Documentation
Overview
Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0. This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2023-present Datadog, Inc.
Constants
const (
	// EnvAPISecEnabled is the env var used to enable API Security
	EnvAPISecEnabled = "DD_API_SECURITY_ENABLED"
	// EnvAPISecSampleRate is the env var used to set the sampling rate of API Security schema extraction
	EnvAPISecSampleRate = "DD_API_SECURITY_REQUEST_SAMPLE_RATE"
	// EnvObfuscatorKey is the env var used to provide the WAF key obfuscation regexp
	EnvObfuscatorKey = "DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP"
	// EnvObfuscatorValue is the env var used to provide the WAF value obfuscation regexp
	EnvObfuscatorValue = "DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP"
	// EnvWAFTimeout is the env var used to specify the timeout value for a WAF run
	EnvWAFTimeout = "DD_APPSEC_WAF_TIMEOUT"
	// EnvTraceRateLimit is the env var used to set the ASM trace limiting rate
	EnvTraceRateLimit = "DD_APPSEC_TRACE_RATE_LIMIT"
	// EnvRules is the env var used to provide a path to a local security rule file
	EnvRules = "DD_APPSEC_RULES"
	// EnvRASPEnabled is the env var used to enable/disable RASP functionalities for ASM
	EnvRASPEnabled = "DD_APPSEC_RASP_ENABLED"
)
Configuration environment variables
const (
	// DefaultAPISecSampleRate is the default rate at which API Security schemas are extracted from requests
	DefaultAPISecSampleRate = .1
	// DefaultObfuscatorKeyRegex is the default regexp used to obfuscate keys
	DefaultObfuscatorKeyRegex = `` /* 155-byte string literal not displayed */
	// DefaultObfuscatorValueRegex is the default regexp used to obfuscate values
	DefaultObfuscatorValueRegex = `` /* 443-byte string literal not displayed */
	// DefaultWAFTimeout is the default time limit past which a WAF run will timeout
	DefaultWAFTimeout = time.Millisecond
	// DefaultTraceRate is the default limit (trace/sec) past which ASM traces are sampled out
	DefaultTraceRate uint = 100 // up to 100 appsec traces/s
)
Configuration constants and default values
Variables
var StaticProcessors string
StaticProcessors holds the default processors and scanners used for API Security. It is not part of the recommended security rules.
var StaticRecommendedRules string
StaticRecommendedRules holds the recommended AppSec security rules (v1.11.0). Source: https://github.com/DataDog/appsec-event-rules/blob/1.11.0/build/recommended.json
Functions
func DefaultRuleset (added in v1.0.2)
DefaultRuleset returns the marshaled default recommended security rules for AppSec
func DefaultRulesetMap (added in v1.2.0)
DefaultRulesetMap returns the unmarshaled default recommended security rules for AppSec
func RASPEnabled (added in v1.6.0)
func RASPEnabled() bool
RASPEnabled returns true if RASP functionalities are enabled through the env, or if DD_APPSEC_RASP_ENABLED is not set
func RateLimitFromEnv (added in v1.1.0)
func RateLimitFromEnv() (rate uint)
RateLimitFromEnv reads and parses the trace rate limit set through the env. If not set, it defaults to `DefaultTraceRate`.
func RulesFromEnv (added in v1.1.0)
RulesFromEnv returns the security rules provided through the environment. If the env var is not set, the default recommended rules are returned instead.
func WAFTimeoutFromEnv (added in v1.1.0)
WAFTimeoutFromEnv reads and parses the WAF timeout value set through the env. If not set, it defaults to `DefaultWAFTimeout`.
Types
type APISecConfig (added in v1.1.0)
APISecConfig holds the configuration for API Security schemas reporting. It is used to enable/disable the feature as well as to configure the rate at which schemas get reported.
func NewAPISecConfig (added in v1.1.0)
func NewAPISecConfig() APISecConfig
NewAPISecConfig creates and returns a new API Security configuration by reading the env
type ObfuscatorConfig (added in v1.1.0)
ObfuscatorConfig wraps the key and value regexp to be passed to the WAF to perform obfuscation.
func NewObfuscatorConfig (added in v1.1.0)
func NewObfuscatorConfig() ObfuscatorConfig
NewObfuscatorConfig creates and returns a new WAF obfuscator configuration by reading the env
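An added example, not part of this package: a stand-alone pre-deployment check over some of the environment variables documented above, reporting values that are set but suspect before the service starts. The helper names, the [0, 1] range assumed for the sample rate, and the use of Go's regexp syntax as a pre-check for the obfuscation patterns are assumptions of the example, not behaviour documented by the package.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Assumption: Go's regexp syntax is an adequate pre-check for the WAF patterns.
func badRegexp(s string) bool {
	_, err := regexp.Compile(s)
	return s == "" || err != nil
}

// Assumption: the schema sample rate is a fraction between 0 and 1.
func badRate(s string) bool {
	r, err := strconv.ParseFloat(s, 64)
	return err != nil || !(r >= 0 && r <= 1) // written so that NaN is rejected
}

// RASP counts as enabled when the variable is unset, so only set values reach here.
func raspOff(s string) bool {
	on, err := strconv.ParseBool(s)
	return err != nil || !on
}

var checks = []struct { // env vars from this page, each with a test for a suspect value
	name, problem string
	bad           func(string) bool
}{
	{"DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP", "empty or invalid regexp", badRegexp},
	{"DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP", "empty or invalid regexp", badRegexp},
	{"DD_API_SECURITY_REQUEST_SAMPLE_RATE", "not a number in [0, 1]", badRate},
	{"DD_APPSEC_RASP_ENABLED", "RASP disabled or not a boolean", raspOff},
}

// AuditAppSecEnv lists set-but-suspect variables; lookup mirrors os.LookupEnv.
func AuditAppSecEnv(lookup func(string) (string, bool)) []string {
	var out []string
	for _, c := range checks {
		if s, ok := lookup(c.name); ok && c.bad(s) {
			out = append(out, c.name+": "+c.problem)
		}
	}
	return out
}

func main() { fmt.Println(AuditAppSecEnv(os.LookupEnv)) }
```

Passing a function with the signature of os.LookupEnv lets the same check run against a constructed environment in CI, before the variables reach a deployed process.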