datadog 2.3.0 → 2.5.0

data/lib/datadog/appsec/component.rb

@@ -10,10 +10,11 @@ module Datadog
     # Core-pluggable component for AppSec
     class Component
       class << self
-        def build_appsec_component(settings)
-          return unless settings.respond_to?(:appsec) && settings.appsec.enabled
+        def build_appsec_component(settings, telemetry:)
+          return if !settings.respond_to?(:appsec) || !settings.appsec.enabled
+          return if incompatible_ffi_version?
 
-          processor = create_processor(settings)
+          processor = create_processor(settings, telemetry)
 
           # We want to always instrument user events when AppSec is enabled.
           # There could be cases in which users use the DD_APPSEC_ENABLED Env variable to
@@ -28,8 +29,27 @@ module Datadog
 
         private
 
-        def create_processor(settings)
-          rules = AppSec::Processor::RuleLoader.load_rules(ruleset: settings.appsec.ruleset)
+        def incompatible_ffi_version?
+          ffi_version = Gem.loaded_specs['ffi'] && Gem.loaded_specs['ffi'].version
+          return true unless ffi_version
+
+          return false unless Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('3.3') &&
+            ffi_version < Gem::Version.new('1.16.0')
+
+          Datadog.logger.warn(
+            'AppSec is not supported in Ruby versions above 3.3.0 when using `ffi` versions older than 1.16.0, ' \
+            'and will be forcibly disabled due to a memory leak in `ffi`. ' \
+            'Please upgrade your `ffi` version to 1.16.0 or higher.'
+          )
+
+          true
+        end
+
+        def create_processor(settings, telemetry)
+          rules = AppSec::Processor::RuleLoader.load_rules(
+            telemetry: telemetry,
+            ruleset: settings.appsec.ruleset
+          )
           return nil unless rules
 
           actions = rules['actions']
@@ -47,9 +67,10 @@ module Datadog
             rules: [rules],
             data: data,
             exclusions: exclusions,
+            telemetry: telemetry
           )
 
-          processor = Processor.new(ruleset: ruleset)
+          processor = Processor.new(ruleset: ruleset, telemetry: telemetry)
           return nil unless processor.ready?
 
           processor
@@ -63,11 +84,11 @@ module Datadog
         @mutex = Mutex.new
       end
 
-      def reconfigure(ruleset:, actions:)
+      def reconfigure(ruleset:, actions:, telemetry:)
         @mutex.synchronize do
           AppSec::Processor::Actions.merge(actions)
 
-          new = Processor.new(ruleset: ruleset)
+          new = Processor.new(ruleset: ruleset, telemetry: telemetry)
 
           if new && new.ready?
             old = @processor

data/lib/datadog/appsec/configuration/settings.rb

@@ -9,8 +9,8 @@ module Datadog
       # Settings
       module Settings
         # rubocop:disable Layout/LineLength
-        DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?)key)|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization'
-        DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
+        DEFAULT_OBFUSCATOR_KEY_REGEX = '(?i)pass|pw(?:or)?d|secret|(?:api|private|public|access)[_-]?key|token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)|bearer|authorization|jsessionid|phpsessid|asp\.net[_-]sessionid|sid|jwt'
+        DEFAULT_OBFUSCATOR_VALUE_REGEX = '(?i)(?:p(?:ass)?w(?:or)?d|pass(?:[_-]?phrase)?|secret(?:[_-]?key)?|(?:(?:api|private|public|access)[_-]?)key(?:[_-]?id)?|(?:(?:auth|access|id|refresh)[_-]?)?token|consumer[_-]?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?|jsessionid|phpsessid|asp\.net(?:[_-]|-)sessionid|sid|jwt)(?:\s*=[^;]|"\s*:\s*"[^"]+")|bearer\s+[a-z0-9\._\-]+|token:[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\w=-]+\.ey[I-L][\w=-]+(?:\.[\w.+\/=-]+)?|[\-]{5}BEGIN[a-z\s]+PRIVATE\sKEY[\-]{5}[^\-]+[\-]{5}END[a-z\s]+PRIVATE\sKEY|ssh-rsa\s*[a-z0-9\/\.+]{100,}'
         # rubocop:enable Layout/LineLength
         APPSEC_VALID_TRACK_USER_EVENTS_MODE = [
           'safe',
@@ -197,6 +197,14 @@ module Datadog
                 o.type :bool, nilable: true
                 o.env 'DD_APPSEC_SCA_ENABLED'
               end
+
+              settings :standalone do
+                option :enabled do |o|
+                  o.type :bool
+                  o.env 'DD_EXPERIMENTAL_APPSEC_STANDALONE_ENABLED'
+                  o.default false
+                end
+              end
             end
           end
         end

