appsec

package
v1.5.0

This package is not in the latest version of its module.
Published: Mar 4, 2024 License: Apache-2.0 Imports: 9 Imported by: 1

Documentation

Overview

Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0. This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2023-present Datadog, Inc.

Constants

const (
	// EnvAPISecEnabled is the env var used to enable API Security
	EnvAPISecEnabled = "DD_API_SECURITY_ENABLED"
	// EnvAPISecSampleRate is the env var used to set the sampling rate of API Security schema extraction
	EnvAPISecSampleRate = "DD_API_SECURITY_REQUEST_SAMPLE_RATE"
	// EnvObfuscatorKey is the env var used to provide the WAF key obfuscation regexp
	EnvObfuscatorKey = "DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP"
	// EnvObfuscatorValue is the env var used to provide the WAF value obfuscation regexp
	EnvObfuscatorValue = "DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP"
	// EnvWAFTimeout is the env var used to specify the timeout value for a WAF run
	EnvWAFTimeout = "DD_APPSEC_WAF_TIMEOUT"
	// EnvTraceRateLimit is the env var used to set the ASM trace limiting rate
	EnvTraceRateLimit = "DD_APPSEC_TRACE_RATE_LIMIT"
	// EnvRules is the env var used to provide a path to a local security rule file
	EnvRules = "DD_APPSEC_RULES"
)

Configuration environment variables

const (
	// DefaultAPISecSampleRate is the default rate at which API Security schemas are extracted from requests
	DefaultAPISecSampleRate = .1
	// DefaultObfuscatorKeyRegex is the default regexp used to obfuscate keys
	DefaultObfuscatorKeyRegex = `` /* 155-byte string literal not displayed */
	// DefaultObfuscatorValueRegex is the default regexp used to obfuscate values
	DefaultObfuscatorValueRegex = `` /* 443-byte string literal not displayed */
	// DefaultWAFTimeout is the default time limit past which a WAF run will timeout
	DefaultWAFTimeout = time.Millisecond
	// DefaultTraceRate is the default limit (trace/sec) past which ASM traces are sampled out
	DefaultTraceRate uint = 100 // up to 100 appsec traces/s
)

Configuration constants and default values

Variables

var StaticProcessors string

StaticProcessors holds the default processors and scanners used for API Security. They are not part of the recommended security rules.

var StaticRecommendedRules string

StaticRecommendedRules holds the recommended AppSec security rules (v1.11.0). Source: https://github.com/DataDog/appsec-event-rules/blob/1.11.0/build/recommended.json

Functions

func DefaultRuleset added in v1.0.2

func DefaultRuleset() ([]byte, error)

DefaultRuleset returns the marshaled default recommended security rules for AppSec

func DefaultRulesetMap added in v1.2.0

func DefaultRulesetMap() (map[string]any, error)

DefaultRulesetMap returns the unmarshaled default recommended security rules for AppSec

func RateLimitFromEnv added in v1.1.0

func RateLimitFromEnv() (rate uint)

RateLimitFromEnv reads and parses the trace rate limit set through the env. If not set, it defaults to `DefaultTraceRate`.

func RulesFromEnv added in v1.1.0

func RulesFromEnv() ([]byte, error)

RulesFromEnv returns the security rules provided through the environment. If the env var is not set, the default recommended rules are returned instead.

func WAFTimeoutFromEnv added in v1.1.0

func WAFTimeoutFromEnv() (timeout time.Duration)

WAFTimeoutFromEnv reads and parses the WAF timeout value set through the env. If not set, it defaults to `DefaultWAFTimeout`.

Types

type APISecConfig added in v1.1.0

type APISecConfig struct {
	Enabled    bool
	SampleRate float64
}

APISecConfig holds the configuration for API Security schemas reporting. It is used to enable/disable the feature as well as to configure the rate at which schemas get reported.

func NewAPISecConfig added in v1.1.0

func NewAPISecConfig() APISecConfig

NewAPISecConfig creates and returns a new API Security configuration by reading the env

type ObfuscatorConfig added in v1.1.0

type ObfuscatorConfig struct {
	KeyRegex   string
	ValueRegex string
}

ObfuscatorConfig wraps the key and value regexp to be passed to the WAF to perform obfuscation.

func NewObfuscatorConfig added in v1.1.0

func NewObfuscatorConfig() ObfuscatorConfig

NewObfuscatorConfig creates and returns a new WAF obfuscator configuration by reading the env
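
The check below is an added example, not code from this package or from Datadog: it shows one way to validate custom obfuscation regexps before deploying them through the two obfuscation env vars listed in the constants above, rejecting a pattern that is empty or does not compile and reporting known-sensitive parameters that neither regexp would match. The helper names, sample regexps and sample parameters are constructed for illustration; it assumes Go's `regexp` package approximates the WAF's matching and that a parameter is obfuscated when either its key or its value matches.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// Env var names are from this page; the sample regexps are constructed (the real defaults are not displayed here).
const (
	envKey           = "DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP"
	envValue         = "DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP"
	sampleKeyRegex   = `(?i)(pass(word|wd)?|secret|token|api[_-]?key)`
	sampleValueRegex = `(?i)bearer\s+[a-z0-9._-]+`
)

// loadRegexps (hypothetical helper) compiles the key and value regexps from the env, or the samples if unset.
func loadRegexps() (res [2]*regexp.Regexp, err error) {
	for i, c := range [2][2]string{{envKey, sampleKeyRegex}, {envValue, sampleValueRegex}} {
		expr, ok := os.LookupEnv(c[0])
		if !ok {
			expr = c[1]
		}
		if expr == "" { // an empty Go regexp matches everything and would hide gaps
			return res, fmt.Errorf("%s is set but empty", c[0])
		}
		if res[i], err = regexp.Compile(expr); err != nil {
			return res, fmt.Errorf("%s: %w", c[0], err)
		}
	}
	return res, nil
}

// unredacted returns the names of known-sensitive {key, value} pairs that neither regexp matches.
func unredacted(sensitive [][2]string) ([]string, error) {
	res, err := loadRegexps()
	if err != nil {
		return nil, err
	}
	var missed []string
	for _, p := range sensitive {
		if !res[0].MatchString(p[0]) && !res[1].MatchString(p[1]) {
			missed = append(missed, p[0])
		}
	}
	return missed, nil
}

func main() { // constructed parameters that should all be obfuscated
	fmt.Println(unredacted([][2]string{{"password", "hunter2"}, {"X-Auth", "Bearer abc.def"}, {"session_id", "9f2c1e"}}))
}
```

A non-empty result means the regexps under test leave at least one sensitive parameter visible, so the check can gate a deployment that changes either env var.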
