
Enabling App and API Protection

Prerequisite

Get started

  1. Install Orchestrion:

    $ go install github.com/DataDog/orchestrion@latest
    
  2. Register Orchestrion as a Go module in your project directory:

    $ orchestrion pin
    
  3. Datadog provides pluggable packages with native support for instrumenting a range of Go libraries and frameworks. These packages are listed in Compatibility Requirements. Import them into your application and follow the configuration instructions listed alongside each integration.

  4. Recompile your program with Orchestrion using the appsec build tag:

    $ orchestrion go build -tags=appsec my-program
    

    For more options on how to use Orchestrion, see Orchestrion usage.

Note: If you are building without CGO on Linux, see Building Go applications with CGO disabled.

  5. Redeploy your Go service and enable App and API Protection by setting the DD_APPSEC_ENABLED environment variable to true:

    $ env DD_APPSEC_ENABLED=true ./my-program

Add the following environment variable value to your Docker command line:

$ docker run -e DD_APPSEC_ENABLED=true [...]

For more information on how to create a fitting Docker image, see Creating a Dockerfile for App and API Protection for Go.

Add the following environment variable value to your application container’s Dockerfile:

ENV DD_APPSEC_ENABLED=true

For more information on how to create a fitting Docker image, see Creating a Dockerfile for App and API Protection for Go.

Update your application’s deployment configuration file for APM and add the following environment variable:

spec:
  template:
    spec:
      containers:
        - name: <CONTAINER_NAME>
          image: <CONTAINER_IMAGE>/<TAG>
          env:
            - name: DD_APPSEC_ENABLED
              value: "true"

For more information on how to create a fitting Docker image, see Creating a Dockerfile for App and API Protection for Go.

Update your application’s ECS task definition JSON file using this environment section:

"environment": [
  ...,
  {
    "name": "DD_APPSEC_ENABLED",
    "value": "true"
  }
]

For more information on how to create a fitting Docker image, see Creating a Dockerfile for App and API Protection for Go.

Verify your setup

To verify that App and API Protection is working correctly:

To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a file that contains the following curl script:

for ((i=1;i<=250;i++));
do
    # Target existing service’s routes
    curl https://your-application-url/existing-route -A Arachni/v1.0;
    # Target non existing service’s routes
    curl https://your-application-url/non-existing-route -A Arachni/v1.0;
done

A few minutes after you enable your application and exercise it, threat information appears in the Application Trace and Signals Explorer in Datadog.

Building without CGO

If you are building your Go application without CGO, you can still enable App and API Protection by following these steps:

  1. Add the appsec build tag when compiling your application:

    $ CGO_ENABLED=0 orchestrion go build -tags appsec my-program

    Using `CGO_ENABLED=0` usually guarantees a statically linked binary. This will not be the case here.

  2. Install libc.so.6, libpthread.so.0 and libdl.so.2 on your system, as these libraries are required by the Datadog WAF. You can do this by installing the glibc package with your package manager. See Creating a Dockerfile for App and API Protection for Go.

  3. Redeploy your Go service with the DD_APPSEC_ENABLED=true environment variable set, as described above.
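
A preflight check for the runtime image these steps describe, added here as an example and not taken from Datadog's documentation or code: it confirms that the three shared libraries listed above are present before the service starts. The function names, the WAF_LIB_DIRS variable, the --check argument and the default directory list are assumptions.

```shell
#!/bin/sh
# Added example (not Datadog code): preflight check for the shared libraries
# that a CGO_ENABLED=0 appsec build still needs at run time.

# Libraries the page lists as required by the Datadog WAF.
WAF_LIBS="libc.so.6 libpthread.so.0 libdl.so.2"

# Assumption: common glibc library directories; override with WAF_LIB_DIRS
# (colon-separated) to match your base image.
DEFAULT_LIB_DIRS="/lib:/lib64:/usr/lib:/usr/lib64:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/lib/aarch64-linux-gnu:/usr/lib/aarch64-linux-gnu"

# find_lib NAME DIRS: print the first path under DIRS that holds NAME.
find_lib() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -e "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# missing_waf_libs [DIRS]: print the libraries not found (empty if none)
# and return non-zero when at least one is missing.
missing_waf_libs() {
    dirs=${1:-${WAF_LIB_DIRS:-$DEFAULT_LIB_DIRS}}
    missing=""
    for lib in $WAF_LIBS; do
        find_lib "$lib" "$dirs" >/dev/null || missing="$missing $lib"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Run as `sh check-waf-libs.sh --check` from an entrypoint or image build step.
if [ "${1:-}" = "--check" ]; then
    absent=$(missing_waf_libs) || { echo "missing WAF libraries: $absent" >&2; exit 1; }
fi
```

Failing the image build or container start on a non-zero status surfaces a missing library before deployment.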

Building with Bazel

Orchestrion is not compatible with Bazel. If you use Bazel and rules_go to build your Go application, instrument your application manually with the Datadog Go Tracer library instead.

App and API Protection relies on purego to support its C++ bindings to Datadog’s WAF, which requires special attention inside the repositories.bzl generated by Gazelle. Under the go_repository rule for com_github_ebitengine_purego, you need to add the build_directives attribute with the gazelle:build_tags cgo directive. For example:

    go_repository(
        name = "com_github_ebitengine_purego",
        build_directives = [
            "gazelle:build_tags cgo",
        ],
        build_file_proto_mode = "disable",
        importpath = "github.com/ebitengine/purego",
        sum = "<your-checksum>",
        version = "v0.8.3",
    )

Using App and API Protection without APM tracing

If you want to use App and API Protection without APM tracing functionality, you can deploy with tracing disabled:

  1. Configure your tracing library with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable. This configuration reduces the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

For more details, see Standalone App and API Protection.
