--- title: Enabling App and API Protection for Google Cloud Run functions in Go description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Setup App and API Protection on Google Cloud Run functions > Enabling App and API Protection for Google Cloud Run functions in Go --- # Enabling App and API Protection for Google Cloud Run functions in Go {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} {% alert level="info" %} AAP support for Google Cloud Run is in Preview. {% /alert %} ## How it works{% #how-it-works %} The `serverless-init` application wraps your process and executes it as a subprocess. It starts a DogStatsD listener for metrics and a Trace Agent listener for traces. It collects logs by wrapping the stdout/stderr streams of your application. After bootstrapping, `serverless-init` then launches your command as a subprocess. To get full instrumentation, ensure you are calling `datadog-init` as the first command that runs inside your Docker container. You can do this by setting it as the entrypoint, or by setting it as the first argument in CMD. ## Compatibility{% #compatibility %} {% alert level="info" %} Google Cloud Run support for App and API Protection serverless is in Preview. {% /alert %} **Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows](https://docs.datadoghq.com/actions/workflows/) to block IPs in your [WAF](https://docs.datadoghq.com/security/application_security/waf-integration/). ## Get started{% #get-started %} [Manually install](https://docs.datadoghq.com/tracing/trace_collection/dd_libraries/go) the Go tracer before you deploy your application. Compile your go binary with the "appsec" tag enabled (`go build --tags "appsec" ...`). Add the following instructions and arguments to your Dockerfile: ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ENTRYPOINT ["/app/datadog-init"] ENV DD_SERVICE=datadog-demo-run-go ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ``` ### Explanation{% #explanation %} 1. Copy the Datadog `serverless-init` into your Docker image. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ``` 1. Change the entrypoint to wrap your application in the Datadog `serverless-init` process. **Note**: If you already have an entrypoint defined inside your Dockerfile, see the alternative configuration. ```dockerfile ENTRYPOINT ["/app/datadog-init"] ``` 1. (Optional) Add Datadog tags. ```dockerfile ENV DD_SERVICE=datadog-demo-run-go ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ``` 1. Execute your binary application wrapped in the entrypoint. Adapt this line to your needs. ```dockerfile CMD ["/path/to/your-go-binary"] ``` ### Alternative configuration{% #alt-go %} If you already have an entrypoint defined inside your Dockerfile, you can instead modify the CMD argument. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ENV DD_SERVICE=datadog-demo-run-go ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 CMD ["/app/datadog-init", "/path/to/your-go-binary"] ``` If you require your entrypoint to be instrumented as well, you can swap your entrypoint and CMD arguments instead. For more information, see How `serverless-init` works. ```dockerfile COPY --from=datadog/serverless-init:1 /datadog-init /app/datadog-init ENV DD_SERVICE=datadog-demo-run-go ENV DD_ENV=datadog-demo ENV DD_VERSION=1 ENV DD_APPSEC_ENABLED=1 ENTRYPOINT ["/app/datadog-init"] CMD ["your_entrypoint.sh", "/path/to/your-go-binary"] ``` As long as your command to run is passed as an argument to `datadog-init`, you will receive full instrumentation. ## Further reading{% #further-reading %} - [How App and API Protection Works](https://docs.datadoghq.com/security/application_security/how-it-works/) - [OOTB App and API Protection Rules](https://docs.datadoghq.com/security/default_rules/?category=cat-application-security) - [Troubleshooting App and API Protection](https://docs.datadoghq.com/security/application_security/troubleshooting) - [App and API Protection](https://docs.datadoghq.com/security/application_security/threats/) - [Datadog Security extends compliance and threat protection capabilities for Google Cloud](https://www.datadoghq.com/blog/datadog-security-google-cloud/)