feat(appsec): collect Datadog security-testing headers on entry spans by christophe-papazian · Pull Request #8463 · DataDog/dd-trace-js

christophe-papazian · 2026-05-13T15:18:13Z

APPSEC-63246

What does this PR do?

Tags two Datadog markers — x-datadog-endpoint-scan and x-datadog-security-test — on incoming HTTP server spans as http.request.headers.<name>. Collection is unconditional: independent of DD_TRACE_HEADER_TAGS and AppSec enablement.

Motivation

Lets the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory.

RFC: API Security Testing — Trace Attribution for Inventory Enrichment
Reference tracer (Python): feat(tracing): collect Datadog security-testing headers on entry spans dd-trace-py#18049
System tests: Add system-tests for API Security Testing - Headers collection RFC system-tests#6915

Additional Notes

Implemented in packages/dd-trace/src/plugins/util/web.js so it fires on every in-tree HTTP server entry path (http, http2, Azure Functions, Express, Fastify, Hapi, Koa, Next.js, …). Inferred proxy span is tagged too.
Headers are not propagated downstream: dd-trace-js only injects tracer headers into outgoing requests via tracer.inject(); nothing copies arbitrary incoming headers into outgoing ones.
Tag name is dd-style (http.request.headers.<name>), matching dd-trace-py. The OTel-style variant is handled by the reducer, not by tracers.

Test plan

Unit tests in packages/dd-trace/test/plugins/util/web.spec.js (6 new): collected when present, absent when missing, unconditional vs DD_TRACE_HEADER_TAGS, empty value still tagged, lowercase-normalization regression, inferred proxy span coverage.
System tests: Add system-tests for API Security Testing - Headers collection RFC system-tests#6915

🤖 Generated with Claude Code

codecov · 2026-05-13T15:19:19Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.68%. Comparing base (934f932) to head (e6c4720).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #8463   +/-   ##
=======================================
  Coverage   89.68%   89.68%           
=======================================
  Files         844      844           
  Lines       45403    45409    +6     
  Branches     8447     8449    +2     
=======================================
+ Hits        40718    40727    +9     
+ Misses       4685     4682    -3