data/lib/datadog/appsec/contrib/devise/patcher/authenticatable_patch.rb

@@ -15,6 +15,7 @@ module Datadog
             def validate(resource, &block)
               result = super
               return result unless AppSec.enabled?
+              return result if @_datadog_skip_track_login_event
 
               track_user_events_configuration = Datadog.configuration.appsec.track_user_events
 

data/lib/datadog/appsec/contrib/devise/patcher/rememberable_patch.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Contrib
+      module Devise
+        module Patcher
+          # To avoid tracking new sessions that are created by
+          # Rememberable strategy as Login Success events.
+          module RememberablePatch
+            def validate(*args)
+              @_datadog_skip_track_login_event = true
+
+              super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/contrib/devise/patcher.rb

@@ -2,6 +2,7 @@
 
 require_relative '../patcher'
 require_relative 'patcher/authenticatable_patch'
+require_relative 'patcher/rememberable_patch'
 require_relative 'patcher/registration_controller_patch'
 
 module Datadog
@@ -23,16 +24,25 @@ module Datadog
           end
 
           def patch
-            patch_authenticable_strategy
+            patch_authenticatable_strategy
+            patch_rememberable_strategy
             patch_registration_controller
 
             Patcher.instance_variable_set(:@patched, true)
           end
 
-          def patch_authenticable_strategy
+          def patch_authenticatable_strategy
             ::Devise::Strategies::Authenticatable.prepend(AuthenticatablePatch)
           end
 
+          def patch_rememberable_strategy
+            return unless ::Devise::STRATEGIES.include?(:rememberable)
+
+            # Rememberable strategy is required in autoloaded Rememberable model
+            ::Devise::Models::Rememberable # rubocop:disable Lint/Void
+            ::Devise::Strategies::Rememberable.prepend(RememberablePatch)
+          end
+
           def patch_registration_controller
             ::ActiveSupport.on_load(:after_initialize) do
               ::Devise::RegistrationsController.prepend(RegistrationControllerPatch)

data/lib/datadog/appsec/contrib/graphql/appsec_trace.rb

@@ -28,20 +28,6 @@ module Datadog
 
             multiplex_return
           end
-
-          private
-
-          def active_trace
-            return unless defined?(Datadog::Tracing)
-
-            Datadog::Tracing.active_trace
-          end
-
-          def active_span
-            return unless defined?(Datadog::Tracing)
-
-            Datadog::Tracing.active_span
-          end
         end
       end
     end

data/lib/datadog/appsec/contrib/graphql/gateway/multiplex.rb

@@ -19,7 +19,7 @@ module Datadog
             end
 
             def arguments
-              @arguments ||= create_arguments_hash
+              @arguments ||= build_arguments_hash
             end
 
             def queries
@@ -28,41 +28,77 @@ module Datadog
 
             private
 
-            def create_arguments_hash
-              args = {}
-              @multiplex.queries.each_with_index do |query, index|
-                resolver_args = {}
-                resolver_dirs = {}
-                selections = (query.selected_operation.selections.dup if query.selected_operation) || []
-                # Iterative tree traversal
-                while selections.any?
-                  selection = selections.shift
-                  set_hash_with_variables(resolver_args, selection.arguments, query.provided_variables)
-                  selection.directives.each do |dir|
-                    resolver_dirs[dir.name] ||= {}
-                    set_hash_with_variables(resolver_dirs[dir.name], dir.arguments, query.provided_variables)
-                  end
-                  selections.concat(selection.selections)
+            # This method builds an array of argument hashes for each field with arguments in the query.
+            #
+            # For example, given the following query:
+            # query ($postSlug: ID = "my-first-post", $withComments: Boolean!) {
+            #   firstPost: post(slug: $postSlug) {
+            #     title
+            #     comments @include(if: $withComments) {
+            #       author { name }
+            #       content
+            #     }
+            #   }
+            # }
+            #
+            # The result would be:
+            # {"post"=>[{"slug"=>"my-first-post"}], "comments"=>[{"include"=>{"if"=>true}}]}
+            #
+            # Note that the `comments` "include" directive is included in the arguments list
+            def build_arguments_hash
+              queries.each_with_object({}) do |query, args_hash|
+                next unless query.selected_operation
+
+                arguments_from_selections(query.selected_operation.selections, query.variables, args_hash)
+              end
+            end
+
+            def arguments_from_selections(selections, query_variables, args_hash)
+              selections.each do |selection|
+                # rubocop:disable Style/ClassEqualityComparison
+                next unless selection.class.name == Integration::AST_NODE_CLASS_NAMES[:field]
+                # rubocop:enable Style/ClassEqualityComparison
+
+                selection_name = selection.alias || selection.name
+
+                if !selection.arguments.empty? || !selection.directives.empty?
+                  args_hash[selection_name] ||= []
+                  args_hash[selection_name] <<
+                    arguments_hash(selection.arguments, query_variables).merge!(
+                      arguments_from_directives(selection.directives, query_variables)
+                    )
                 end
-                next if resolver_args.empty? && resolver_dirs.empty?
 
