Skip to content

feat(appsec): add command injection (CMDi) RASP via os.StartProcess#4978

Open
eliottness wants to merge 1 commit into
mainfrom
eliottness/command-injection
Open

feat(appsec): add command injection (CMDi) RASP via os.StartProcess#4978
eliottness wants to merge 1 commit into
mainfrom
eliottness/command-injection

Conversation

@eliottness

Copy link
Copy Markdown
Contributor

What does this PR do?

Adds Command Injection (CMDi) RASP to the tracer, wired end-to-end at the single os.StartProcess choke point (which underlies every os/exec call) and active under Orchestrion. When the WAF detects a command-injection attempt (rule rasp-932-110, address server.sys.exec.cmd), os.StartProcess is blocked: it returns a BlockingSecurityEvent error and (nil, err) instead of launching the process. This mirrors the existing LFI feature.

  • emitter: RunCommandOperation/Args/Res in instrumentation/appsec/emitter/ossec (no os import; generic).
  • listener: NewExecSecFeature (activates on server.sys.exec.cmd), registered in internal/appsec/features.go. Forces argv[0] = name so the WAF evaluates the real executable per [RFC-0989] (defeats an argv[0]-spoofing bypass on raw os.StartProcess).
  • contrib/os: context-aware StartProcess wrapper (named returns, argv forwarded unchanged).
  • orchestrion: os.StartProcess aspect in contrib/os/orchestrion.yml.
  • remoteconfig: advertise ASM_RASP_CMDI capability under orchestrion.Enabled().
  • tests: contrib/os unit tests (mock wrapper + table-driven real-WAF cmdi_detector vectors mirroring libddwaf) + orchestrion integration test (real WAF, HTTP 403) + testdata rasp-932-110.
  • ci: run APPSEC_RASP, APPSEC_RASP_NON_BLOCKING, and REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD on net-http-orchestrion.
  • docs: appsec README + orchestrion.yml meta.

No spans, no shell variant, no go-libddwaf change.

Motivation

Exploit prevention for command injection ([RFC-0989]). The shipped WAF ruleset already contains the command-injection rule and the tracer already has the server.sys.exec.cmd address/metrics/rule-type plumbing, so this is a wiring-plus-tests change.

Companion system-tests PR (adds the /rasp/cmdi weblog endpoint and enables Test_Cmdi_* for net-http-orchestrion): DataDog/system-tests#7251. The CMDi net-http-orchestrion APPSEC_RASP run goes green once that endpoint/manifest is available; a manual cross-branch workflow_dispatch run validating both branches together will be linked below.

Reviewer's Checklist

  • Changed code has unit tests for its functionality at or near 100% coverage.
  • System-Tests covering this feature have been added and enabled with the va.b.c-dev version tag.
  • There is a benchmark for any new code, or changes to existing code.
  • If this interacts with the agent in a new way, a system test has been added.
  • New code is free of linting errors. You can check this by running make lint locally.
  • New code doesn't break existing tests. You can check this by running make test locally.
  • Add an appropriate team label so this PR gets put in the right place for the release notes.
  • All generated files are up to date. You can check this by running make generate locally.
  • Non-trivial go.mod changes reviewed by @DataDog/dd-trace-go-guild.

[RFC-0989]: internal exploit-prevention command-injection RFC

@github-actions github-actions Bot added the apm:ecosystem contrib/* related feature requests or bugs label Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Config Audit

PACKAGE: contrib/confluentinc/confluent-kafka-go/kafkatrace
  STATUS      CONFIG                            CALL_SITES
  UNMIGRATED  DD_TRACE_KAFKA_ANALYTICS_ENABLED  1