Flag	Coverage Δ
aiguard-integration-active	`41.22% <66.66%> (?)`
aiguard-integration-latest	`41.17% <66.66%> (+<0.01%)`	⬆️
aiguard-integration-maintenance	`41.22% <66.66%> (+<0.01%)`	⬆️
aiguard-macos	`35.36% <0.00%> (-0.11%)`	⬇️
aiguard-ubuntu	`35.46% <0.00%> (-0.11%)`	⬇️
aiguard-windows	`35.27% <0.00%> (-0.11%)`	⬇️
apm-capabilities-tracing-macos	`49.03% <100.00%> (+0.03%)`	⬆️
apm-capabilities-tracing-ubuntu-active	`49.06% <100.00%> (+0.03%)`	⬆️
apm-capabilities-tracing-ubuntu-latest	`49.03% <100.00%> (+0.03%)`	⬆️
apm-capabilities-tracing-ubuntu-maintenance	`49.06% <100.00%> (+0.03%)`	⬆️
apm-capabilities-tracing-ubuntu-oldest	`49.23% <100.00%> (+0.21%)`	⬆️
apm-capabilities-tracing-windows	`48.99% <100.00%> (-0.03%)`	⬇️
apm-integrations-aerospike-18-gte.5.2.0	`34.40% <0.00%> (-0.11%)`	⬇️
apm-integrations-aerospike-20-gte.5.5.0	`34.42% <0.00%> (-0.11%)`	⬇️
apm-integrations-aerospike-22-gte.5.12.1	`34.42% <0.00%> (?)`
apm-integrations-aerospike-22-gte.6.0.0	`34.42% <0.00%> (-0.11%)`	⬇️
apm-integrations-aerospike-eol-	`34.32% <0.00%> (-0.11%)`	⬇️
apm-integrations-child-process	`35.40% <0.00%> (-0.11%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-18	`41.29% <0.00%> (-0.11%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-20	`41.30% <0.00%> (-0.11%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-22	`41.30% <0.00%> (-0.11%)`	⬇️
apm-integrations-confluentinc-kafka-javascript-24	`41.24% <0.00%> (-0.11%)`	⬇️
apm-integrations-couchbase-18	`34.44% <0.00%> (-0.32%)`	⬇️
apm-integrations-couchbase-eol	`34.60% <0.00%> (-0.19%)`	⬇️
apm-integrations-dns	`34.28% <0.00%> (-0.12%)`	⬇️
apm-integrations-elasticsearch	`35.04% <0.00%> (-0.10%)`	⬇️
apm-integrations-http-latest	`42.21% <66.66%> (-0.07%)`	⬇️
apm-integrations-http-maintenance	`42.27% <66.66%> (-0.07%)`	⬇️
apm-integrations-http-oldest	`42.28% <66.66%> (-0.07%)`	⬇️
apm-integrations-http2	`39.59% <66.66%> (-0.18%)`	⬇️
apm-integrations-kafkajs-latest	`41.13% <0.00%> (-0.12%)`	⬇️
apm-integrations-kafkajs-oldest	`41.18% <0.00%> (-0.12%)`	⬇️
apm-integrations-net	`34.98% <0.00%> (-0.11%)`	⬇️
apm-integrations-next-11.1.4	`29.08% <0.00%> (-0.09%)`	⬇️
apm-integrations-next-12.3.7	`30.77% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-13.0.0	`30.77% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-13.2.0	`30.76% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-13.5.11	`30.90% <0.00%> (-0.12%)`	⬇️
apm-integrations-next-14.0.0	`30.84% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-14.2.35	`30.84% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-14.2.6	`30.84% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-14.2.7	`30.84% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-15.0.0	`30.84% <0.00%> (-0.10%)`	⬇️
apm-integrations-next-15.4.0	`30.90% <0.00%> (-0.10%)`	⬇️
apm-integrations-oracledb	`34.68% <0.00%> (-0.10%)`	⬇️
apm-integrations-prisma-18-gte.6.16.0.and.lt.7.0.0	`36.67% <0.00%> (-0.10%)`	⬇️
apm-integrations-prisma-latest-all	`35.51% <0.00%> (-0.10%)`	⬇️
apm-integrations-restify	`36.48% <66.66%> (-0.14%)`	⬇️
apm-integrations-sharedb	`33.96% <0.00%> (-0.11%)`	⬇️
apm-integrations-tedious	`34.49% <0.00%> (-0.10%)`	⬇️
appsec-express	`51.96% <66.66%> (-0.06%)`	⬇️
