chore(ci): move IAST leak testing to riot (#13544)

## Checklist
- [X] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [ ] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

---------

Signed-off-by: Juanjo Alvarez <[email protected]>

Author: juanjux

.riot/requirements/6780b6b.txt

@@ -0,0 +1,34 @@
+#
+# This file is autogenerated by pip-compile with Python 3.12
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/6780b6b.in
+#
+annotated-types==0.7.0
+anyio==4.9.0
+attrs==25.3.0
+certifi==2025.4.26
+charset-normalizer==3.4.2
+coverage[toml]==7.8.2
+hypothesis==6.45.0
+idna==3.10
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pydantic==2.11.5
+pydantic-core==2.33.2
+pydantic-settings==2.9.1
+pygments==2.19.1
+pytest==8.4.0
+pytest-asyncio==1.0.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+python-dotenv==1.1.0
+requests==2.32.3
+sniffio==1.3.1
+sortedcontainers==2.4.0
+typing-extensions==4.14.0
+typing-inspection==0.4.1
+urllib3==2.4.0

.riot/requirements/73136d3.txt

@@ -0,0 +1,36 @@
+#
+# This file is autogenerated by pip-compile with Python 3.10
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/73136d3.in
+#
+annotated-types==0.7.0
+anyio==4.9.0
+attrs==25.3.0
+certifi==2025.4.26
+charset-normalizer==3.4.2
+coverage[toml]==7.8.2
+exceptiongroup==1.3.0
+hypothesis==6.45.0
+idna==3.10
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pydantic==2.11.5
+pydantic-core==2.33.2
+pydantic-settings==2.9.1
+pygments==2.19.1
+pytest==8.4.0
+pytest-asyncio==1.0.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+python-dotenv==1.1.0
+requests==2.32.3
+sniffio==1.3.1
+sortedcontainers==2.4.0
+tomli==2.2.1
+typing-extensions==4.14.0
+typing-inspection==0.4.1
+urllib3==2.4.0

.riot/requirements/ba34840.txt

@@ -0,0 +1,34 @@
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --no-annotate .riot/requirements/ba34840.in
+#
+annotated-types==0.7.0
+anyio==4.9.0
+attrs==25.3.0
+certifi==2025.4.26
+charset-normalizer==3.4.2
+coverage[toml]==7.8.2
+hypothesis==6.45.0
+idna==3.10
+iniconfig==2.1.0
+mock==5.2.0
+opentracing==2.4.0
+packaging==25.0
+pluggy==1.6.0
+pydantic==2.11.5
+pydantic-core==2.33.2
+pydantic-settings==2.9.1
+pygments==2.19.1
+pytest==8.4.0
+pytest-asyncio==1.0.0
+pytest-cov==6.1.1
+pytest-mock==3.14.1
+python-dotenv==1.1.0
+requests==2.32.3
+sniffio==1.3.1
+sortedcontainers==2.4.0
+typing-extensions==4.14.0
+typing-inspection==0.4.1
+urllib3==2.4.0

hatch.toml

@@ -626,37 +626,6 @@ fastapi = ["==0.94.1"]
 python = ["3.8", "3.10", "3.13"]
 fastapi = ["~=0.114.2"]
 
-## ASM Appsec Aggregated Leak Testing
-
-[envs.iast_aggregated_leak_testing]
-template = "iast_aggregated_leak_testing"
-dependencies = [
-    "pytest",
-    "pytest-cov",
-    "hypothesis",
-    "requests",
-    "pytest-asyncio",
-    "anyio",
-    "pydantic",
-    "pydantic-settings",
-]
-
-[envs.iast_aggregated_leak_testing.env-vars]
-DD_IAST_ENABLED = "true"
-_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec.,scripts.iast."
-DD_FAST_BUILD = "0"
-
-[envs.iast_aggregated_leak_testing.scripts]
-test = [
-    "uname -a",
-    "pip freeze",
-    # We use --no-cov due to a pytest-cov problem with eval https://github.com/pytest-dev/pytest-cov/issues/676
-    "python -m pytest --no-cov tests/appsec/iast_aggregated_memcheck/test_aggregated_memleaks.py",
-]
-
-[[envs.iast_aggregated_leak_testing.matrix]]
-python = ["3.10", "3.11", "3.12"]
-
 ## pytorch profiling test
 
 [envs.profiling_pytorch]

lib-injection/sources/min_compatible_versions.csv

@@ -132,6 +132,8 @@ psycopg,0
 psycopg2-binary,~=2.8.0
 py-cpuinfo,~=8.0.0
 pycryptodome,0
+pydantic,0
+pydantic-settings,0
 pyfakefs,0
 pylibmc,~=1.6.2
 pymemcache,~=3.4.2

min_compatible_versions.csv

@@ -132,6 +132,8 @@ psycopg,0
 psycopg2-binary,~=2.8.0
 py-cpuinfo,~=8.0.0
 pycryptodome,0
+pydantic,0
+pydantic-settings,0
 pyfakefs,0
 pylibmc,~=1.6.2
 pymemcache,~=3.4.2

riotfile.py

@@ -144,6 +144,24 @@ def select_pys(min_version: str = MIN_PYTHON_VERSION, max_version: str = MAX_PYT
                 "DD_IAST_REQUEST_SAMPLING": "100",
             },
         ),
+        Venv(
+            name="iast_aggregated_leak_testing",
+            pys=["3.10", "3.11", "3.12"],
+            # We use --no-cov due to a pytest-cov problem with eval https://github.com/pytest-dev/pytest-cov/issues/676
+            command="pytest --no-cov {cmdargs} tests/appsec/iast_aggregated_memcheck/test_aggregated_memleaks.py",
+            pkgs={
+                "requests": latest,
+                "pytest-asyncio": latest,
+                "anyio": latest,
+                "pydantic": latest,
+                "pydantic-settings": latest,
+            },
+            env={
+                "DD_IAST_ENABLED": "true",
+                "_DD_IAST_PATCH_MODULES": "benchmarks.,tests.appsec.,scripts.iast.",
+                "DD_FAST_BUILD": "0",
+            },
+        ),
         Venv(
             name="profile-diff",
             command="python scripts/diff.py {cmdargs}",

tests/appsec/suitespec.yml

@@ -70,8 +70,8 @@ suites:
     paths:
       - '@appsec_iast'
       - tests/appsec/iast_aggregated_memcheck/*
-    runner: hatch
-    timeout: 50m
+    runner: riot
+    timeout: 60m
   appsec_iast_packages:
     paths:
       - '@appsec_iast'