@paulcacheux paulcacheux commented Jan 12, 2026

What does this PR do?

This PR adds a new config flag for the CSPM feature, allowing it to run in system-probe instead of the security-agent. Everything else is the same, and this PR can be reduced to simply applying all the feature work to a variable container (mounts, env vars, annotations, etc.) instead of always the security agent.

The way this is done is similar to:

  • the directSendFromSystemProbe config of the CWS feature
  • the runInCoreAgent feature of the process code

Motivation

We are in the process of deprecating the security agent: the CWS code is going to run fully in the system probe, and the CSPM code is going to migrate to the system-probe. This PR is part of the last point.

Additional Notes

Anything else we should know when reviewing?

Minimum Agent Versions

This new feature will require at least agent version 7.75 (this might be revised to some higher value if we find some critical issues with this feature).

Describe your test plan

This was tested manually on some local kind clusters, and on staging on stingchameleon.

Checklist

  • PR has at least one valid label: bug, enhancement, refactoring, documentation, tooling, and/or dependencies
  • PR has a milestone or the qa/skip-qa label
  • All commits are signed (see: signing commits)

codecov-commenter commented Jan 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 38.40%. Comparing base (cab4ef9) to head (0950bc4).

@@            Coverage Diff             @@
##             main    #2480      +/-   ##
==========================================
+ Coverage   38.38%   38.40%   +0.02%     
==========================================
  Files         300      300              
  Lines       25555    25564       +9     
==========================================
+ Hits         9809     9818       +9     
  Misses      15002    15002              
  Partials      744      744              
Flag Coverage Δ
unittests 38.40% <100.00%> (+0.02%) ⬆️

Files with missing lines Coverage Δ
...al/controller/datadogagent/feature/cspm/feature.go 75.80% <100.00%> (+1.23%) ⬆️

@paulcacheux paulcacheux added the enhancement New feature or request label Jan 12, 2026
@paulcacheux paulcacheux modified the milestones: v1.24.0, v1.23.0 Jan 12, 2026
@tbavelier tbavelier modified the milestones: v1.23.0, v1.24.0 Jan 12, 2026
@paulcacheux paulcacheux changed the title [CSPM] implement directSendFromSystemProbeFeature [CSPM] implement runInSystemProbe Jan 13, 2026
@paulcacheux paulcacheux force-pushed the paulcacheux/cspm-direct-send-from-sysprobe branch from 64788a0 to 29ee8c0 Compare January 13, 2026 08:42
@paulcacheux paulcacheux changed the title [CSPM] implement runInSystemProbe [CSPM] implement runInSystemProbe to allow the CSPM code to run in system-probe Jan 15, 2026
@paulcacheux paulcacheux marked this pull request as ready for review January 15, 2026 14:12
@paulcacheux paulcacheux requested review from a team as code owners January 15, 2026 14:12
@paulcacheux paulcacheux force-pushed the paulcacheux/cspm-direct-send-from-sysprobe branch from 29ee8c0 to 0950bc4 Compare January 15, 2026 16:23