appsec-fastify	`48.67% <66.66%> (-0.06%)`	⬇️
appsec-graphql	`48.90% <66.66%> (-0.06%)`	⬇️
appsec-integration-active	`36.79% <66.66%> (+<0.01%)`	⬆️
appsec-integration-latest	`36.77% <66.66%> (+<0.01%)`	⬆️
appsec-integration-maintenance	`36.79% <66.66%> (+<0.01%)`	⬆️
appsec-integration-oldest	`36.78% <66.66%> (+<0.01%)`	⬆️
appsec-kafka	`41.54% <0.00%> (-0.14%)`	⬇️
appsec-ldapjs	`40.75% <66.66%> (-0.06%)`	⬇️
appsec-lodash	`40.86% <66.66%> (-0.06%)`	⬇️
appsec-macos	`55.67% <66.66%> (-0.06%)`	⬇️
appsec-mongodb-core	`45.18% <66.66%> (-0.07%)`	⬇️
appsec-mongoose	`46.01% <66.66%> (-0.06%)`	⬇️
appsec-mysql	`48.06% <66.66%> (-0.06%)`	⬇️
appsec-next-latest-11.1.4	`29.21% <0.00%> (-0.09%)`	⬇️
appsec-next-latest-12.3.7	`30.90% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-13.0.0	`30.90% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-13.2.0	`30.92% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-13.5.11	`31.00% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-14.0.0	`30.94% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-14.2.35	`30.94% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-14.2.6	`30.94% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-14.2.7	`30.94% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-15.0.0	`30.94% <0.00%> (-0.10%)`	⬇️
appsec-next-latest-latest	`30.94% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-11.1.4	`29.22% <0.00%> (-0.08%)`	⬇️
appsec-next-oldest-12.3.7	`30.92% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-13.0.0	`30.92% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-13.2.0	`31.20% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-13.5.11	`31.29% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-14.0.0	`31.23% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-14.2.35	`31.23% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-14.2.6	`31.23% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-14.2.7	`31.23% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-15.0.0	`31.23% <0.00%> (-0.10%)`	⬇️
appsec-next-oldest-latest	`29.35% <0.00%> (-0.08%)`	⬇️
appsec-node-serialize	`40.08% <66.66%> (-0.06%)`	⬇️
appsec-passport	`43.78% <66.66%> (-0.07%)`	⬇️
appsec-postgres	`47.64% <66.66%> (-0.08%)`	⬇️
appsec-sourcing	`39.43% <66.66%> (-0.06%)`	⬇️
appsec-stripe	`41.70% <66.66%> (-0.07%)`	⬇️
appsec-template	`40.24% <66.66%> (-0.06%)`	⬇️
appsec-ubuntu	`55.75% <66.66%> (-0.06%)`	⬇️
appsec-windows	`55.61% <66.66%> (-0.07%)`	⬇️
debugger-ubuntu-active	`43.27% <66.66%> (-0.05%)`	⬇️
debugger-ubuntu-latest	`43.22% <66.66%> (+<0.01%)`	⬆️
debugger-ubuntu-maintenance	`43.28% <66.66%> (+<0.01%)`	⬆️
debugger-ubuntu-oldest	`43.72% <66.66%> (+<0.01%)`	⬆️
instrumentations-instrumentation-bluebird	`29.32% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-body-parser	`37.01% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-child_process	`34.89% <0.00%> (-0.11%)`	⬇️
instrumentations-instrumentation-cookie-parser	`31.14% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-express	`31.36% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-express-mongo-sanitize	`31.26% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-express-session	`36.71% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-fs	`29.01% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-generic-pool	`29.15% <ø> (ø)`
