[CSPM] use text/template-less fork of opa

[paulcacheux]

What does this PR do?

This PR makes use of our fork of OPA to use a text/template version of the library. This will enable some desired binary size reduction, and also enable the work for dead code elimination enablement.

Diff:
open-policy-agent/opa@release-1.4...paulcacheux:opa:lightweight

Motivation

Describe how you validated your changes

Possible Drawbacks / Trade-offs

Additional Notes

[paulcacheux]

/ddci trigger

[dd-devflow]

View all feedbacks in Devflow UI.

2025-05-05 17:37:46 UTC ℹ️ Start processing command /ddci trigger
If you need support, contact us on Slack #devflow!

---

2025-05-05 17:38:47 UTC 🚨 Devflow

child workflow execution error (type: changeorchestrator.Changeorchestrator_GenerateDDCIRequestFromDevflow, workflowID: 703cd788-ca84-4bc9-99f0-a0c77f107613_32, runID: fcb2c0ed-1bd2-4b9e-a874-ccf600fe75fb, initiatedEventID: 32, startedEventID: 33): Child workflow timeout (type: StartToClose)

If you need support, contact us on Slack #devflow with those details!

[paulcacheux]

/ddci trigger

[dd-devflow]

View all feedbacks in Devflow UI.

2025-05-06 13:47:37 UTC ℹ️ Start processing command /ddci trigger
If you need support, contact us on Slack #devflow!

---

2025-05-06 13:48:37 UTC 🚨 Devflow

child workflow execution error (type: changeorchestrator.Changeorchestrator_GenerateDDCIRequestFromDevflow, workflowID: 19e3c0df-bb6f-463a-b961-7adcb2353cf2_32, runID: cccbacd2-f5cd-4ef5-96cd-987aff65fa30, initiatedEventID: 32, startedEventID: 33): Child workflow timeout (type: StartToClose)

If you need support, contact us on Slack #devflow with those details!

[BaptisteLalanne]

/ddci trigger

[dd-devflow]

View all feedbacks in Devflow UI.

2025-05-06 17:01:05 UTC ℹ️ Start processing command /ddci trigger

---

2025-05-06 17:01:32 UTC ℹ️ Devflow: /ddci trigger

✅ Tasks request sent successfully.
🔑 DDCI Request ID: 5651559841956091825
🔍 Debug this request with Datadog Traces

[cit-pr-commenter]

Go Package Import Differences

Baseline: 3f82913
Comparison: 5773847

binary	os	arch	change
cluster-agent	linux	amd64	+0, -1 -github.com/open-policy-agent/opa/v1/capabilities
cluster-agent	linux	arm64	+0, -1 -github.com/open-policy-agent/opa/v1/capabilities
security-agent	linux	amd64	+0, -1 -github.com/open-policy-agent/opa/v1/capabilities
security-agent	linux	arm64	+0, -1 -github.com/open-policy-agent/opa/v1/capabilities

[agent-platform-auto-pr]

Uncompressed package size comparison

Comparison with ancestor 3f8291331d818caaa5501bd8188813af8e9bbe70

Size reduction summary

package	diff	status	size	ancestor	threshold
datadog-agent-amd64-deb	-3.16MB	✅	764.11MB	767.27MB	0.50MB
datadog-agent-arm64-deb	-3.16MB	✅	754.54MB	757.70MB	0.50MB
datadog-agent-x86_64-rpm	-3.16MB	✅	773.05MB	776.22MB	0.50MB
datadog-agent-x86_64-suse	-3.16MB	✅	773.05MB	776.22MB	0.50MB
datadog-agent-aarch64-rpm	-3.16MB	✅	763.46MB	766.62MB	0.50MB

Diff per package

package	diff	status	size	ancestor	threshold
datadog-dogstatsd-amd64-deb	0.00MB	✅	31.20MB	31.20MB	0.50MB
datadog-dogstatsd-x86_64-rpm	0.00MB	✅	31.28MB	31.28MB	0.50MB
datadog-dogstatsd-x86_64-suse	0.00MB	✅	31.28MB	31.28MB	0.50MB
datadog-dogstatsd-arm64-deb	0.00MB	✅	30.03MB	30.03MB	0.50MB
datadog-heroku-agent-amd64-deb	0.00MB	✅	367.69MB	367.69MB	0.50MB
datadog-iot-agent-amd64-deb	0.00MB	✅	60.51MB	60.51MB	0.50MB
datadog-iot-agent-x86_64-rpm	0.00MB	✅	60.59MB	60.59MB	0.50MB
datadog-iot-agent-x86_64-suse	0.00MB	✅	60.59MB	60.59MB	0.50MB
datadog-iot-agent-arm64-deb	0.00MB	✅	57.80MB	57.80MB	0.50MB
datadog-iot-agent-aarch64-rpm	0.00MB	✅	57.88MB	57.88MB	0.50MB

