading

Pipelines  Tests

Fix all issues with BitsAI

⚠️ Warnings

🚦 1070 Pipeline jobs failed

DataDog/apm-reliability/dd-trace-php | ASAN test_c: [8.1, arm64]   View in Datadog   GitLab

See error Assertion error in zend_hash.c:828: order-dependent issue identified. Possible circular reference.

🧪 7 Tests failed

tmp/build_extension/tests/ext/active_span.phpt (DDTrace\active_span basic functionality) from php.tmp.build_extension.tests.ext   View in Datadog (Fix with Cursor) 
Termsig=6
tmp/build_extension/tests/ext/add_global_tag_on_userland_and_internal_spans.phpt (DDTrace\add_global_tag() on all sorts of spans) from php.tmp.build_extension.tests.ext   View in Datadog (Fix with Cursor) 
001+ php: /usr/local/src/php/Zend/zend_hash.c:828: zval *_zend_hash_str_add_or_update_i(HashTable *, const char *, size_t, zend_ulong, zval *, uint32_t): Assertion \`(zend_gc_refcount(&(ht)->gc) == 1) || ((ht)->u.flags & (1<<6))' failed.
002+ Aborted
003+ 
004+ Termsig=6
001- HOOK METHOD arg
002- array(2) {
003-   [0]=>
004-   array(10) {
005-     ["trace_id"]=>
006-     string(%d) "%d"
...
View all 7 test failures

DataDog/apm-reliability/dd-trace-php | appsec integration tests (helper-rust): [test8.3-debug]   View in Datadog   GitLab

See error Failed to execute command in container: container must be running or not stopped. Several tests failed due to this issue.

🧪 10 Tests failed

initializationError from com.datadog.appsec.php.integration.Apache2FpmTests   View in Datadog (Fix with Cursor) 
com.github.dockerjava.api.exception.ConflictException: Status 409: {"message":"container b8a19a1019e24b51f92f1889cc26d21f9876fd4f438f477781f7377c3a250fcd is not running"}

com.github.dockerjava.api.exception.ConflictException: Status 409: {"message":"container b8a19a1019e24b51f92f1889cc26d21f9876fd4f438f477781f7377c3a250fcd is not running"}

	at app//org.testcontainers.shaded.com.github.dockerjava.core.DefaultInvocationBuilder.execute(DefaultInvocationBuilder.java:245)
	at app//org.testcontainers.shaded.com.github.dockerjava.core.DefaultInvocationBuilder.post(DefaultInvocationBuilder.java:124)
	at app//org.testcontainers.shaded.com.github.dockerjava.core.exec.ExecCreateCmdExec.execute(ExecCreateCmdExec.java:30)
	at app//org.testcontainers.shaded.com.github.dockerjava.core.exec.ExecCreateCmdExec.execute(ExecCreateCmdExec.java:13)
	at app//org.testcontainers.shaded.com.github.dockerjava.core.exec.AbstrSyncDockerCmdExec.exec(AbstrSyncDockerCmdExec.java:21)
	at app//org.testcontainers.shaded.com.github.dockerjava.core.command.AbstrDockerCmd.exec(AbstrDockerCmd.java:33)
...
initializationError from com.datadog.appsec.php.integration.LlmEventsTests   View in Datadog (Fix with Cursor) 
java.lang.RuntimeException: Failed to execute command /bin/bash -c 
            if [[ -f /var/www/initialize.sh ]]; then
                /var/www/initialize.sh
            fi

java.lang.RuntimeException: Failed to execute command /bin/bash -c 
            if [[ -f /var/www/initialize.sh ]]; then
                /var/www/initialize.sh
            fi
        
...
View all 10 test failures

DataDog/apm-reliability/dd-trace-php | appsec integration tests: [test7.0-release-zts]   View in Datadog   GitLab

See error 44 tests failed due to HTTP/1.1 header parser receiving no bytes and multiple segmentation faults in the test containers.