instrumentations-instrumentation-http	`36.34% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-knex	`29.29% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-light-my-request	`36.64% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-mongoose	`30.40% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-multer	`36.80% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-mysql2	`34.92% <0.00%> (-0.11%)`	⬇️
instrumentations-instrumentation-passport	`40.45% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-passport-http	`40.22% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-passport-local	`40.70% <66.66%> (-0.07%)`	⬇️
instrumentations-instrumentation-pg	`34.52% <0.00%> (-0.11%)`	⬇️
instrumentations-instrumentation-promise	`29.26% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-promise-js	`29.26% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-q	`29.29% <0.00%> (-0.10%)`	⬇️
instrumentations-instrumentation-url	`29.26% <0.00%> (-0.11%)`	⬇️
instrumentations-instrumentation-when	`29.28% <0.00%> (-0.10%)`	⬇️
instrumentations-integration-esbuild-0.16.12-active	`19.37% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-0.16.12-latest	`19.35% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-0.16.12-maintenance	`19.37% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-0.16.12-oldest	`19.36% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-latest-active	`19.37% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-latest-latest	`19.35% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-latest-maintenance	`19.37% <0.00%> (-0.01%)`	⬇️
instrumentations-integration-esbuild-latest-oldest	`19.36% <0.00%> (-0.01%)`	⬇️
llmobs-ai	`37.81% <0.00%> (-0.10%)`	⬇️
llmobs-anthropic	`37.86% <0.00%> (-0.10%)`	⬇️
llmobs-bedrock	`36.58% <0.00%> (-0.09%)`	⬇️
llmobs-google-genai	`36.88% <0.00%> (-0.10%)`	⬇️
llmobs-langchain	`38.16% <0.00%> (-0.09%)`	⬇️
llmobs-openai-latest	`40.55% <0.00%> (-0.10%)`	⬇️
llmobs-openai-oldest	`40.60% <0.00%> (-0.10%)`	⬇️
llmobs-sdk-active	`45.46% <0.00%> (-0.11%)`	⬇️
llmobs-sdk-latest	`45.40% <0.00%> (-0.11%)`	⬇️
llmobs-sdk-maintenance	`45.46% <0.00%> (-0.11%)`	⬇️
llmobs-sdk-oldest	`45.45% <0.00%> (-0.11%)`	⬇️
llmobs-vertex-ai	`37.03% <0.00%> (-0.10%)`	⬇️
openfeature-macos	`38.05% <66.66%> (+0.01%)`	⬆️
openfeature-ubuntu	`38.13% <66.66%> (+0.01%)`	⬆️
openfeature-unit-active	`48.86% <ø> (ø)`
openfeature-unit-latest	`48.70% <ø> (ø)`
openfeature-unit-maintenance	`48.86% <ø> (ø)`
openfeature-unit-oldest	`48.86% <ø> (ø)`
openfeature-windows	`37.93% <66.66%> (+0.01%)`	⬆️
platform-core	`36.49% <ø> (ø)`
platform-esbuild	`39.87% <ø> (ø)`
platform-instrumentations-misc	`30.87% <0.00%> (-0.02%)`	⬇️
platform-integration-active	`47.08% <66.66%> (+<0.01%)`	⬆️
platform-integration-latest	`47.04% <66.66%> (?)`
platform-integration-maintenance	`47.04% <66.66%> (-0.05%)`	⬇️
platform-integration-oldest	`47.25% <66.66%> (+<0.01%)`	⬆️
platform-shimmer	`41.68% <ø> (ø)`
platform-unit-guardrails	`35.56% <ø> (ø)`
platform-webpack	`20.50% <0.00%> (-0.01%)`	⬇️