Decision

✅ Passed

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: cff5090e-abaa-42d8-b685-2927cdb9ca3b

Baseline: 3f82913
Comparison: 5773847
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+4.14	[+0.26, +8.02]	1	Logs
➖	docker_containers_memory	memory utilization	+0.13	[+0.06, +0.20]	1	Logs
➖	quality_gate_idle	memory utilization	+0.13	[+0.06, +0.20]	1	Logs bounds checks dashboard
➖	file_to_blackhole_0ms_latency_http1	egress throughput	+0.07	[-0.57, +0.70]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.05	[-0.57, +0.67]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.01	[-0.26, +0.29]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	+0.01	[-0.61, +0.63]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	+0.01	[-0.61, +0.62]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.02, +0.02]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	-0.01	[-0.24, +0.22]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.02	[-0.68, +0.65]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.02	[-0.14, +0.10]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.08	[-0.71, +0.56]	1	Logs
➖	ddot_metrics	memory utilization	-0.09	[-0.21, +0.03]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.11	[-0.75, +0.53]	1	Logs
➖	ddot_logs	memory utilization	-0.22	[-0.35, -0.09]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.25	[-0.29, -0.20]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.28	[-0.43, -0.13]	1	Logs
➖	quality_gate_logs	% cpu utilization	-0.33	[-3.09, +2.42]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	-0.37	[-0.42, -0.32]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.50	[-1.37, +0.36]	1	Logs
➖	file_tree	memory utilization	-0.68	[-0.86, -0.51]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-1.13	[-1.24, -1.03]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	docker_containers_cpu	simple_check_run	10/10
✅	docker_containers_memory	memory_usage	10/10
✅	docker_containers_memory	simple_check_run	10/10
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_logs	lost_bytes	10/10	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates

Successful checks

Info

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
✅	static_quality_gate_agent_deb_amd64	738.94 MiB	778.06 MiB	182.12 MiB	191.06 MiB
✅	static_quality_gate_agent_deb_amd64_fips	736.78 MiB	776.09 MiB	181.6 MiB	190.72 MiB
✅	static_quality_gate_agent_heroku_amd64	358.21 MiB	434.99 MiB	95.41 MiB	114.34 MiB
✅	static_quality_gate_agent_msi	953.62 MiB	978.45 MiB	146.86 MiB	151.65 MiB
✅	static_quality_gate_agent_rpm_amd64	738.93 MiB	778.06 MiB	184.32 MiB	193.42 MiB
✅	static_quality_gate_agent_rpm_amd64_fips	736.77 MiB	776.06 MiB	183.77 MiB	192.61 MiB
✅	static_quality_gate_agent_rpm_arm64	729.78 MiB	768.33 MiB	166.98 MiB	174.71 MiB
✅	static_quality_gate_agent_rpm_arm64_fips	727.83 MiB	766.55 MiB	166.32 MiB	173.92 MiB
✅	static_quality_gate_agent_suse_amd64	738.93 MiB	778.08 MiB	184.32 MiB	193.42 MiB
✅	static_quality_gate_agent_suse_amd64_fips	736.77 MiB	776.11 MiB	183.77 MiB	192.78 MiB
✅	static_quality_gate_agent_suse_arm64	729.78 MiB	768.31 MiB	166.98 MiB	174.71 MiB
✅	static_quality_gate_agent_suse_arm64_fips	727.83 MiB	766.5 MiB	166.32 MiB	173.92 MiB
✅	static_quality_gate_docker_agent_amd64	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_arm64	847.62 MiB	876.0 MiB	268.82 MiB	278.3 MiB
✅	static_quality_gate_docker_agent_jmx_amd64	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_jmx_arm64	847.62 MiB	876.63 MiB	268.82 MiB	278.4 MiB
✅	static_quality_gate_docker_agent_windows1809	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows1809_core	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows1809_core_jmx	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows1809_jmx	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows2022	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows2022_core	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows2022_core_jmx	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_agent_windows2022_jmx	833.61 MiB	862.5 MiB	281.7 MiB	292.0 MiB
✅	static_quality_gate_docker_cluster_agent_amd64	256.63 MiB	263.4 MiB	101.82 MiB	104.07 MiB
✅	static_quality_gate_docker_cluster_agent_arm64	272.62 MiB	279.38 MiB	96.77 MiB	98.95 MiB
✅	static_quality_gate_docker_cws_instrumentation_amd64	6.66 MiB	7.12 MiB	2.82 MiB	3.29 MiB
✅	static_quality_gate_docker_cws_instrumentation_arm64	6.44 MiB	6.92 MiB	2.6 MiB	3.07 MiB
✅	static_quality_gate_docker_dogstatsd_amd64	37.97 MiB	46.39 MiB	14.64 MiB	17.78 MiB
✅	static_quality_gate_docker_dogstatsd_arm64	36.88 MiB	45.05 MiB	13.72 MiB	16.65 MiB
✅	static_quality_gate_dogstatsd_deb_amd64	29.83 MiB	38.4 MiB	7.89 MiB	10.26 MiB
✅	static_quality_gate_dogstatsd_deb_arm64	28.71 MiB	36.98 MiB	6.87 MiB	8.96 MiB
✅	static_quality_gate_dogstatsd_rpm_amd64	29.83 MiB	38.4 MiB	7.9 MiB	10.27 MiB
✅	static_quality_gate_dogstatsd_suse_amd64	29.83 MiB	38.4 MiB	7.9 MiB	10.27 MiB
✅	static_quality_gate_iot_agent_deb_amd64	57.79 MiB	58.51 MiB	14.54 MiB	15.02 MiB
✅	static_quality_gate_iot_agent_deb_arm64	55.21 MiB	55.94 MiB	12.57 MiB	13.05 MiB
✅	static_quality_gate_iot_agent_deb_armhf	53.97 MiB	54.32 MiB	12.58 MiB	13.05 MiB
✅	static_quality_gate_iot_agent_rpm_amd64	57.79 MiB	58.51 MiB	14.57 MiB	15.04 MiB
✅	static_quality_gate_iot_agent_rpm_arm64	55.21 MiB	55.94 MiB	12.59 MiB	13.07 MiB
✅	static_quality_gate_iot_agent_suse_amd64	57.79 MiB	58.51 MiB	14.57 MiB	15.04 MiB

[Copilot]

Pull Request Overview

This PR updates the dependency on OPA by switching to our lightweight fork aimed at reducing binary size and enabling dead code elimination.

• Replaces the upstream OPA dependency with a forked version in go.mod
• Removes an unused OPA licensing entry from LICENSE-3rdparty.csv

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
go.mod	Added a replacement directive for the forked OPA library with an explanatory comment.
LICENSE-3rdparty.csv	Removed an entry for OPA capabilities license to reflect the change in dependency usage.

Comments suppressed due to low confidence (1)

LICENSE-3rdparty.csv:1496

• Verify that removing the licensing notice for OPA capabilities is compliant with our licensing policies and that no required acknowledgements are missed in our documentation.

-core,github.com/open-policy-agent/opa/v1/capabilities,Apache-2.0,Copyright 2016 The OPA Authors.  All rights reserved.

[Copilot]

Consider expanding the comment to briefly explain the rationale for the fork and any implications for future updates or compatibility.

Suggested change

	// Fork to remove some text/template usage, https://github.com/paulcacheux/opa/tree/lightweight
	// Fork to remove some text/template usage due to performance and maintainability concerns.
	// This fork eliminates dependencies on text/template to simplify the codebase and improve runtime efficiency.
	// Note: This fork may diverge from the upstream repository, making it harder to integrate future updates.
	// Developers should evaluate whether upstream changes are critical before attempting to merge them.
	// See https://github.com/paulcacheux/opa/tree/lightweight for more details.

[paulcacheux]

/merge

[dd-devflow]

View all feedbacks in Devflow UI.

2025-05-12 11:33:53 UTC ℹ️ Start processing command /merge

---

2025-05-12 11:33:56 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 50m (p90).

---

2025-05-12 12:37:43 UTC ℹ️ MergeQueue: This merge request was merged