PACKAGE: ddtrace/opentelemetry/log
  STATUS      CONFIG                            CALL_SITES
  STILL_READ  DD_AGENT_HOST                     2
  STILL_READ  DD_ENV                            1
  STILL_READ  DD_SERVICE                        1
  STILL_READ  DD_TAGS                           1
  STILL_READ  DD_TRACE_AGENT_URL                2
  STILL_READ  DD_TRACE_REPORT_HOSTNAME          1
  STILL_READ  DD_VERSION                        1
  UNMIGRATED  DD_HOSTNAME                       1
  UNMIGRATED  OTEL_BLRP_EXPORT_TIMEOUT          1
  UNMIGRATED  OTEL_BLRP_MAX_EXPORT_BATCH_SIZE   1
  UNMIGRATED  OTEL_BLRP_MAX_QUEUE_SIZE          1
  UNMIGRATED  OTEL_BLRP_SCHEDULE_DELAY          1
  UNMIGRATED  OTEL_EXPORTER_OTLP_ENDPOINT       4
  UNMIGRATED  OTEL_EXPORTER_OTLP_HEADERS        2
  UNMIGRATED  OTEL_EXPORTER_OTLP_LOGS_ENDPOINT  4
  UNMIGRATED  OTEL_EXPORTER_OTLP_LOGS_HEADERS   2
  UNMIGRATED  OTEL_EXPORTER_OTLP_LOGS_PROTOCOL  2
  UNMIGRATED  OTEL_EXPORTER_OTLP_LOGS_TIMEOUT   1
  UNMIGRATED  OTEL_EXPORTER_OTLP_PROTOCOL       2
  UNMIGRATED  OTEL_EXPORTER_OTLP_TIMEOUT        1
  UNMIGRATED  OTEL_RESOURCE_ATTRIBUTES          1

PACKAGE: ddtrace/opentelemetry/metric
  STATUS      CONFIG                                             CALL_SITES
  STILL_READ  DD_AGENT_HOST                                      2
  STILL_READ  DD_ENV                                             1
  STILL_READ  DD_METRICS_OTEL_ENABLED                            1
  STILL_READ  DD_SERVICE                                         1
  STILL_READ  DD_TAGS                                            1
  STILL_READ  DD_TRACE_AGENT_URL                                 2
  STILL_READ  DD_TRACE_REPORT_HOSTNAME                           1
  STILL_READ  DD_VERSION                                         1
  STILL_READ  OTEL_METRICS_EXPORTER                              1
  UNMIGRATED  DD_HOSTNAME                                        1
  UNMIGRATED  OTEL_EXPORTER_OTLP_ENDPOINT                        2
  UNMIGRATED  OTEL_EXPORTER_OTLP_HEADERS                         1
  UNMIGRATED  OTEL_EXPORTER_OTLP_METRICS_ENDPOINT                2
  UNMIGRATED  OTEL_EXPORTER_OTLP_METRICS_HEADERS                 1
  UNMIGRATED  OTEL_EXPORTER_OTLP_METRICS_PROTOCOL                2
  UNMIGRATED  OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE  1
  UNMIGRATED  OTEL_EXPORTER_OTLP_PROTOCOL                        2
  UNMIGRATED  OTEL_EXPORTER_OTLP_TIMEOUT                         1
  UNMIGRATED  OTEL_RESOURCE_ATTRIBUTES                           1
  UNMIGRATED  OTEL_SERVICE_NAME                                  1

PACKAGE: ddtrace/tracer
  STATUS      CONFIG                                     CALL_SITES
  STILL_READ  DD_API_KEY                                 1
  UNMIGRATED  DD_APM_TRACING_ENABLED                     1
  UNMIGRATED  DD_APP_KEY                                 1
  UNMIGRATED  DD_CIVISIBILITY_AGENTLESS_URL              1
  UNMIGRATED  DD_EXPERIMENTAL_FLAGGING_PROVIDER_ENABLED  1
  UNMIGRATED  DD_LLMOBS_AGENTLESS_ENABLED                1
  UNMIGRATED  DD_LLMOBS_ENABLED                          1
  UNMIGRATED  DD_LLMOBS_ML_APP                           1
  UNMIGRATED  DD_LLMOBS_PROJECT_NAME                     1
  UNMIGRATED  DD_SITE                                    2
  UNMIGRATED  DD_TRACER_EXPERIMENTAL_SPAN_POOL_ENABLED   1
  UNMIGRATED  DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED   1
  UNMIGRATED  DD_TRACE_DEBUG_SEELOG_WORKAROUND           1
  UNMIGRATED  DD_TRACE_PROPAGATION_BEHAVIOR_EXTRACT      1
  UNMIGRATED  DD_TRACE_PROPAGATION_EXTRACT_FIRST         1
  UNMIGRATED  DD_TRACE_PROPAGATION_STYLE_EXTRACT         1
  UNMIGRATED  DD_TRACE_PROPAGATION_STYLE_INJECT          1
  UNMIGRATED  OTEL_TRACES_SAMPLER_ARG                    1

