ci(iast): update hatch iast envs configuration [backport 2.21] (#12748)

avara1986 · web-flow · commit c1eddeaed74a · 2025-03-18T11:40:29.000+01:00
Backport #12740 to 2.21 Removed environment variables from Python commands in `envs.[scenario].scripts` and moved them to `[envs.[scenario].env-vars]`. This improves command readability. Additionally, the internal variable `_DD_IAST_PATCH_MODULES` has been included to prevent potential conflicts observed in other refactors, such as #12639. This PR is a cherry-pick of one of the commits of this PR #12639 ## Checklist - [x] PR author has checked that all the criteria below are met - The PR description includes an overview of the change - The PR description articulates the motivation for the change - The change includes tests OR the PR description describes a testing strategy - The PR description notes risks associated with the change, if any - Newly-added code is easy to change - The change follows the [library release note guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html) - The change includes or references documentation updates if necessary - Backport labels are set (if [applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)) ## Reviewer Checklist - [x] Reviewer has checked that all the criteria below are met - Title is accurate - All changes are related to the pull request's stated goal - Avoids breaking [API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces) changes - Testing strategy adequately addresses listed risks - Newly-added code is easy to change - Release note makes sense to a user of the library - If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment - Backport labels are set in a manner that is consistent with the [release branch maintenance policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)
diff --git a/hatch.toml b/hatch.toml
@@ -57,7 +57,7 @@ checks = [
     "suitespec-check",
 ]
 spelling = [
-    "codespell -I docs/spelling_wordlist.txt --skip='ddwaf.h,*cassettes*,tests/tracer/fixtures/urls.txt' {args:ddtrace/ tests/ releasenotes/ docs/}",
+    "codespell -I docs/spelling_wordlist.txt --skip='ddwaf.h,*cassettes*,tests/tracer/fixtures/urls.txt,tests/appsec/iast/fixtures/*' {args:ddtrace/ tests/ releasenotes/ docs/}",
 ]
 typing = [
     "mypy {args}",
@@ -185,6 +185,9 @@ DD_CIVISIBILITY_AGENTLESS_ENABLED = "1"
 DD_CIVISIBILITY_CODE_COVERAGE_ENABLED = "1"
 DD_CIVISIBILITY_ITR_ENABLED = "1"
 DD_PATCH_MODULES = "unittest:false"
+CMAKE_BUILD_PARALLEL_LEVEL = "12"
+CARGO_BUILD_JOBS = "12"
+DD_FAST_BUILD = "1"
 
 ## ASM Django
 
@@ -198,9 +201,6 @@ dependencies = [
     "django{matrix:django}"
 ]
 
-[envs.appsec_threats_django.env-vars]
-CMAKE_BUILD_PARALLEL_LEVEL = "12"
-
 [envs.appsec_threats_django.scripts]
 test = [
     "uname -a",
@@ -246,9 +246,6 @@ dependencies = [
     "flask{matrix:flask}"
 ]
 
-[envs.appsec_threats_flask.env-vars]
-CMAKE_BUILD_PARALLEL_LEVEL = "12"
-
 [envs.appsec_threats_flask.scripts]
 test = [
     "uname -a",
@@ -299,11 +296,16 @@ dependencies = [
     "mysqlclient==2.1.1",
 ]
 
+[envs.appsec_iast_default.env-vars]
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
 [envs.appsec_iast_default.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "DD_IAST_REQUEST_SAMPLING=100 DD_IAST_DEDUPLICATION_ENABLED=false python -m pytest {args:tests/appsec/iast/}",
+    "python -m pytest --no-ddtrace {args:tests/appsec/iast/}",
 ]
 
 [[envs.appsec_iast_default.matrix]]
@@ -325,6 +327,11 @@ dependencies = [
     "pytest-memray"
 ]
 
+[envs.appsec_iast_memcheck.env-vars]
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
 [envs.appsec_iast_memcheck.scripts]
 test = [
     "uname -a",
@@ -345,6 +352,11 @@ dependencies = [
     "clang"
 ]
 
