API Security -Add support for trace tagging rules #6075
Conversation
… criteria for appsec
Overall package size

Self size: 9.64 MB

Dependency sizes

| name | version | self size | total size |
|------|---------|-----------|------------|
| @datadog/libdatadog | 0.7.0 | 35.02 MB | 35.02 MB |
| @datadog/native-appsec | 10.0.1 | 20.3 MB | 20.3 MB |
| @datadog/native-iast-taint-tracking | 4.0.0 | 11.72 MB | 11.73 MB |
| @datadog/pprof | 5.9.0 | 9.77 MB | 10.14 MB |
| @opentelemetry/core | 1.30.1 | 908.66 kB | 7.16 MB |
| protobufjs | 7.5.3 | 2.95 MB | 5.6 MB |
| @datadog/wasm-js-rewriter | 4.0.1 | 2.85 MB | 3.58 MB |
| @datadog/native-metrics | 3.1.1 | 1.02 MB | 1.43 MB |
| @opentelemetry/api | 1.8.0 | 1.21 MB | 1.21 MB |
| jsonpath-plus | 10.3.0 | 617.18 kB | 1.08 MB |
| import-in-the-middle | 1.14.2 | 122.36 kB | 850.93 kB |
| lru-cache | 10.4.3 | 804.3 kB | 804.3 kB |
| source-map | 0.7.4 | 226 kB | 226 kB |
| opentracing | 0.14.7 | 194.81 kB | 194.81 kB |
| limiter | 3.0.0 | 157.92 kB | 157.92 kB |
| pprof-format | 2.1.0 | 111.69 kB | 111.69 kB |
| @datadog/sketches-js | 2.1.1 | 109.9 kB | 109.9 kB |
| lodash.sortby | 4.7.0 | 75.76 kB | 75.76 kB |
| ignore | 7.0.5 | 63.38 kB | 63.38 kB |
| istanbul-lib-coverage | 3.2.2 | 34.37 kB | 34.37 kB |
| rfdc | 1.4.1 | 27.15 kB | 27.15 kB |
| @isaacs/ttlcache | 1.4.1 | 25.2 kB | 25.2 kB |
| dc-polyfill | 0.1.9 | 25.11 kB | 25.11 kB |
| tlhunter-sorted-set | 0.1.0 | 24.94 kB | 24.94 kB |
| shell-quote | 1.8.3 | 23.74 kB | 23.74 kB |
| retry | 0.13.1 | 18.85 kB | 18.85 kB |
| semifies | 1.0.0 | 15.84 kB | 15.84 kB |
| jest-docblock | 29.7.0 | 8.99 kB | 12.76 kB |
| crypto-randomuuid | 1.0.0 | 11.18 kB | 11.18 kB |
| ttl-set | 1.0.0 | 4.61 kB | 9.69 kB |
| mutexify | 1.4.0 | 5.71 kB | 8.74 kB |
| path-to-regexp | 0.1.12 | 6.6 kB | 6.6 kB |
| koalas | 1.0.2 | 6.47 kB | 6.47 kB |
| module-details-from-path | 1.0.4 | 3.96 kB | 3.96 kB |

This report was automatically generated by heaviest-objects-in-the-universe
Codecov Report

Attention: Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
## master #6075 +/- ##
=======================================
Coverage 81.85% 81.85%
=======================================
Files 473 472 -1
Lines 19446 19467 +21
=======================================
+ Hits 15917 15935 +18
- Misses 3529 3532 +3

View full report in Codecov by Sentry.
@@ -3,7 +3,6 @@ | |||
const dc = require('dc-polyfill') | |||
const zlib = require('zlib') | |||
|
|||
const Limiter = require('../rate_limiter') |
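Review bot: the header `@@ -3,7 +3,6 @@` records a one-line removal from this require block, but the `+`/`-` markers did not survive extraction, so a reader cannot see which of the four shown lines goes; given the comment below that the rate limiter moved to the WAF, it is presumably `const Limiter = require('../rate_limiter')`, in which case grep the reporter module for any remaining `Limiter` reference and move the reporter's rate-limit tests along with the limiter rather than deleting them.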
Sampling priority now relies on the `keep` field returned by the WAF and not on the presence of events. Due to this, the appsec rate limiter has been moved to the WAF.
@@ -444,7 +432,7 @@ function reportAttributes (attributes) { | |||
|
|||
const tags = {} | |||
for (let [tag, value] of Object.entries(attributes)) { | |||
if (!isFingerprintAttribute(tag)) { | |||
if (isSchemaAttribute(tag)) { |
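Review bot: flipping the condition to `isSchemaAttribute(tag)` sends every attribute that is neither a schema nor a fingerprint down the else branch, which under the old `!isFingerprintAttribute(tag)` test only ever received fingerprints; confirm that branch copes with non-string values (numbers, booleans, objects) that a trace-tagging rule may emit, since only schema values get serialized before being set as tags. Minor style point: `for (let [tag, value] of Object.entries(attributes))` never reassigns either binding, so `const` is the idiomatic choice here.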
Conditional has been flipped in order to only apply the special format (gzip + base64 encoding) to schema attributes (aka derivatives).
Benchmarks

Benchmark execution time: 2025-07-11 09:29:28. Comparing candidate commit 192de57 in PR branch. Found 0 performance improvements and 0 performance regressions! Performance is the same for 1271 metrics, 52 unstable metrics.
CI is failing due to a bug on
What does this PR do?
This PR adds support for trace-tagging rules, an extension of existing In-App WAF rules. These rules facilitate data collection by adding relevant attributes to the current trace.
Additionally, trace-tagging rules introduce the `keep` field, which can be used to indicate whether the current trace should be kept through a change in the sampling priority. Since priority sampling does not rely on event presence anymore, the appsec rate limiter has been moved from the `reporter` (where it was consulted every time an attack was reported) to the `waf`, to be consulted every time a WAF result comes with the `keep` field set to `true`.

Motivation
[RFC-1034] API Security: Trace-Tagging Rules
Plugin Checklist
Additional Notes
APPSEC-57440
System Tests