🧪 1 Test failed

executionError from com.datadog.appsec.php.integration.Apache2ModTests   View in Datadog (Fix with Cursor) 
java.lang.AssertionError: Process crash(es) detected in container during test run (1 crash(es)):
Core dump: /tmp/cores/core.php.147.1780499128

java.lang.AssertionError: Process crash(es) detected in container during test run (1 crash(es)):
Core dump: /tmp/cores/core.php.147.1780499128
	at com.datadog.appsec.php.docker.AppSecContainer.close(AppSecContainer.groovy:383)
	at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache(IndyInterface.java:321)
	at com.datadog.appsec.php.test.StopContainerExtension.afterAll(StopContainerExtension.groovy:15)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)

View all 1070 failed jobs.

🧪 2 Tests failed

    tmp/build_extension/tests/C2PHP/get_context_distributed_tracing_test.phpt (Distributed tracing context with an origin) from php.tmp.build_extension.tests.C2PHP (Fix with Cursor)

    tmp/build_extension/tests/C2PHP/get_context_distributed_tracing_test.phpt (Distributed tracing context with an origin) from PHP.tmp.build_extension.tests.C2PHP (Fix with Cursor)

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

🔄 Datadog auto-retried 18 jobs - 0 passed on retry View in Datadog

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 90d1460 | Docs | Datadog PR Page | Give us feedback!

@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented May 27, 2026
edited
Loading

Benchmarks [ tracer ]

Benchmark execution time: 2026-06-03 10:21:30

Comparing candidate commit 7f3ca82 in PR branch christophe-papazian/security-testing-headers with baseline commit b6c8525 in branch master.

Found 1 performance improvements and 1 performance regressions! Performance is the same for 191 metrics, 1 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:MessagePackSerializationBench/benchMessagePackSerialization-opcache

  • 🟩 execution_time [-5.778µs; -3.242µs] or [-5.321%; -2.986%]

scenario:SamplingRuleMatchingBench/benchRegexMatching4

  • 🟥 execution_time [+65.488ns; +138.912ns] or [+4.503%; +9.552%]

estringana
estringana reviewed May 28, 2026
View reviewed changes
Comment thread CHANGELOG.md Outdated
estringana
estringana reviewed May 28, 2026
View reviewed changes
Comment thread tests/ext/root_span_security_testing_headers.phpt Outdated
estringana
estringana reviewed May 28, 2026
View reviewed changes
Comment thread tracer/serializer.c Outdated
estringana
estringana reviewed May 28, 2026
View reviewed changes
Comment thread ext/serializer.c Outdated
@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented May 28, 2026
edited
Loading

Benchmarks [ appsec ]

Benchmark execution time: 2026-05-29 14:34:32

Comparing candidate commit abd3a53 in PR branch christophe-papazian/security-testing-headers with baseline commit 095538e in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

@christophe-papazian christophe-papazian force-pushed the christophe-papazian/security-testing-headers branch from 374fb58 to abd3a53 Compare May 29, 2026 13:53
estringana
estringana reviewed Jun 1, 2026
View reviewed changes
Comment thread appsec/src/extension/tags.c Outdated
cataphract
cataphract reviewed Jun 1, 2026
View reviewed changes
Comment thread ext/serializer.c Outdated
Comment thread tracer/serializer.c
Comment thread tracer/serializer.c Outdated
@estringana
Copy link
Copy Markdown
Contributor

estringana commented Jun 1, 2026

LGTM. @bwoebi do you mind to review it as well?

@christophe-papazian christophe-papazian marked this pull request as ready for review June 1, 2026 13:49
@christophe-papazian christophe-papazian requested review from a team as code owners June 1, 2026 13:49
@christophe-papazian christophe-papazian requested review from tabgok and removed request for a team June 1, 2026 13:49
christophe-papazian and others added 6 commits June 3, 2026 11:03
@christophe-papazian @claude
feat(appsec): collect security-testing headers on HTTP entry spans (A…
6881f35 
…PPSEC-62412)