plugins-azure-durable-functions	`36.88% <66.66%> (+0.01%)`	⬆️
plugins-azure-event-hubs	`34.88% <0.00%> (-0.02%)`	⬇️
plugins-azure-service-bus	`35.34% <0.00%> (-0.02%)`	⬇️
plugins-bullmq	`40.12% <0.00%> (-0.11%)`	⬇️
plugins-cassandra	`34.70% <0.00%> (-0.23%)`	⬇️
plugins-cookie	`28.72% <ø> (ø)`
plugins-cookie-parser	`28.53% <ø> (ø)`
plugins-crypto	`27.19% <ø> (ø)`
plugins-dd-trace-api	`34.80% <0.00%> (-0.11%)`	⬇️
plugins-express-mongo-sanitize	`28.64% <ø> (ø)`
plugins-express-session	`28.49% <ø> (ø)`
plugins-fastify	`38.77% <66.66%> (-0.07%)`	⬇️
plugins-fetch	`35.06% <0.00%> (-0.10%)`	⬇️
plugins-fs	`35.18% <0.00%> (-0.11%)`	⬇️
plugins-generic-pool	`27.69% <ø> (ø)`
plugins-google-cloud-pubsub	`42.46% <66.66%> (-0.05%)`	⬇️
plugins-grpc	`37.50% <0.00%> (-0.10%)`	⬇️
plugins-handlebars	`28.68% <ø> (ø)`
plugins-hapi	`36.68% <66.66%> (-0.07%)`	⬇️
plugins-hono	`36.96% <66.66%> (-0.07%)`	⬇️
plugins-ioredis	`35.27% <0.00%> (-0.11%)`	⬇️
plugins-knex	`28.29% <ø> (ø)`
plugins-langgraph	`34.52% <0.00%> (-0.10%)`	⬇️
plugins-ldapjs	`26.30% <ø> (ø)`
plugins-light-my-request	`28.09% <ø> (ø)`
plugins-limitd-client	`29.56% <0.00%> (-0.16%)`	⬇️
plugins-lodash	`27.78% <ø> (ø)`
plugins-mariadb	`36.12% <0.00%> (-0.11%)`	⬇️
plugins-memcached	`34.89% <0.00%> (-0.11%)`	⬇️
plugins-microgateway-core	`35.81% <66.66%> (-0.07%)`	⬇️
plugins-modelcontextprotocol-sdk	`33.81% <0.00%> (-0.11%)`	⬇️
plugins-moleculer	`37.58% <0.00%> (-0.10%)`	⬇️
plugins-mongodb	`36.10% <0.00%> (-0.24%)`	⬇️
plugins-mongodb-core	`35.83% <0.00%> (-0.11%)`	⬇️
plugins-mongoose	`35.59% <0.00%> (-0.10%)`	⬇️
plugins-multer	`28.49% <ø> (ø)`
plugins-mysql	`35.91% <0.00%> (-0.11%)`	⬇️
plugins-mysql2	`35.99% <0.00%> (-0.11%)`	⬇️
plugins-node-serialize	`28.76% <ø> (ø)`
plugins-opensearch	`34.58% <0.00%> (-0.10%)`	⬇️
plugins-passport-http	`28.51% <ø> (ø)`
plugins-pino	`31.26% <0.00%> (-0.11%)`	⬇️
plugins-postgres	`33.95% <0.00%> (-0.10%)`	⬇️
plugins-process	`27.19% <ø> (ø)`
plugins-pug	`28.72% <ø> (ø)`
plugins-redis	`35.32% <0.00%> (-0.05%)`	⬇️
plugins-router	`39.11% <66.66%> (-0.07%)`	⬇️
plugins-sequelize	`27.48% <ø> (ø)`
plugins-test-and-upstream-amqp10	`34.99% <0.00%> (-0.24%)`	⬇️
plugins-test-and-upstream-amqplib	`40.26% <0.00%> (-0.13%)`	⬇️
plugins-test-and-upstream-apollo	`36.06% <0.00%> (-0.09%)`	⬇️
plugins-test-and-upstream-avsc	`34.50% <0.00%> (-0.11%)`	⬇️
plugins-test-and-upstream-bunyan	`30.63% <0.00%> (-0.11%)`	⬇️
plugins-test-and-upstream-connect	`37.29% <66.66%> (-0.13%)`	⬇️
plugins-test-and-upstream-graphql	`37.07% <0.00%> (-0.13%)`	⬇️
plugins-test-and-upstream-koa	`36.94% <66.66%> (-0.07%)`	⬇️
plugins-test-and-upstream-protobufjs	`34.70% <0.00%> (-0.11%)`	⬇️
plugins-test-and-upstream-rhea	`40.30% <0.00%> (-0.11%)`	⬇️
plugins-undici	`35.79% <0.00%> (-0.10%)`	⬇️
plugins-url	`27.19% <ø> (?)`
plugins-valkey	`34.91% <0.00%> (-0.11%)`	⬇️
plugins-vm	`27.19% <ø> (ø)`
plugins-winston	`31.14% <0.00%> (-0.10%)`	⬇️
plugins-ws	`38.42% <0.00%> (-0.10%)`	⬇️
profiling-macos	`42.79% <66.66%> (-0.06%)`	⬇️
profiling-ubuntu	`43.15% <66.66%> (-0.06%)`	⬇️
profiling-windows	`40.06% <66.66%> (-0.06%)`	⬇️
serverless-aws-sdk-latest-aws-sdk	`34.66% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-bedrockruntime	`33.13% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-client	`24.35% <ø> (ø)`