+[envs.appsec_iast_native.env-vars]
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
 [envs.appsec_iast_native.scripts]
 test = [
     "cmake -DCMAKE_BUILD_TYPE=Debug -DPYTHON_EXECUTABLE=python -S ddtrace/appsec/_iast/_taint_tracking -B ddtrace/appsec/_iast/_taint_tracking",
@@ -369,11 +381,16 @@ dependencies = [
     "virtualenv-clone"
 ]
 
+[envs.appsec_iast_packages.env-vars]
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
 [envs.appsec_iast_packages.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "DD_CIVISIBILITY_ITR_ENABLED=0 DD_IAST_REQUEST_SAMPLING=100 DD_IAST_DEDUPLICATION_ENABLED=false python -m pytest tests/appsec/iast_packages",
+    "python -m pytest tests/appsec/iast_packages",
 ]
 
 [[envs.appsec_iast_packages.matrix]]
@@ -398,11 +415,17 @@ dependencies = [
     "aiosqlite",
 ]
 
+[envs.iast_tdd_propagation.env-vars]
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+DD_CIVISIBILITY_ITR_ENABLED = "0"
+
 [envs.iast_tdd_propagation.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "DD_CIVISIBILITY_ITR_ENABLED=0 DD_IAST_REQUEST_SAMPLING=100 DD_IAST_DEDUPLICATION_ENABLED=false python -m pytest tests/appsec/iast_tdd_propagation",
+    "python -m pytest tests/appsec/iast_tdd_propagation",
 ]
 
 [[envs.iast_tdd_propagation.matrix]]
@@ -423,11 +446,18 @@ dependencies = [
     "Django{matrix:django}",
 ]
 
+[envs.appsec_integrations_django.env-vars]
+DD_TRACE_AGENT_URL = "http://testagent:9126"
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
+
 [envs.appsec_integrations_django.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "DD_TRACE_AGENT_URL=\"http://testagent:9126\" DD_CIVISIBILITY_ITR_ENABLED=0 DD_IAST_REQUEST_SAMPLING=100 DD_IAST_DEDUPLICATION_ENABLED=false python -m pytest -vvv {args:tests/appsec/integrations/django_tests/}",
+    "python -m pytest -vvv {args:tests/appsec/integrations/django_tests/}",
 ]
 
 [[envs.appsec_integrations_django.matrix]]
@@ -455,11 +485,17 @@ dependencies = [
     "flask{matrix:flask}",
 ]
 
+[envs.appsec_integrations_flask.env-vars]
+DD_TRACE_AGENT_URL = "http://testagent:9126"
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
 [envs.appsec_integrations_flask.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "DD_TRACE_AGENT_URL=\"http://testagent:9126\" DD_CIVISIBILITY_ITR_ENABLED=0 DD_IAST_ENABLED=true DD_IAST_REQUEST_SAMPLING=100 DD_IAST_DEDUPLICATION_ENABLED=false python -m pytest -vvv {args:tests/appsec/integrations/flask_tests/}",
+    "python -m pytest -vvv {args:tests/appsec/integrations/flask_tests/}",
 ]
 
 [[envs.appsec_integrations_flask.matrix]]
@@ -506,11 +542,17 @@ dependencies = [
     "fastapi{matrix:fastapi}"
 ]
 
+[envs.appsec_integrations_fastapi.env-vars]
+DD_TRACE_AGENT_URL = "http://testagent:9126"
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec."
+DD_IAST_REQUEST_SAMPLING = "100"
+DD_IAST_DEDUPLICATION_ENABLED = "false"
+
 [envs.appsec_integrations_fastapi.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "DD_TRACE_AGENT_URL=\"http://testagent:9126\" DD_CIVISIBILITY_ITR_ENABLED=0 DD_IAST_REQUEST_SAMPLING=100 DD_IAST_DEDUPLICATION_ENABLED=false python -m pytest -vvv {args:tests/appsec/integrations/fastapi_tests/}",
+    "python -m pytest -vvv {args:tests/appsec/integrations/fastapi_tests/}",
 ]
 