PACKAGE: instrumentation
  STATUS      CONFIG                                       CALL_SITES
  STILL_READ  DD_DATA_STREAMS_ENABLED                      1
  UNMIGRATED  DD_API_SECURITY_ENDPOINT_COLLECTION_ENABLED  1

PACKAGE: instrumentation/graphql
  STATUS      CONFIG                             CALL_SITES
  UNMIGRATED  DD_TRACE_GRAPHQL_ERROR_EXTENSIONS  1

PACKAGE: instrumentation/httptrace
  STATUS      CONFIG                                                 CALL_SITES
  UNMIGRATED  DD_TRACE_BAGGAGE_TAG_KEYS                              1
  UNMIGRATED  DD_TRACE_CLIENT_IP_ENABLED                             1
  UNMIGRATED  DD_TRACE_HTTP_SERVER_ERROR_STATUSES                    1
  UNMIGRATED  DD_TRACE_HTTP_URL_QUERY_STRING_ALLOWLIST               1
  UNMIGRATED  DD_TRACE_HTTP_URL_QUERY_STRING_ALLOWLIST_CLIENT        1
  UNMIGRATED  DD_TRACE_HTTP_URL_QUERY_STRING_ALLOWLIST_SERVER        1
  UNMIGRATED  DD_TRACE_HTTP_URL_QUERY_STRING_DISABLED                1
  UNMIGRATED  DD_TRACE_INFERRED_PROXY_SERVICES_ENABLED               1
  UNMIGRATED  DD_TRACE_OBFUSCATION_QUERY_STRING_REGEXP               2
  UNMIGRATED  DD_TRACE_RESOURCE_RENAMING_ALWAYS_SIMPLIFIED_ENDPOINT  1
  UNMIGRATED  DD_TRACE_RESOURCE_RENAMING_ENABLED                     1

PACKAGE: instrumentation/internal/namingschema
  STATUS      CONFIG                                             CALL_SITES
  STILL_READ  DD_SERVICE                                         1
  STILL_READ  DD_TRACE_SPAN_ATTRIBUTE_SCHEMA                     1
  UNMIGRATED  DD_TRACE_REMOVE_INTEGRATION_SERVICE_NAMES_ENABLED  1

PACKAGE: internal
  STATUS      CONFIG                         CALL_SITES
  STILL_READ  DD_AGENT_HOST                  1
  STILL_READ  DD_TAGS                        1
  STILL_READ  DD_TRACE_AGENT_PORT            1
  STILL_READ  DD_TRACE_AGENT_URL             1
  UNMIGRATED  DD_EXTERNAL_ENV                1
  UNMIGRATED  DD_GIT_COMMIT_SHA              1
  UNMIGRATED  DD_GIT_REPOSITORY_URL          1
  UNMIGRATED  DD_TRACE_GIT_METADATA_ENABLED  1

PACKAGE: internal/appsec
  STATUS      CONFIG           CALL_SITES
  UNMIGRATED  DD_APPSEC_RULES  1

PACKAGE: internal/appsec/config
  STATUS      CONFIG                                                CALL_SITES
  UNMIGRATED  DD_API_SECURITY_DOWNSTREAM_BODY_ANALYSIS_SAMPLE_RATE  1
  UNMIGRATED  DD_API_SECURITY_ENABLED                               1
  UNMIGRATED  DD_API_SECURITY_MAX_DOWNSTREAM_REQUEST_BODY_ANALYSIS  1
  UNMIGRATED  DD_API_SECURITY_PROXY_SAMPLE_RATE                     1
  UNMIGRATED  DD_API_SECURITY_REQUEST_SAMPLE_RATE                   1
  UNMIGRATED  DD_API_SECURITY_SAMPLE_DELAY                          1
  UNMIGRATED  DD_APM_TRACING_ENABLED                                1
  UNMIGRATED  DD_APPSEC_ENABLED                                     1
  UNMIGRATED  DD_APPSEC_RASP_ENABLED                                1
  UNMIGRATED  DD_APPSEC_RULES                                       1
  UNMIGRATED  DD_APPSEC_SCA_ENABLED                                 1
  UNMIGRATED  DD_APPSEC_TRACE_RATE_LIMIT                            1
  UNMIGRATED  DD_APPSEC_WAF_TIMEOUT                                 1