serverless-aws-sdk-latest-dynamodb	`35.74% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-eventbridge	`28.73% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-kinesis	`38.62% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-lambda	`35.90% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-s3	`33.88% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-serverless-peer-service	`39.99% <0.00%> (-0.11%)`	⬇️
serverless-aws-sdk-latest-sns	`39.71% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-sqs	`38.99% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-stepfunctions	`34.50% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-latest-util	`48.37% <ø> (ø)`
serverless-aws-sdk-oldest-aws-sdk	`34.76% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-bedrockruntime	`33.40% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-client	`24.70% <ø> (ø)`
serverless-aws-sdk-oldest-dynamodb	`35.81% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-eventbridge	`28.77% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-kinesis	`38.75% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-lambda	`35.98% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-s3	`33.94% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-serverless-peer-service	`40.05% <0.00%> (-0.11%)`	⬇️
serverless-aws-sdk-oldest-sns	`39.91% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-sqs	`38.89% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-stepfunctions	`34.57% <0.00%> (-0.09%)`	⬇️
serverless-aws-sdk-oldest-util	`48.68% <ø> (ø)`
serverless-azure-functions-eventhubs	`38.52% <66.66%> (+0.01%)`	⬆️
serverless-azure-functions-servicebus	`38.58% <66.66%> (+0.01%)`	⬆️
serverless-lambda	`34.47% <0.00%> (-0.11%)`	⬇️
test-optimization-cucumber-latest-7.0.0	`50.26% <0.00%> (-0.01%)`	⬇️
test-optimization-cucumber-latest-latest	`52.97% <0.00%> (+0.10%)`	⬆️
test-optimization-cucumber-oldest-7.0.0	`50.30% <0.00%> (+0.10%)`	⬆️
test-optimization-cypress-latest-12.0.0-commonJS	`48.65% <0.00%> (+0.05%)`	⬆️
test-optimization-cypress-latest-12.0.0-esm	`48.68% <0.00%> (+0.18%)`	⬆️
test-optimization-cypress-latest-14.5.4-commonJS	`48.50% <0.00%> (+0.05%)`	⬆️
test-optimization-cypress-latest-14.5.4-esm	`48.53% <0.00%> (+0.05%)`	⬆️
test-optimization-cypress-latest-latest-commonJS	`48.99% <0.00%> (+0.05%)`	⬆️
test-optimization-cypress-latest-latest-esm	`49.02% <0.00%> (+0.05%)`	⬆️
test-optimization-cypress-oldest-12.0.0-commonJS	`48.69% <0.00%> (+0.66%)`	⬆️
test-optimization-cypress-oldest-12.0.0-esm	`48.72% <0.00%> (+0.60%)`	⬆️
test-optimization-cypress-oldest-14.5.4-commonJS	`48.53% <0.00%> (+0.05%)`	⬆️
test-optimization-cypress-oldest-14.5.4-esm	`48.57% <0.00%> (+0.66%)`	⬆️
test-optimization-jest-latest-latest	`54.73% <0.00%> (-0.04%)`	⬇️
test-optimization-jest-latest-oldest	`53.52% <0.00%> (+2.44%)`	⬆️
test-optimization-jest-oldest-latest	`54.74% <0.00%> (+0.06%)`	⬆️
test-optimization-jest-oldest-oldest	`53.49% <0.00%> (+2.30%)`	⬆️
test-optimization-mocha-latest-latest	`53.35% <0.00%> (+0.06%)`	⬆️
test-optimization-mocha-latest-oldest	`50.97% <0.00%> (+0.07%)`	⬆️
