feat(appsec): enable api security

florentinl · florentinl · commit d506ee56a7f4 · 2025-07-24T09:45:15.000+02:00
diff --git a/ddtrace/appsec/_handlers.py b/ddtrace/appsec/_handlers.py
@@ -4,13 +4,15 @@
 from typing import Any
 from typing import Dict
 from typing import Optional
+from typing import Union
 
 import xmltodict
 
 from ddtrace._trace.span import Span
 from ddtrace.appsec._asm_request_context import _call_waf
 from ddtrace.appsec._asm_request_context import _call_waf_first
 from ddtrace.appsec._asm_request_context import get_blocked
+from ddtrace.appsec._asm_request_context import set_body_response
 from ddtrace.appsec._constants import SPAN_DATA_NAMES
 from ddtrace.appsec._http_utils import extract_cookies_from_headers
 from ddtrace.appsec._http_utils import normalize_headers
@@ -157,6 +159,14 @@ def _on_lambda_start_response(
     _call_waf(("aws_lambda",))
 
 
+def _on_lambda_parse_body(
+    response_body: Optional[Union[str, Dict[str, Any]]],
+):
+    if asm_config._api_security_feature_active:
+        if response_body:
+            set_body_response(response_body)
+
+
 # ASGI
 
 
@@ -408,6 +418,7 @@ def listen():
 
     core.on("aws_lambda.start_request", _on_lambda_start_request)
     core.on("aws_lambda.start_response", _on_lambda_start_response)
+    core.on("aws_lambda.parse_body", _on_lambda_parse_body)
 
     core.on("grpc.server.response.message", _on_grpc_server_response)
     core.on("grpc.server.data", _on_grpc_server_data)
diff --git a/ddtrace/appsec/_processor.py b/ddtrace/appsec/_processor.py
@@ -189,7 +189,7 @@ def on_span_start(self, span: Span) -> None:
             if skip_event:
                 core.discard_item("appsec_skip_next_lambda_event")
                 log.debug(
-                    "appsec: ignoring unsupported lamdba event",
+                    "appsec: ignoring unsupported lambda event",
                 )
                 span.set_metric(APPSEC.UNSUPPORTED_EVENT_TYPE, 1.0)
                 return
diff --git a/ddtrace/settings/asm.py b/ddtrace/settings/asm.py
@@ -246,9 +246,8 @@ def __init__(self):
             self._asm_processed_span_types.add(SpanTypes.SERVERLESS)
             self._asm_http_span_types.add(SpanTypes.SERVERLESS)
 
-            # As a first step, only Threat Management in monitoring mode should be enabled in AWS Lambda
+            # Disable all features that are not supported in Lambda
             tracer_config._remote_config_enabled = False
-            self._api_security_enabled = False
             self._ep_enabled = False
             self._iast_supported = False
 

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ def on_span_start(self, span: Span) -> None:`
`189`	`189`	`if skip_event:`
`190`	`190`	`core.discard_item("appsec_skip_next_lambda_event")`
`191`	`191`	`log.debug(`
`192`		`- "appsec: ignoring unsupported lamdba event",`
	`192`	`+ "appsec: ignoring unsupported lambda event",`
`193`	`193`	`)`
`194`	`194`	`span.set_metric(APPSEC.UNSUPPORTED_EVENT_TYPE, 1.0)`
`195`	`195`	`return`