
feat(aap): collect security testing headers#4774

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 9 commits into main from flavien.darche/apisec-testing-headers on May 21, 2026

Conversation

@e-n-0 (Member) commented May 15, 2026

What does this PR do?

Collects Datadog security-testing request headers on HTTP service-entry spans. (RFC)

When an incoming request includes x-datadog-endpoint-scan or x-datadog-security-test, the HTTP instrumentation now sets these span tags:

  • http.request.headers.x-datadog-endpoint-scan
  • http.request.headers.x-datadog-security-test

The collection is unconditional: it does not depend on DD_TRACE_HEADER_TAGS or AppSec being enabled. The headers are also not propagated downstream.

This PR keeps the header/tag mapping in internal/appsec, then calls it from instrumentation/httptrace when starting HTTP request spans.

Motivation

These markers let the API inventory pipeline distinguish Datadog endpoint scans and security tests from real user traffic.

Related system-tests coverage: DataDog/system-tests#6915

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code. N/A, this only adds a small request-header lookup on HTTP entry spans.
  • If this interacts with the agent in a new way, a system test has been added. N/A, no new agent interaction.
  • New code is free of linting errors: go vet ./instrumentation/httptrace ./internal/appsec/listener/httpsec
  • New code doesn't break existing tests: go test -count=1 ./instrumentation/httptrace ./internal/appsec/listener/httpsec
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • All generated files are up to date. No generated files touched.
  • Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild. N/A, no module changes.

https://datadoghq.atlassian.net/browse/APPSEC-64418
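The behaviour the description spells out (two inbound headers, one span tag each under http.request.headers., collected regardless of header-tag configuration, never forwarded downstream) as an added Go illustration. This is not the dd-trace-go code from this PR: the tag-key derivation (prefix plus lower-cased header name) follows the tag names listed above, joining repeated header values with "," is an assumption of this example, and OutboundHeaders with its caller-supplied propagation list is a hypothetical helper that only exists to show the markers staying on the entry span.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Security-testing request headers named in the PR, and the tag prefix the
// resulting span tags live under (http.request.headers.<lower-cased name>).
const (
	HeaderEndpointScan = "x-datadog-endpoint-scan"
	HeaderSecurityTest = "x-datadog-security-test"
	tagPrefix          = "http.request.headers."
)

var securityTestingHeaders = []string{HeaderEndpointScan, HeaderSecurityTest}

// SecurityTestingTags returns the span tags to set for an inbound request.
// It is deliberately unconditional: no DD_TRACE_HEADER_TAGS-style allow-list
// and no "is AppSec enabled" check are consulted. A header that is absent
// produces no tag. Repeated values are joined with "," (assumption of this
// example, not a statement about dd-trace-go's own formatting).
func SecurityTestingTags(h http.Header) map[string]string {
	tags := make(map[string]string, len(securityTestingHeaders))
	for _, name := range securityTestingHeaders {
		// http.Header.Values canonicalises the key, so the lower-case
		// constant matches "X-Datadog-Endpoint-Scan" as sent on the wire.
		if vals := h.Values(name); len(vals) > 0 {
			tags[tagPrefix+name] = strings.Join(vals, ",")
		}
	}
	return tags
}

// OutboundHeaders (hypothetical helper) builds the header set for a downstream
// call from an explicit propagation list. The security-testing markers are not
// in that list, so a scan hitting this service is not relabelled as a scan of
// every backend it talks to.
func OutboundHeaders(inbound http.Header, propagate []string) http.Header {
	out := http.Header{}
	for _, name := range propagate {
		for _, v := range inbound.Values(name) {
			out.Add(name, v)
		}
	}
	return out
}

func main() {
	// Constructed request: what an endpoint scan looks like on arrival.
	req := httptest.NewRequest(http.MethodGet, "/api/users", nil)
	req.Header.Set("X-Datadog-Endpoint-Scan", "true")
	req.Header.Set("X-Datadog-Trace-Id", "1234") // stand-in propagation header

	for k, v := range SecurityTestingTags(req.Header) {
		fmt.Printf("%s = %s\n", k, v)
	}
	out := OutboundHeaders(req.Header, []string{"X-Datadog-Trace-Id"})
	fmt.Println("outbound carries scan marker:", out.Get(HeaderEndpointScan) != "")
}
```

Because the markers arrive on the client side of the request, they are a classification hint for the inventory pipeline rather than an authenticated signal; the tags record that the header was present, nothing more.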

codecov Bot commented May 15, 2026

Codecov Report

❌ Patch coverage is 62.74510% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.59%. Comparing base (080bac9) to head (7cdd215).

Files with missing lines                        Patch %   Lines
instrumentation/appsec/httpsec/span.go           0.00%    14 Missing ⚠️
internal/appsec/listener/httpsec/request.go     85.71%    3 Missing and 2 partials ⚠️

Additional details and impacted files
Files with missing lines                        Coverage Δ
instrumentation/httptrace/httptrace.go          91.27% <100.00%> (-2.65%) ⬇️
internal/appsec/listener/httpsec/request.go     82.65% <85.71%> (+0.11%) ⬆️
instrumentation/appsec/httpsec/span.go           0.00% <0.00%> (ø)

... and 278 files with indirect coverage changes


datadog-datadog-prod-us1 Bot commented May 15, 2026

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 65.91%
Overall Coverage: 61.83% (-0.08%)

Commit SHA: 7cdd215

@e-n-0 e-n-0 changed the title Flavien.darche/apisec testing headers feat(instrumentation/httptrace): collect security testing headers May 15, 2026
@e-n-0 e-n-0 changed the title feat(instrumentation/httptrace): collect security testing headers feat: collect security testing headers May 15, 2026
@e-n-0 e-n-0 changed the title feat: collect security testing headers feat(aap): collect security testing headers May 15, 2026
@e-n-0 e-n-0 added the appsec label May 15, 2026
@e-n-0 e-n-0 force-pushed the flavien.darche/apisec-testing-headers branch from ae9322c to 5556a88 on May 15, 2026 17:01
pr-commenter Bot commented May 15, 2026

Benchmarks

Benchmark execution time: 2026-05-20 12:55:29

Comparing candidate commit 7cdd215 in PR branch flavien.darche/apisec-testing-headers with baseline commit 080bac9 in branch main.

Found 0 performance improvements and 1 performance regressions! Performance is the same for 272 metrics, 2 unstable metrics, 1 flaky benchmarks without significant changes.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:BenchmarkHttpServeTrace

  • 🟥 execution_time [+324.713ns; +478.087ns] or [+2.252%; +3.315%]

Known flaky benchmarks

These benchmarks are marked as flaky and will not trigger a failure. Modify FLAKY_BENCHMARKS_REGEX to control which benchmarks are marked as flaky.

Known flaky benchmarks without significant changes:

  • scenario:BenchmarkOTLPTraceWriterFlush
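The significance rule the benchmark bot describes (a confidence interval over the relative difference of means, flagged only when the whole interval lies outside the impact threshold) applied to constructed samples shaped like the BenchmarkHttpServeTrace result above, as an added example in Go. This is not the benchmarking platform's code: the estimator (normal approximation with a caller-supplied z, unbiased sample variances) and the 1% threshold are assumptions, and the nanosecond samples are invented to reproduce a regression of roughly +2.8%.

```go
package main

import (
	"fmt"
	"math"
)

// Interval is a confidence interval over the relative difference of means,
// (mean(candidate) - mean(baseline)) / mean(baseline), as a fraction
// (0.02 means +2%).
type Interval struct{ Lower, Upper float64 }

// Constructed execution_time samples in nanoseconds: the candidate is about
// 400 ns slower than a ~14.4 µs baseline, similar in size to the regression
// reported for this PR.
var (
	baselineNs  = []float64{14400, 14380, 14420, 14410, 14390, 14400, 14395, 14405}
	candidateNs = []float64{14800, 14790, 14810, 14805, 14795, 14800, 14798, 14802}
)

// meanVar returns the sample mean and the unbiased sample variance.
func meanVar(xs []float64) (mean, variance float64) {
	n := float64(len(xs))
	for _, x := range xs {
		mean += x
	}
	mean /= n
	for _, x := range xs {
		d := x - mean
		variance += d * d
	}
	return mean, variance / (n - 1)
}

// RelativeDiffCI builds a two-sided interval for the relative difference of
// means using a normal approximation (z = 1.96 gives ~95%). The standard
// error of the difference of means is scaled by the baseline mean so the
// interval is in relative units. Assumes a non-zero baseline mean.
func RelativeDiffCI(baseline, candidate []float64, z float64) Interval {
	mb, vb := meanVar(baseline)
	mc, vc := meanVar(candidate)
	diff := (mc - mb) / mb
	se := math.Sqrt(vb/float64(len(baseline))+vc/float64(len(candidate))) / mb
	return Interval{Lower: diff - z*se, Upper: diff + z*se}
}

// Classify applies the rule from the bot comment: only an interval that is
// entirely outside ±threshold is significant. For a lower-is-better metric
// such as execution_time, an interval above the threshold is a regression.
func Classify(ci Interval, threshold float64) string {
	switch {
	case ci.Lower > threshold:
		return "significantly worse"
	case ci.Upper < -threshold:
		return "significantly better"
	default:
		return "no significant change"
	}
}

func main() {
	ci := RelativeDiffCI(baselineNs, candidateNs, 1.96)
	fmt.Printf("execution_time [%+.3f%%; %+.3f%%]: %s\n",
		ci.Lower*100, ci.Upper*100, Classify(ci, 0.01))
}
```

Interpreted this way, the +2.25% to +3.32% interval on BenchmarkHttpServeTrace sits wholly above any sub-2% threshold, which is why the bot marks the unconditional header lookup as a regression even though its absolute cost is a few hundred nanoseconds per request.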

@e-n-0 (Member, Author) commented May 15, 2026

@codex review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5556a8818c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread on instrumentation/httptrace/httptrace.go (outdated)
@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label May 18, 2026
@e-n-0 (Member, Author) commented May 19, 2026

@codex review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c758cbc3c9


Comment thread on contrib/valyala/fasthttp/fasthttp.go (outdated)
@e-n-0 (Member, Author) commented May 19, 2026

@codex review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 56ea950ad6


Comment thread on internal/appsec/listener/httpsec/request.go (outdated)
e-n-0 added 9 commits May 20, 2026 14:28
Define RFC-1105 header/tag mapping in internal AppSec so HTTP instrumentation can tag inbound security-testing requests without changing generic AppSec header collection.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Tag RFC-1105 inbound security-testing headers on HTTP service-entry spans and verify they are not propagated outbound.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Keep the security testing header constants and mapping with the existing request header declaration blocks for a smaller, clearer layout-only diff.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
@e-n-0 e-n-0 force-pushed the flavien.darche/apisec-testing-headers branch from 56ea950 to 7cdd215 on May 20, 2026 12:29
@e-n-0 (Member, Author) commented May 20, 2026

@codex review

chatgpt-codex-connector Bot commented May 20, 2026

Codex Review: Didn't find any major issues. Breezy!


@e-n-0 e-n-0 marked this pull request as ready for review May 20, 2026 14:33
@e-n-0 e-n-0 requested a review from a team as a code owner May 20, 2026 14:33
@e-n-0 e-n-0 requested review from a team as code owners May 20, 2026 14:33
@e-n-0 e-n-0 requested review from RomainMuller and rarguelloF and removed request for a team May 20, 2026 14:33
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 42975b4 into main May 21, 2026
187 of 188 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the flavien.darche/apisec-testing-headers branch May 21, 2026 13:43

Labels

apm:ecosystem contrib/* related feature requests or bugs appsec mergequeue-status: done


3 participants