test-optimization-mocha-oldest-latest	`53.41% <0.00%> (+0.06%)`	⬆️
test-optimization-mocha-oldest-oldest	`50.91% <0.00%> (?)`
test-optimization-playwright-latest-latest-playwright-active-test-span	`44.21% <0.00%> (+0.26%)`	⬆️
test-optimization-playwright-latest-latest-playwright-atr	`42.98% <0.00%> (+0.09%)`	⬆️
test-optimization-playwright-latest-latest-playwright-efd	`43.40% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-latest-latest-playwright-final-status	`43.44% <0.00%> (+0.09%)`	⬆️
test-optimization-playwright-latest-latest-playwright-impacted-tests	`42.91% <0.00%> (-0.02%)`	⬇️
test-optimization-playwright-latest-latest-playwright-reporting	`42.85% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-latest-latest-playwright-test-management	`44.63% <0.00%> (+0.08%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-active-test-span	`44.27% <0.00%> (+0.26%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-atr	`43.21% <0.00%> (+0.11%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-efd	`43.45% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-final-status	`43.47% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-impacted-tests	`42.95% <0.00%> (-0.02%)`	⬇️
test-optimization-playwright-latest-oldest-playwright-reporting	`42.92% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-latest-oldest-playwright-test-management	`44.70% <0.00%> (+0.09%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-active-test-span	`44.22% <0.00%> (+0.24%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-atr	`43.01% <0.00%> (+0.09%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-efd	`43.41% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-final-status	`43.46% <0.00%> (+0.09%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-impacted-tests	`42.95% <0.00%> (-0.02%)`	⬇️
test-optimization-playwright-oldest-latest-playwright-reporting	`42.86% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-oldest-latest-playwright-test-management	`44.64% <0.00%> (+0.08%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-active-test-span	`44.31% <0.00%> (+0.26%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-atr	`43.23% <0.00%> (+0.09%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-efd	`43.47% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-final-status	`43.51% <0.00%> (?)`
test-optimization-playwright-oldest-oldest-playwright-impacted-tests	`42.99% <0.00%> (?)`
test-optimization-playwright-oldest-oldest-playwright-reporting	`42.93% <0.00%> (+0.07%)`	⬆️
test-optimization-playwright-oldest-oldest-playwright-test-management	`44.71% <0.00%> (+0.09%)`	⬆️
test-optimization-selenium-latest	`45.54% <0.00%> (+0.05%)`	⬆️
test-optimization-selenium-oldest	`45.03% <0.00%> (+0.06%)`	⬆️
test-optimization-testopt-active	`46.86% <0.00%> (+0.12%)`	⬆️
test-optimization-testopt-latest	`46.82% <0.00%> (+0.12%)`	⬆️
test-optimization-testopt-maintenance	`46.86% <0.00%> (+0.12%)`	⬆️
test-optimization-testopt-oldest	`47.71% <0.00%> (+0.13%)`	⬆️
test-optimization-vitest-latest	`50.94% <0.00%> (+1.19%)`	⬆️
test-optimization-vitest-oldest	`47.95% <0.00%> (+0.31%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