PACKAGE: internal/appsec/listener/httpsec
  STATUS      CONFIG                     CALL_SITES
  UNMIGRATED  DD_TRACE_CLIENT_IP_HEADER  1

PACKAGE: internal/bazel
  STATUS      CONFIG                                  CALL_SITES
  UNMIGRATED  DD_TEST_OPTIMIZATION_MANIFEST_FILE      1
  UNMIGRATED  DD_TEST_OPTIMIZATION_PAYLOADS_IN_FILES  1

PACKAGE: internal/civisibility/envconfig
  STATUS      CONFIG                   CALL_SITES
  STILL_READ  DD_CIVISIBILITY_ENABLED  1

PACKAGE: internal/civisibility/integrations
  STATUS      CONFIG                                               CALL_SITES
  STILL_READ  DD_SERVICE                                           1
  STILL_READ  DD_TRACE_DEBUG                                       1
  UNMIGRATED  DD_CIVISIBILITY_CODE_COVERAGE_REPORT_UPLOAD_ENABLED  1
  UNMIGRATED  DD_CIVISIBILITY_FLAKY_RETRY_COUNT                    1
  UNMIGRATED  DD_CIVISIBILITY_FLAKY_RETRY_ENABLED                  1
  UNMIGRATED  DD_CIVISIBILITY_GIT_UPLOAD_ENABLED                   1
  UNMIGRATED  DD_CIVISIBILITY_IMPACTED_TESTS_DETECTION_ENABLED     1
  UNMIGRATED  DD_CIVISIBILITY_SUBTEST_FEATURES_ENABLED             1
  UNMIGRATED  DD_CIVISIBILITY_TOTAL_FLAKY_RETRY_COUNT              1
  UNMIGRATED  DD_TEST_MANAGEMENT_ATTEMPT_TO_FIX_RETRIES            1
  UNMIGRATED  DD_TEST_MANAGEMENT_ENABLED                           1

PACKAGE: internal/civisibility/integrations/gotesting
  STATUS      CONFIG                                                           CALL_SITES
  UNMIGRATED  DD_CIVISIBILITY_INTERNAL_PARALLEL_EARLY_FLAKE_DETECTION_ENABLED  1
  UNMIGRATED  DD_TEST_MANAGEMENT_ENABLED                                       1

PACKAGE: internal/civisibility/integrations/logs
  STATUS      CONFIG                        CALL_SITES
  UNMIGRATED  DD_CIVISIBILITY_LOGS_ENABLED  1

PACKAGE: internal/civisibility/utils
  STATUS      CONFIG                              CALL_SITES
  STILL_READ  DD_SERVICE                          1
  UNMIGRATED  DD_ACTION_EXECUTION_ID              1
  UNMIGRATED  DD_PIPELINE_EXECUTION_ID            1
  UNMIGRATED  DD_TEST_OPTIMIZATION_ENV_DATA_FILE  1
  UNMIGRATED  DD_TEST_SESSION_NAME                1

PACKAGE: internal/civisibility/utils/net
  STATUS      CONFIG                             CALL_SITES
  STILL_READ  DD_API_KEY                         1
  STILL_READ  DD_CIVISIBILITY_AGENTLESS_ENABLED  1
  STILL_READ  DD_ENV                             1
  STILL_READ  DD_SERVICE                         1
  STILL_READ  DD_TAGS                            1
  STILL_READ  DD_VERSION                         1
  UNMIGRATED  DD_CIVISIBILITY_AGENTLESS_URL      1
  UNMIGRATED  DD_SITE                            1

PACKAGE: internal/civisibility/utils/telemetry
  STATUS      CONFIG                                         CALL_SITES
  UNMIGRATED  DD_CIVISIBILITY_AUTO_INSTRUMENTATION_PROVIDER  1

PACKAGE: internal/globalconfig
  STATUS      CONFIG                           CALL_SITES
  UNMIGRATED  DD_INSTRUMENTATION_INSTALL_ID    1
  UNMIGRATED  DD_INSTRUMENTATION_INSTALL_TIME  1
  UNMIGRATED  DD_INSTRUMENTATION_INSTALL_TYPE  1

