feat(appsec): enable api security for lambda

florentinl · florentinl · commit 2491b2dcdf25 · 2025-07-23T17:16:33.000+02:00
diff --git a/ddtrace/appsec/_handlers.py b/ddtrace/appsec/_handlers.py
@@ -4,13 +4,15 @@
 from typing import Any
 from typing import Dict
 from typing import Optional
+from typing import Union
 
 import xmltodict
 
 from ddtrace._trace.span import Span
 from ddtrace.appsec._asm_request_context import _call_waf
 from ddtrace.appsec._asm_request_context import _call_waf_first
 from ddtrace.appsec._asm_request_context import get_blocked
+from ddtrace.appsec._asm_request_context import set_body_response
 from ddtrace.appsec._constants import SPAN_DATA_NAMES
 from ddtrace.appsec._http_utils import extract_cookies_from_headers
 from ddtrace.appsec._http_utils import normalize_headers
@@ -131,6 +133,7 @@ def _on_lambda_start_response(
     span: Span,
     status_code: str,
     response_headers: Dict[str, str],
+    response_body: Optional[Union[str, Dict[str, Any]]],
 ):
     if not (asm_config._asm_enabled and span.span_type in asm_config._asm_http_span_types):
         return
@@ -156,6 +159,10 @@ def _on_lambda_start_response(
 
     _call_waf(("aws_lambda",))
 
+    if asm_config._api_security_feature_active:
+        if response_body:
+            set_body_response(response_body)
+
 
 # ASGI
 
diff --git a/ddtrace/appsec/_processor.py b/ddtrace/appsec/_processor.py
@@ -189,7 +189,7 @@ def on_span_start(self, span: Span) -> None:
             if skip_event:
                 core.discard_item("appsec_skip_next_lambda_event")
                 log.debug(
-                    "appsec: ignoring unsupported lamdba event",
+                    "appsec: ignoring unsupported lambda event",
                 )
                 span.set_metric(APPSEC.UNSUPPORTED_EVENT_TYPE, 1.0)
                 return
diff --git a/ddtrace/settings/asm.py b/ddtrace/settings/asm.py
@@ -246,9 +246,8 @@ def __init__(self):
             self._asm_processed_span_types.add(SpanTypes.SERVERLESS)
             self._asm_http_span_types.add(SpanTypes.SERVERLESS)
 
-            # As a first step, only Threat Management in monitoring mode should be enabled in AWS Lambda
+            # Disable all features that are not supported in Lambda
             tracer_config._remote_config_enabled = False
-            self._api_security_enabled = False
             self._ep_enabled = False
             self._iast_supported = False
 

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ def on_span_start(self, span: Span) -> None:`
`189`	`189`	`if skip_event:`
`190`	`190`	`core.discard_item("appsec_skip_next_lambda_event")`
`191`	`191`	`log.debug(`
`192`		`- "appsec: ignoring unsupported lamdba event",`
	`192`	`+ "appsec: ignoring unsupported lambda event",`
`193`	`193`	`)`
`194`	`194`	`span.set_metric(APPSEC.UNSUPPORTED_EVENT_TYPE, 1.0)`
`195`	`195`	`return`