datadog-prod-us1-5 · 2026-05-13T15:22:49Z

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
• Patch Coverage: 100.00%
• Overall Coverage: 86.44% (+0.00%)

_{This comment will be updated automatically if new data arrives.

🔗 Commit SHA: e6c4720 | Docs | Datadog PR Page | Give us feedback!}

simon-id · 2026-05-13T15:55:03Z

    })
  })
+
+  describe('security testing headers', () => {


a bit too "unit-y" for my taste, it doesn't test a header is tagged (even with appsec disabled), it tests the function works when stubbed, but up to you/APM

Keeping the unit tests since you flagged this as optional. The four scenarios (collected / absent / unconditional vs headerTags / empty value) directly exercise the contract through web.finishAll, which is the same seam every plugin span uses. Happy to add an integration-style spec in a follow-up if APM wants stronger coverage.

Tag `x-datadog-endpoint-scan` and `x-datadog-security-test` request headers on service entry spans as `http.request.headers.<name>`, unconditionally — regardless of `DD_TRACE_HEADER_TAGS` or AppSec being enabled. These markers let the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory. Headers are not propagated downstream (dd-trace-js only injects tracer headers into outgoing requests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Inline the two header tag-sets directly into addRequestTags, drop the helper function and SECURITY_TESTING_HEADERS array (only two markers will ever exist). Remove inferred-proxy span tagging — RFC only mandates the service entry span. Drop the lowercase-normalization regression test and the inferred-proxy test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

dd-octo-sts · 2026-05-15T12:49:39Z

Overall package size

Self size: 5.85 MB
Deduped: 6.69 MB
No deduping: 6.69 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.0.1 | 82.56 kB | 817.39 kB | | dc-polyfill | 0.1.11 | 25.74 kB | 25.74 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

pr-commenter · 2026-05-15T13:04:18Z

Benchmarks

Benchmark execution time: 2026-05-15 13:04:14

Comparing candidate commit e6c4720 in PR branch christophe-papazian/aap-security-testing-headers with baseline commit 934f932 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 1483 metrics, 110 unstable metrics.

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e6c4720807

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

simon-id · 2026-05-18T10:11:34Z

LGTM but this is not our turf, deferring approval to the codeowners

…#8463) * feat(appsec): collect Datadog security-testing headers on entry spans Tag `x-datadog-endpoint-scan` and `x-datadog-security-test` request headers on service entry spans as `http.request.headers.<name>`, unconditionally — regardless of `DD_TRACE_HEADER_TAGS` or AppSec being enabled. These markers let the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory. Headers are not propagated downstream (dd-trace-js only injects tracer headers into outgoing requests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * refactor(appsec): address review feedback on security-testing headers Inline the two header tag-sets directly into addRequestTags, drop the helper function and SECURITY_TESTING_HEADERS array (only two markers will ever exist). Remove inferred-proxy span tagging — RFC only mandates the service entry span. Drop the lowercase-normalization regression test and the inferred-proxy test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…ry spans (#8682) ## Summary of changes Tag `x-datadog-endpoint-scan` and `x-datadog-security-test` HTTP request headers as `http.request.headers.<name>` on every HTTP server entry span (and the inferred-proxy span when one is created), unconditionally — independent of `DD_TRACE_HEADER_TAGS` and AppSec enablement. Markers are not propagated downstream. ## Reason for change APPSEC-65483 — RFC ["Security Testing: Trace Attribution for Inventory Enrichment and Pollution Prevention"](https://docs.google.com/document/d/1uR4QQvU8pItEV2zFqr3-L6jO2jxzmvLrFTX_yyvqIOA). These two markers let the API endpoint reducer distinguish Datadog scan/test traffic from real user traffic and keep it out of the API inventory. Sibling-tracer implementations already merged: [`dd-trace-py#18049`](DataDog/dd-trace-py#18049), [`dd-trace-js#8463`](DataDog/dd-trace-js#8463), [`dd-trace-java#11418`](DataDog/dd-trace-java#11418). ## Implementation details - New `SpanContextPropagator.AddSecurityTestingHeadersAsTags<THeaders>` reads both markers from any `IHeadersCollection` and tags them on the supplied span. Tag names are precomputed; `string[]` fast-path avoids enumerator allocation on the legacy `NameValueCollection` / `WebHeaderCollection` carriers; presence-based (empty values still tagged). - Wired into every HTTP server entry path: - `AspNetMvcIntegration` (System.Web MVC) — entry span + inferred-proxy span (proxy tagged at creation site) - `AspNetWebApi2Integration` (System.Web Web API 2) — entry span (no proxy support on this path) - `TracingHttpModule` (OWIN/IIS classic) — entry span + inferred-proxy span - `AspNetCoreHttpRequestHandler` (ASP.NET Core, including Azure Functions isolated worker HTTP-proxying mode) — entry span + inferred-proxy span - `WcfCommon` (WCF over HTTP) — entry span ## Test coverage - `SpanContextPropagatorTests_AddSecurityTestingHeadersAsTags` (new — 13 cases): both markers + unrelated header, absent headers, no `HeaderTags` config, only one marker present, empty-string value still tagged, case-insensitive lookup, ASP.NET Core `HeadersCollectionAdapter` with mixed-case lookup. - All existing `SpanContextPropagatorTests*` continue to pass. ## Other details  --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>