 
@@ -529,7 +571,6 @@ fastapi = ["==0.94.1"]
 python = ["3.8", "3.10", "3.13"]
 fastapi = ["~=0.114.2"]
 
-
 ## ASM FastAPI
 
 [envs.appsec_threats_fastapi]
@@ -544,9 +585,6 @@ dependencies = [
     "fastapi{matrix:fastapi}"
 ]
 
-[envs.appsec_threats_fastapi.env-vars]
-CMAKE_BUILD_PARALLEL_LEVEL = "12"
-
 [envs.appsec_threats_fastapi.scripts]
 test = [
     "uname -a",
@@ -570,10 +608,10 @@ fastapi = ["==0.94.1"]
 python = ["3.8", "3.10", "3.13"]
 fastapi = ["~=0.114.2"]
 
-## ASM Appsec Aggregated Leak Testing
+## ASM IAST Aggregated Leak Testing
 
-[envs.appsec_aggregated_leak_testing]
-template = "appsec_aggregated_leak_testing"
+[envs.iast_aggregated_leak_testing]
+template = "iast_aggregated_leak_testing"
 dependencies = [
     "pytest",
     "pytest-cov",
@@ -587,19 +625,19 @@ dependencies = [
 
 [envs.iast_aggregated_leak_testing.env-vars]
 DD_IAST_ENABLED = "true"
-_DD_IAST_PATCH_MODULES = "scripts.iast"
+_DD_IAST_PATCH_MODULES = "benchmarks.,tests.appsec.,scripts.iast."
+DD_FAST_BUILD = "0"
 
-[envs.appsec_aggregated_leak_testing.scripts]
+[envs.iast_aggregated_leak_testing.scripts]
 test = [
     "uname -a",
     "pip freeze",
-    "python -m pytest tests/appsec/iast_aggregated_memcheck/test_aggregated_memleaks.py",
+    # We use --no-cov due to a pytest-cov problem with eval https://github.com/pytest-dev/pytest-cov/issues/676
+    "python -m pytest --no-cov tests/appsec/iast_aggregated_memcheck/test_aggregated_memleaks.py",
 ]
 
-[[envs.appsec_aggregated_leak_testing.matrix]]
-python = ["3.10", "3.11", "3.12", "3.13"]
-
-
+[[envs.iast_aggregated_leak_testing.matrix]]
+python = ["3.10", "3.11", "3.12"]
 
 ## pytorch profiling test
 
@@ -617,7 +655,6 @@ dependencies = [
 [envs.profiling_pytorch.env-vars]
 DD_PROFILING_ENABLED = "true"
 DD_PROFILING_PYTORCH_ENABLED = "true"
-CMAKE_BUILD_PARALLEL_LEVEL = "12"
 
 [envs.profiling_pytorch.scripts]
 test = [
@@ -766,3 +803,4 @@ matrix.tested_pytest_plugin_version.env-vars = [
     { key = "_TESTED_PYTEST_PLUGIN_VERSION", value = "false", if = ["v1"]},
     { key = "_TESTED_PYTEST_PLUGIN_VERSION", value = "true", if = ["v2"]}
 ]
+
diff --git a/scripts/gen_gitlab_config.py b/scripts/gen_gitlab_config.py
@@ -50,7 +50,8 @@ def __str__(self) -> str:
         if wait_for:
             lines.append("  before_script:")
             lines.append(f"    - !reference [{base}, before_script]")
-            lines.append(f"    - riot -v run -s --pass-env wait -- {' '.join(wait_for)}")
+            if self.runner == "riot":
+                lines.append(f"    - riot -v run -s --pass-env wait -- {' '.join(wait_for)}")
 
         env = self.env
         if not env or "SUITE_NAME" not in env:
diff --git a/tests/appsec/integrations/flask_tests/test_flask_remoteconfig.py b/tests/appsec/integrations/flask_tests/test_flask_remoteconfig.py
@@ -187,7 +187,6 @@ def _request_403(client, debug_mode=False, max_retries=40, sleep_time=1):
     raise AssertionError("request_403 failed, max_retries=%d, sleep_time=%f" % (max_retries, sleep_time))
 