Unconditionally collect x-datadog-endpoint-scan and x-datadog-security-test
HTTP request headers as http.request.headers.* tags on the service entry span,
independent of DD_TRACE_HEADER_TAGS and AppSec enablement. Also forwarded to
the inferred proxy span. Covers all PHP SAPIs (Apache/fpm, CLI, FrankenPHP,
RoadRunner) via the C extension and Swoole via its PHP integration.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@christophe-papazian @claude
Address review: move header collection to tags.c, drop CHANGELOG
213245c 
- Move x-datadog-endpoint-scan and x-datadog-security-test collection
  to appsec/src/extension/tags.c via _relevant_basic_headers, following
  the existing pattern for http.request.headers.* tags
- Remove duplicate logic from ext/serializer.c (keep transfer_meta_data
  calls for inferred proxy span forwarding)
- Replace tracer phpt tests with an AppSec extension test using
  add_all/add_basic_ancillary_tags
- Remove CHANGELOG entry (added at release time)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@christophe-papazian @claude
Address review comments on security-testing headers
798aef9 
- Add DD_TAG_HTTP_REQH_ENDPOINT_SCAN / DD_TAG_HTTP_REQH_SECURITY_TEST
  constants so tag-name strings are not duplicated across the sec_headers
  table and the transfer_meta_data calls
- Add DD_UNCONDITIONAL_SERVER_HEADER macro to reduce verbosity of the
  struct initializer, following reviewer suggestion
- Restore serializer.c collection (unconditional, per RFC) alongside
  tags.c which covers the AppSec-loaded path
- Remove CHANGELOG entry (added at release time per reviewer)
- Remove --GET-- from phpt tests (unnecessary)
- Add AppSec extension test using add_all/add_basic_ancillary_tags
- Update ancillary_tags.phpt canonical test to include the two new headers

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@christophe-papazian @claude
Remove redundant AppSec tags.c collection
4c5519d 
Since the headers are already collected unconditionally by
ext/serializer.c (always loaded), adding them to AppSec's
_relevant_basic_headers is unnecessary. Remove both the
tags.c addition and its dedicated test.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@christophe-papazian @claude
Revert ancillary_tags.phpt to master state
77e7c81 
The x-datadog headers were removed from tags.c _relevant_basic_headers,
so ancillary_tags.phpt no longer expects them in the output.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@christophe-papazian @claude
Fix stale comment in serializer.c
7f3ca82 
Remove reference to appsec/src/extension/tags.c that was reverted.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@christophe-papazian christophe-papazian force-pushed the christophe-papazian/security-testing-headers branch from a99f53e to 7f3ca82 Compare June 3, 2026 09:04
@christophe-papazian @claude
Inject security-testing headers into DD_TRACE_HEADER_TAGS at startup
90d1460 
Instead of two dedicated zend_hash_str_find calls per request, inject
x-datadog-endpoint-scan and x-datadog-security-test into the
DD_TRACE_HEADER_TAGS hash table at module startup. They then ride the
existing HTTP_* header loop in dd_add_header_to_meta with zero extra
per-request overhead, and also scale automatically to any future SAPI
integration that honours DD_TRACE_HEADER_TAGS.

- Remove ddtrace_alter_DD_TRACE_HEADER_TAGS from INI_CHANGE_DYNAMIC_CONFIG
  and implement it manually so it re-injects the headers after any
  runtime config change (ini_set / remote config)
- Remove the sec_headers block and DD_UNCONDITIONAL_SERVER_HEADER macro
  from serializer.c; keep DD_TAG_HTTP_REQH_* constants and the
  transfer_meta_data calls for the inferred proxy span
- Remove the explicit isset checks from SwooleIntegration.php; the
  existing DD_TRACE_HEADER_TAGS loop now covers the Swoole path too

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cataphract cataphract cataphract left review comments

@estringana estringana estringana left review comments

@bwoebi bwoebi bwoebi left review comments

@datadog-official datadog-official[bot] datadog-official[bot] left review comments

@datadog-datadog-prod-us1-2 datadog-datadog-prod-us1-2[bot] datadog-datadog-prod-us1-2[bot] left review comments

@tabgok tabgok Awaiting requested review from tabgok tabgok was automatically assigned from DataDog/apm-idm-php

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@christophe-papazian @estringana @cataphract @bwoebi