PACKAGE: internal/hostname
  STATUS      CONFIG       CALL_SITES
  UNMIGRATED  DD_HOSTNAME  1

PACKAGE: internal/namingschema
  STATUS      CONFIG                                             CALL_SITES
  STILL_READ  DD_SERVICE                                         1
  STILL_READ  DD_TRACE_SPAN_ATTRIBUTE_SCHEMA                     1
  UNMIGRATED  DD_TRACE_REMOVE_INTEGRATION_SERVICE_NAMES_ENABLED  1

PACKAGE: internal/processtags
  STATUS      CONFIG                                          CALL_SITES
  UNMIGRATED  DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED  1

PACKAGE: internal/remoteconfig
  STATUS      CONFIG                                  CALL_SITES
  STILL_READ  DD_ENV                                  1
  UNMIGRATED  DD_RC_TUF_ROOT                          1
  UNMIGRATED  DD_REMOTE_CONFIGURATION_ENABLED         1
  UNMIGRATED  DD_REMOTE_CONFIG_POLL_INTERVAL_SECONDS  1

PACKAGE: internal/stacktrace
  STATUS      CONFIG                           CALL_SITES
  UNMIGRATED  DD_APPSEC_MAX_STACK_TRACE_DEPTH  1
  UNMIGRATED  DD_APPSEC_STACK_TRACE_ENABLED    1

PACKAGE: internal/telemetry
  STATUS      CONFIG                                             CALL_SITES
  STILL_READ  DD_API_KEY                                         1
  UNMIGRATED  DD_API_SECURITY_ENDPOINT_COLLECTION_MESSAGE_LIMIT  1
  UNMIGRATED  DD_INSTRUMENTATION_TELEMETRY_ENABLED               1
  UNMIGRATED  DD_SITE                                            1
  UNMIGRATED  DD_TELEMETRY_DEBUG                                 1
  UNMIGRATED  DD_TELEMETRY_DEPENDENCY_COLLECTION_ENABLED         1
  UNMIGRATED  DD_TELEMETRY_EXTENDED_HEARTBEAT_INTERVAL           1
  UNMIGRATED  DD_TELEMETRY_HEARTBEAT_INTERVAL                    1
  UNMIGRATED  DD_TELEMETRY_LOG_COLLECTION_ENABLED                1
  UNMIGRATED  DD_TELEMETRY_METRICS_ENABLED                       1

PACKAGE: openfeature
  STATUS      CONFIG                                                     CALL_SITES
  STILL_READ  DD_ENV                                                     2
  STILL_READ  DD_SERVICE                                                 2
  STILL_READ  DD_VERSION                                                 2
  UNMIGRATED  DD_EXPERIMENTAL_FLAGGING_PROVIDER_ENABLED                  1
  UNMIGRATED  DD_EXPERIMENTAL_FLAGGING_PROVIDER_SPAN_ENRICHMENT_ENABLED  1
  UNMIGRATED  DD_FLAGGING_EVALUATION_COUNTS_ENABLED                      1

PACKAGE: profiler
  STATUS      CONFIG                                    CALL_SITES
  STILL_READ  DD_API_KEY                                1
  STILL_READ  DD_ENV                                    1
  STILL_READ  DD_SERVICE                                1
  STILL_READ  DD_TAGS                                   1
  STILL_READ  DD_TRACE_STARTUP_LOGS                     1
  STILL_READ  DD_VERSION                                1
  UNMIGRATED  DD_PROFILING_AGENTLESS                    1
  UNMIGRATED  DD_PROFILING_DEBUG_COMPRESSION_SETTINGS   1
  UNMIGRATED  DD_PROFILING_DELTA                        1
  UNMIGRATED  DD_PROFILING_ENABLED                      3
  UNMIGRATED  DD_PROFILING_ENDPOINT_COUNT_ENABLED       1
  UNMIGRATED  DD_PROFILING_EXECUTION_TRACE_ENABLED      1
  UNMIGRATED  DD_PROFILING_EXECUTION_TRACE_LIMIT_BYTES  1
  UNMIGRATED  DD_PROFILING_EXECUTION_TRACE_PERIOD       1
  UNMIGRATED  DD_PROFILING_FLUSH_ON_EXIT                1
  UNMIGRATED  DD_PROFILING_OUTPUT_DIR                   1
  UNMIGRATED  DD_PROFILING_UPLOAD_TIMEOUT               1
  UNMIGRATED  DD_PROFILING_URL                          1
  UNMIGRATED  DD_SITE                                   1

@datadog-prod-us1-4

datadog-prod-us1-4 Bot commented Jul 2, 2026

Copy link
Copy Markdown

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 51.06%
Overall Coverage: 62.90% (+11.66%)

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: c2bd250 | Docs | Datadog PR Page | Give us feedback!