 
-@flaky(until=1706677200, reason="TODO(avara1986): We need to migrate testagent to gitlab")
 @pytest.mark.skipif(sys.version_info >= (3, 11), reason="Gunicorn is only supported up to 3.10")
 def test_load_testing_appsec_ip_blocking_gunicorn_rc_disabled():
     token = "test_load_testing_appsec_ip_blocking_gunicorn_rc_disabled_{}".format(str(uuid.uuid4()))
@@ -203,7 +202,6 @@ def test_load_testing_appsec_ip_blocking_gunicorn_rc_disabled():
         _unblock_ip(token)
 
 
-@flaky(until=1706677200, reason="TODO(avara1986): We need to migrate testagent to gitlab")
 @pytest.mark.skipif(sys.version_info >= (3, 11), reason="Gunicorn is only supported up to 3.10")
 def test_load_testing_appsec_ip_blocking_gunicorn_block():
     token = "test_load_testing_appsec_ip_blocking_gunicorn_block_{}".format(str(uuid.uuid4()))
@@ -221,7 +219,6 @@ def test_load_testing_appsec_ip_blocking_gunicorn_block():
         _request_200(gunicorn_client)
 
 
-@flaky(until=1706677200, reason="TODO(avara1986): We need to migrate testagent to gitlab")
 @pytest.mark.skipif(list(sys.version_info[:2]) != [3, 10], reason="Run this tests in python 3.10")
 def test_load_testing_appsec_ip_blocking_gunicorn_block_and_kill_child_worker():
     token = "test_load_testing_appsec_ip_blocking_gunicorn_block_and_kill_child_worker_{}".format(str(uuid.uuid4()))
diff --git a/tests/appsec/suitespec.yml b/tests/appsec/suitespec.yml
@@ -71,14 +71,27 @@ suites:
       - '@remoteconfig'
     retry: 2
     runner: hatch
-  appsec_iast_packages:
-    parallelism: 4
+  iast_aggregated_leak_testing:
+    parallelism: 3
     paths:
       - '@appsec_iast'
-      - tests/appsec/iast_packages/*
-    retry: 2
+      - tests/appsec/iast_aggregated_memcheck/*
     runner: hatch
     timeout: 50m
+  iast_tdd_propagation:
+    parallelism: 5
+    paths:
+      - '@bootstrap'
+      - '@core'
+      - '@tracing'
+      - '@appsec'
+      - '@appsec_iast'
+      - '@remoteconfig'
+      - tests/appsec/iast_tdd_propagation/*
+    retry: 2
+    runner: hatch
+    snapshot: true
+    timeout: 40m
   appsec_integrations_pygoat:
     parallelism: 7
     paths:
@@ -94,7 +107,7 @@ suites:
     runner: riot
     snapshot: true
   appsec_integrations_flask:
-    parallelism: 6
+    parallelism: 17
     paths:
       - '@bootstrap'
       - '@core'
@@ -105,9 +118,11 @@ suites:
       - tests/appsec/integrations/flask_tests/*
     retry: 2
     runner: hatch
-    timeout: 30m
+    services:
+      - testagent
+    timeout: 40m
   appsec_integrations_django:
-    parallelism: 6
+    parallelism: 12
     paths:
       - '@bootstrap'
       - '@core'
@@ -118,6 +133,8 @@ suites:
       - tests/appsec/integrations/django_tests/*
     retry: 2
     runner: hatch
+    services:
+      - testagent
     timeout: 30m
   appsec_threats_django:
     parallelism: 12
