Enable API Security by default and make it lazy loading #9009
@@ -258,8 +258,9 @@ class GatewayBridgeSpecification extends DDSpecification { | |||
ctx.data.rawURI = '/' | |||
ctx.data.peerAddress = '0.0.0.0' | |||
eventDispatcher.getDataSubscribers(_) >> nonEmptyDsInfo | |||
eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> | |||
{ bundle = it[2]; NoopFlow.INSTANCE } | |||
eventDispatcher.publishDataEvent(nonEmptyDsInfo, ctx.data, _ as DataBundle, _ as GatewayContext) >> { |
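Review bot: the `publishDataEvent` stub at the end of this hunk looks like a pure reflow (the hunk grows from 8 to 9 lines and the closure now opens on the same line as `>>`), which adds formatter noise to a change about API Security defaults. If spotless enforces it, keep it, but consider landing formatter-only rewrites in a separate commit so the functional changes to this spec stay easy to audit.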
From here onwards, this is just spotless being funny.
Let it have its fun then 😓
Benchmarks

Startup
Summary: Found 1 performance improvements and 0 performance regressions! Performance is the same for 40 metrics, 12 unstable metrics.
[Charts: startup time reports for insecure-bank and petclinic (global startup overhead and break down per module); candidate=1.50.0-SNAPSHOT~ba6bea4fa9, baseline=1.50.0-SNAPSHOT~f47ab3945d]

Load
Summary: Found 0 performance improvements and 4 performance regressions! Performance is the same for 8 metrics, 12 unstable metrics.
[Charts: request duration reports [CI 0.99] for petclinic and insecure-bank; candidate=1.50.0-SNAPSHOT~ba6bea4fa9, baseline=1.50.0-SNAPSHOT~f47ab3945d]

Dacapo
Summary: Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.
[Charts: execution time [CI 0.99] for tomcat and biojava; candidate=1.50.0-SNAPSHOT~ba6bea4fa9, baseline=1.50.0-SNAPSHOT~f47ab3945d]
// We initialize API Security the first time AppSec becomes active. | ||
// We never de-initialize it, as that could lead to a leak of open WAF contexts in-flight. | ||
if (API_SECURITY_INITIALIZED.compareAndSet(false, true)) { | ||
if (SpanPostProcessor.Holder.INSTANCE == SpanPostProcessor.Holder.NOOP) { |
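Review bot: `API_SECURITY_INITIALIZED.compareAndSet(false, true)` flips the flag before the guarded block has run, so if anything inside that block throws, the flag stays true and API Security is never initialized for the life of the process even though AppSec is active. Consider catching failures inside the block and either resetting the flag or logging that initialization was attempted and failed. It would also help to note in the comment which threads can reach this path: a caller that loses the CAS skips the block immediately and may still observe `SpanPostProcessor.Holder.INSTANCE` equal to `NOOP` while the winner is mid-initialization.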
Correct me if I'm wrong, but this should also have a positive effect on span processing overhead when appsec is disabled, right? (I'm asking because of the regressions in the high_load benchmarks, that might be spurious)
Yes, this should ensure that the post-processor is always no-op unless enabled.
What Does This Do
Bring back #8511
Original attempt was reverted because of a regression in startup time. This PR brings back the feature, but with lazy loading of the sampling, which removes the startup overhead when AppSec is not enabled.
Change DD_API_SECURITY_ENABLED=true by default. This should have impact only when AppSec is enabled. This feature is effectively enabled only if AppSec is also enabled.
Motivation
API Security is now core functionality to the App & API Protection (AppSec), so we want it to be available by default to all AppSec customers.
Additional Notes
Contributor Checklist
type: and (comp: or inst:) labels in addition to any useful labels
close, fix or any linking keywords when referencing an issue. Use solves instead, and assign the PR milestone to the issue
Jira ticket: APPSEC-57850