Wire command-injection RASP end-to-end at the os.StartProcess choke point,
mirroring the existing LFI feature. Under Orchestrion, a command-injection
attempt detected by the WAF (rule rasp-932-110, address server.sys.exec.cmd)
is blocked: os.StartProcess returns a BlockingSecurityEvent error and (nil, err).

- emitter: RunCommandOperation/Args/Res in instrumentation/appsec/emitter/ossec
- listener: NewExecSecFeature (activates on server.sys.exec.cmd), registered in features.go;
  forces argv[0]=name so the WAF evaluates the real executable (RFC-0989)
- contrib/os: context-aware StartProcess wrapper (named returns, argv unchanged)
- orchestrion: os.StartProcess aspect
- remoteconfig: advertise ASM_RASP_CMDI capability under orchestrion.Enabled()
- tests: contrib/os unit tests (incl. real-WAF cmdi_detector vectors) + orchestrion
  integration test (real WAF, HTTP 403) + testdata rasp-932-110
- ci: run APPSEC_RASP / APPSEC_RASP_NON_BLOCKING / REMOTE_CONFIG_MOCKED_BACKEND_ASM_DD
  on net-http-orchestrion
- docs: appsec README + orchestrion.yml meta

No spans, no shell variant, no go-libddwaf change.
@eliottness eliottness force-pushed the eliottness/command-injection branch from 391217f to c2bd250 Compare July 2, 2026 16:01
@pr-commenter

pr-commenter Bot commented Jul 2, 2026

Copy link
Copy Markdown

Benchmarks

Benchmark execution time: 2026-07-02 16:31:46

Comparing candidate commit c2bd250 in PR branch eliottness/command-injection with baseline commit 12105c7 in branch main.

Found 2 performance improvements and 0 performance regressions! Performance is the same for 322 metrics, 2 unstable metrics, 1 flaky benchmarks without significant changes.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

scenario:BenchmarkPayloadVersions/simple_1000spans/v0.4

  • 🟩 execution_time [-17.544µs; -13.403µs] or [-6.561%; -5.012%]

scenario:BenchmarkPayloadVersions/simple_100spans/v0.4

  • 🟩 execution_time [-1.430µs; -1.214µs] or [-5.054%; -4.293%]

Known flaky benchmarks

These benchmarks are marked as flaky and will not trigger a failure. Modify FLAKY_BENCHMARKS_REGEX to control which benchmarks are marked as flaky.

Known flaky benchmarks without significant changes:

  • scenario:BenchmarkOTLPTraceWriterFlush

@eliottness

Copy link
Copy Markdown
Contributor Author

Cross-branch validation (dd-trace-go eliottness/command-injection + system-tests eliottness/cmdi-rasp): https://github.com/DataDog/dd-trace-go/actions/runs/28603975175

@eliottness eliottness marked this pull request as ready for review July 2, 2026 17:13
@eliottness eliottness requested review from a team as code owners July 2, 2026 17:13
@eliottness eliottness requested review from rarguelloF and removed request for a team July 2, 2026 17:13

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c2bd25085e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread contrib/os/os.go
@eliottness

Copy link
Copy Markdown
Contributor Author

/merge

@gh-worker-devflow-routing-ef8351

gh-worker-devflow-routing-ef8351 Bot commented Jul 3, 2026

Copy link
Copy Markdown

View all feedbacks in Devflow UI.

2026-07-03 08:42:37 UTC ℹ️ Start processing command /merge
Use /merge -c to cancel this operation!


2026-07-03 08:42:48 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

Use /merge -c to cancel this operation!


⏳ Processing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

apm:ecosystem contrib/* related feature requests or bugs mergequeue-status: waiting

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants