appsec: RFC-1012 metrics improvements (duration distributions, rule_variant, tag fixes)#3850
#3850: cataphract wants to merge 17 commits into master
Benchmarks [appsec]: Benchmark execution time: 2026-05-05 15:24:47. Comparing candidate commit d4bf924 in PR branch. Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
Benchmarks [tracer]: Benchmark execution time: 2026-05-05 16:02:48. Comparing candidate commit d4bf924 in PR branch. Found 0 performance improvements and 4 performance regressions! Performance is the same for 189 metrics, 1 unstable metric.
- scenario:SamplingRuleMatchingBench/benchRegexMatching1
- scenario:SamplingRuleMatchingBench/benchRegexMatching2
- scenario:SamplingRuleMatchingBench/benchRegexMatching3
- scenario:SamplingRuleMatchingBench/benchRegexMatching4
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a6d4548ef6
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
… for bundled rules
- report_diagnostics_errors now takes rc_path as Option<&rc::RcPath> and an explicit action tag, so both the init path (action:init) and the update path (action:update) submit the waf.config_errors metric.
- The init path passes None for rc_path and constructs a synthetic ParsedConfigKey{product:"bundled_rules", config_id:"bundled_rules"} so diagnostic telemetry logs are also emitted for errors in the bundled rules.
- The init-path TelemetryLogsCollector is reused as the service's logs_collector so those logs are flushed on the first request.
- Integration test @order(21) verifies the metric (action:init, event_rules_version:9.9.9) and the diagnostic log (rc::bundled_rules::diagnostic) in a single drain loop, since drainTelemetry is destructive.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces rasp.c/h with duration_acc.c/h to accumulate both WAF and RASP round-trip times measured by the extension. Sends them in request_shutdown (now 6 args). Rust helper emits waf.duration, waf.duration_ext, and rasp.duration_ext as DDSketch distributions, and _dd.appsec.waf.duration_ext as a span metric. Adds integration tests with a Groovy DDSketch protobuf decoder to cross-check span metric values against distribution bins.
…sql_injection
Adds rule_variant as a new optional field in the request_exec protocol (msgpack map key "rule_variant", sent only when non-empty). The PHP extension parses an optional third argument to push_addresses() and packs it when present.
FilesystemIntegration passes "request" for SSRF pre-hooks. PDO and Mysqli integrations rename "sqli" to "sql_injection" for consistency with other tracers.
In the Rust helper, WafRunType::RaspRule becomes a struct variant { rule_type, rule_variant: Option<String> }. The rasp_per_rule HashMap is keyed on (rule_type, rule_variant); the rule_variant tag is emitted only when non-empty (the sidecar rejects tags ending with a bare colon). Also adds event_rules_version to the three RASP per-rule metrics (rasp.rule.eval, rasp.rule.match, rasp.timeout).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
It changed the clang-tidy version we were looking for locally but this introduces new errors reported by clang-tidy, which were not handled.
…but was rate limited
This way the request-shutdown round-trip can be accounted for in waf.duration_ext.
Description
Implements and completes the RFC-1012 appsec telemetry metric improvements.
Duration metrics
- waf.duration, waf.duration_ext, rasp.duration_ext are now submitted as DDSketch distributions (µs).
- _dd.appsec.waf.duration_ext is added as a span metric (µs).
- waf.duration_ext / rasp.duration_ext are measured by the PHP extension (not the helper) so that the request-shutdown round-trip is included in the value. The extension accumulates WAF + RASP round-trip durations in duration_acc.c/h and submits them directly to telemetry and as span metrics at request shutdown — rather than passing them through the helper — so the helper's own processing time is excluded from the measurement.
microseconds.
Tag fixes and additions
- waf.requests: fix rate_limited tag value when the request was rate-limited despite having an event.
- waf.config_errors: add action tag (init/update); emit the metric and diagnostic logs for errors in bundled rules (previously only remote-config updates were covered).
- rasp.rule.{eval,match,timeout}: add event_rules_version tag.
- rasp.rule.* metrics: add optional rule_variant tag (e.g. distinguishes subtypes within a rule type). Protocol extended with a new optional msgpack field; PHP extension passes it as a third argument to push_addresses().
- sqli → sql_injection in PDO/Mysqli/Filesystem integrations for consistency with other tracers.
Other
- values against distribution bins.
- appsec.waf.input_truncated and appsec.waf.truncated_value_size.
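An added Rust illustration (not code from dd-trace-php or its helper) of the rule_variant tagging described in the commit message and in the Description above: per-rule counters keyed on (rule_type, rule_variant), with the rule_variant tag emitted only for a non-empty variant, since a bare `rule_variant:` tag would be rejected by the sidecar. The type and function names (WafRunType, RaspMetrics, record, tags, flush) are assumed and do not mirror the helper's real API.

```rust
use std::collections::HashMap;

// Hypothetical stand-in for the helper's run-type enum; names assumed.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub enum WafRunType {
    Waf,
    RaspRule { rule_type: String, rule_variant: Option<String> },
}

#[derive(Debug, Default, Clone, Copy, PartialEq, Eq)]
pub struct RaspCounters { pub eval: u64, pub matched: u64, pub timeout: u64 }

// Per-rule counters keyed on (rule_type, rule_variant), as the PR describes.
#[derive(Default)]
pub struct RaspMetrics {
    per_rule: HashMap<(String, Option<String>), RaspCounters>,
}

impl RaspMetrics {
    // Record one RASP rule evaluation. An empty variant is normalised to None
    // so it can never turn into a bare "rule_variant:" tag later.
    pub fn record(&mut self, run: &WafRunType, matched: bool, timed_out: bool) {
        let WafRunType::RaspRule { rule_type, rule_variant } = run else { return };
        let variant = rule_variant.as_deref().filter(|v| !v.is_empty()).map(str::to_owned);
        let c = self.per_rule.entry((rule_type.clone(), variant)).or_default();
        c.eval += 1;
        c.matched += u64::from(matched);
        c.timeout += u64::from(timed_out);
    }

    // Tag set for one per-rule metric: rule_type and event_rules_version always,
    // rule_variant only when a non-empty variant is present.
    pub fn tags(rule_type: &str, rule_variant: Option<&str>, rules_version: &str) -> Vec<String> {
        let mut tags = vec![format!("rule_type:{rule_type}"), format!("event_rules_version:{rules_version}")];
        if let Some(v) = rule_variant.filter(|v| !v.is_empty()) {
            tags.push(format!("rule_variant:{v}"));
        }
        tags
    }

    // Drain the counters into (metric, tags, value) triples; zero counts are skipped.
    pub fn flush(&mut self, rules_version: &str) -> Vec<(&'static str, Vec<String>, u64)> {
        let mut out = Vec::new();
        for ((rt, rv), c) in self.per_rule.drain() {
            let tags = Self::tags(&rt, rv.as_deref(), rules_version);
            let counts = [("rasp.rule.eval", c.eval), ("rasp.rule.match", c.matched), ("rasp.timeout", c.timeout)];
            out.extend(counts.into_iter().filter(|(_, v)| *v > 0).map(|(n, v)| (n, tags.clone(), v)));
        }
        out
    }
}
```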