-                args_resolver = (args[query.operation_name || "query#{index + 1}"] ||= [])
-                # We don't want to add empty hashes so we check again if the arguments and directives are empty
-                args_resolver << resolver_args unless resolver_args.empty?
-                args_resolver << resolver_dirs unless resolver_dirs.empty?
+                arguments_from_selections(selection.selections, query_variables, args_hash)
+              end
+            end
+
+            def arguments_from_directives(directives, query_variables)
+              directives.each_with_object({}) do |directive, args_hash|
+                # rubocop:disable Style/ClassEqualityComparison
+                next unless directive.class.name == Integration::AST_NODE_CLASS_NAMES[:directive]
+                # rubocop:enable Style/ClassEqualityComparison
+
+                args_hash[directive.name] = arguments_hash(directive.arguments, query_variables)
+              end
+            end
+
+            def arguments_hash(arguments, query_variables)
+              arguments.each_with_object({}) do |argument, args_hash|
+                args_hash[argument.name] = argument_value(argument, query_variables)
               end
-              args
             end
 
-            # Set the resolver hash (resolver_args and resolver_dirs) with the arguments and provided variables
-            def set_hash_with_variables(resolver_hash, arguments, provided_variables)
-              arguments.each do |arg|
-                resolver_hash[arg.name] =
-                  if arg.value.is_a?(::GraphQL::Language::Nodes::VariableIdentifier)
-                    provided_variables[arg.value.name]
-                  else
-                    arg.value
-                  end
+            def argument_value(argument, query_variables)
+              case argument.value.class.name
+              when Integration::AST_NODE_CLASS_NAMES[:variable_identifier]
+                # we need to pass query.variables here instead of query.provided_variables,
+                # since #provided_variables don't know anything about variable default value
+                query_variables[argument.value.name]
+              when Integration::AST_NODE_CLASS_NAMES[:input_object]
+                arguments_hash(argument.value.arguments, query_variables)
+              else
+                argument.value
               end
             end
           end

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb

@@ -24,27 +24,26 @@ module Datadog
                 gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
                   block = false
                   event = nil
+
                   scope = AppSec::Scope.active_scope
 
-                  AppSec::Reactive::Operation.new('graphql.multiplex') do |op|
-                    GraphQL::Reactive::Multiplex.subscribe(op, scope.processor_context) do |result|
-                      event = {
-                        waf_result: result,
-                        trace: scope.trace,
-                        span: scope.service_entry_span,
-                        multiplex: gateway_multiplex,
-                        actions: result.actions
-                      }
+                  if scope
+                    AppSec::Reactive::Operation.new('graphql.multiplex') do |op|
+                      GraphQL::Reactive::Multiplex.subscribe(op, scope.processor_context) do |result|
+                        event = {
+                          waf_result: result,
+                          trace: scope.trace,
+                          span: scope.service_entry_span,
+                          multiplex: gateway_multiplex,
+                          actions: result.actions
+                        }
 
-                      if scope.service_entry_span
-                        scope.service_entry_span.set_tag('appsec.blocked', 'true') if result.actions.include?('block')
-                        scope.service_entry_span.set_tag('appsec.event', 'true')
+                        Datadog::AppSec::Event.tag_and_keep!(scope, result)
+                        scope.processor_context.events << event
                       end
 
-                      scope.processor_context.events << event
+                      block = GraphQL::Reactive::Multiplex.publish(op, gateway_multiplex)
                     end
-
-                    block = GraphQL::Reactive::Multiplex.publish(op, gateway_multiplex)
                   end
 
                   next [nil, [[:block, event]]] if block

data/lib/datadog/appsec/contrib/graphql/integration.rb

@@ -13,6 +13,13 @@ module Datadog
 
           MINIMUM_VERSION = Gem::Version.new('2.0.19')
 
+          AST_NODE_CLASS_NAMES = {
+            field: 'GraphQL::Language::Nodes::Field',
+            directive: 'GraphQL::Language::Nodes::Directive',
+            variable_identifier: 'GraphQL::Language::Nodes::VariableIdentifier',
+            input_object: 'GraphQL::Language::Nodes::InputObject',
+          }.freeze
+
           register_as :graphql, auto_patch: false
 
           def self.version
@@ -24,13 +31,19 @@ module Datadog
           end
 
           def self.compatible?
-            super && version >= MINIMUM_VERSION
+            super && version >= MINIMUM_VERSION && ast_node_classes_defined?
           end
 
           def self.auto_instrument?
             true
           end
 
+          def self.ast_node_classes_defined?
+            AST_NODE_CLASS_NAMES.all? do |_, class_name|
+              Object.const_defined?(class_name)
+            end
+          end
+
           def patcher
             Patcher
           end

data/lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb

@@ -25,30 +25,17 @@ module Datadog
                 Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
                 arguments = values[0]
 
-                waf_args = {
+                persistent_data = {
                   'graphql.server.all_resolvers' => arguments
                 }
 
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
-                result = waf_context.run(waf_args, waf_timeout)
-
-                Datadog.logger.debug { "WAF TIMEOUT: #{result.inspect}" } if result.timeout
-
-                case result.status
-                when :match
-                  Datadog.logger.debug { "WAF: #{result.inspect}" }
-
-                  yield result
-                  throw(:block, true) unless result.actions.empty?
-                when :ok
-                  Datadog.logger.debug { "WAF OK: #{result.inspect}" }
-                when :invalid_call
-                  Datadog.logger.debug { "WAF CALL ERROR: #{result.inspect}" }
-                when :invalid_rule, :invalid_flow, :no_rule
-                  Datadog.logger.debug { "WAF RULE ERROR: #{result.inspect}" }
-                else
-                  Datadog.logger.debug { "WAF UNKNOWN: #{result.status.inspect} #{result.inspect}" }
-                end
+                result = waf_context.run(persistent_data, {}, waf_timeout)
+
+                next if result.status != :match
+
+                yield result
+                throw(:block, true) unless result.actions.empty?
               end
             end
           end

data/lib/datadog/appsec/contrib/rack/gateway/request.rb

@@ -45,14 +45,11 @@ module Datadog
               end
 
               result['content-type'] = request.content_type if request.content_type
-              result['content-length'] = request.content_length if request.content_length
+              # Since Rack 3.1, content-length is nil if the body is empty, but we still want to send it to the WAF.
+              result['content-length'] = request.content_length || '0'
               result
             end
 
-            def body
-              request.body.read.tap { request.body.rewind }
-            end
-
             def url
               request.url
             end

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb

@@ -41,11 +41,9 @@ module Datadog
                           actions: result.actions
                         }
 
-                        if scope.service_entry_span
-                          scope.service_entry_span.set_tag('appsec.blocked', 'true') if result.actions.include?('block')
-                          scope.service_entry_span.set_tag('appsec.event', 'true')
-                        end
-
+                        # We want to keep the trace in case of security event
+                        scope.trace.keep! if scope.trace
+                        Datadog::AppSec::Event.tag_and_keep!(scope, result)
                         scope.processor_context.events << event
                       end
                     end
@@ -85,11 +83,9 @@ module Datadog
                           actions: result.actions
                         }
 
-                        if scope.service_entry_span
-                          scope.service_entry_span.set_tag('appsec.blocked', 'true') if result.actions.include?('block')
-                          scope.service_entry_span.set_tag('appsec.event', 'true')
-                        end
-
+                        # We want to keep the trace in case of security event
+                        scope.trace.keep! if scope.trace
+                        Datadog::AppSec::Event.tag_and_keep!(scope, result)
                         scope.processor_context.events << event
                       end
                     end
@@ -129,11 +125,9 @@ module Datadog
                           actions: result.actions
                         }
 
-                        if scope.service_entry_span
-                          scope.service_entry_span.set_tag('appsec.blocked', 'true') if result.actions.include?('block')
-                          scope.service_entry_span.set_tag('appsec.event', 'true')
-                        end
-
+                        # We want to keep the trace in case of security event
+                        scope.trace.keep! if scope.trace
+                        Datadog::AppSec::Event.tag_and_keep!(scope, result)
                         scope.processor_context.events << event
                       end
                     end

data/lib/datadog/appsec/contrib/rack/reactive/request.rb

@@ -33,6 +33,7 @@ module Datadog
             def self.subscribe(op, waf_context)
               op.subscribe(*ADDRESSES) do |*values|
                 Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
+
                 headers = values[0]
                 headers_no_cookies = headers.dup.tap { |h| h.delete('cookie') }
                 uri_raw = values[1]
@@ -41,7 +42,7 @@ module Datadog
                 client_ip = values[4]
                 request_method = values[5]
 
-                waf_args = {
+                persistent_data = {
                   'server.request.cookies' => cookies,
                   'server.request.query' => query,
                   'server.request.uri.raw' => uri_raw,
@@ -52,25 +53,12 @@ module Datadog
                 }
 
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
-                result = waf_context.run(waf_args, waf_timeout)
-
-                Datadog.logger.debug { "WAF TIMEOUT: #{result.inspect}" } if result.timeout
+                result = waf_context.run(persistent_data, {}, waf_timeout)
 
-                case result.status
-                when :match
-                  Datadog.logger.debug { "WAF: #{result.inspect}" }
+                next if result.status != :match
 
-                  yield result
-                  throw(:block, true) unless result.actions.empty?
-                when :ok
-                  Datadog.logger.debug { "WAF OK: #{result.inspect}" }
-                when :invalid_call
-                  Datadog.logger.debug { "WAF CALL ERROR: #{result.inspect}" }
-                when :invalid_rule, :invalid_flow, :no_rule
-                  Datadog.logger.debug { "WAF RULE ERROR: #{result.inspect}" }
-                else
-                  Datadog.logger.debug { "WAF UNKNOWN: #{result.status.inspect} #{result.inspect}" }
-                end
+                yield result
+                throw(:block, true) unless result.actions.empty?
               end
             end
           end

data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb

@@ -26,30 +26,17 @@ module Datadog
                 Datadog.logger.debug { "reacted to #{ADDRESSES.inspect}: #{values.inspect}" }
                 body = values[0]
 
-                waf_args = {
+                persistent_data = {
                   'server.request.body' => body,
                 }
 
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
-                result = waf_context.run(waf_args, waf_timeout)
-
-                Datadog.logger.debug { "WAF TIMEOUT: #{result.inspect}" } if result.timeout
-
-                case result.status
-                when :match
-                  Datadog.logger.debug { "WAF: #{result.inspect}" }
-
-                  yield result
-                  throw(:block, true) unless result.actions.empty?
-                when :ok
-                  Datadog.logger.debug { "WAF OK: #{result.inspect}" }
-                when :invalid_call
-                  Datadog.logger.debug { "WAF CALL ERROR: #{result.inspect}" }
-                when :invalid_rule, :invalid_flow, :no_rule
-                  Datadog.logger.debug { "WAF RULE ERROR: #{result.inspect}" }
-                else
-                  Datadog.logger.debug { "WAF UNKNOWN: #{result.status.inspect} #{result.inspect}" }
-                end
+                result = waf_context.run(persistent_data, {}, waf_timeout)
+
+                next if result.status != :match
+
+                yield result
+                throw(:block, true) unless result.actions.empty?
               end
             end
           end

data/lib/datadog/appsec/contrib/rack/reactive/response.rb

@@ -30,32 +30,19 @@ module Datadog
                 response_headers = values[1]
                 response_headers_no_cookies = response_headers.dup.tap { |h| h.delete('set-cookie') }
 
-                waf_args = {
+                persistent_data = {
                   'server.response.status' => response_status.to_s,
                   'server.response.headers' => response_headers,
                   'server.response.headers.no_cookies' => response_headers_no_cookies,
                 }
 
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
-                result = waf_context.run(waf_args, waf_timeout)
+                result = waf_context.run(persistent_data, {}, waf_timeout)
 
-                Datadog.logger.debug { "WAF TIMEOUT: #{result.inspect}" } if result.timeout
+                next if result.status != :match
 
-                case result.status
-                when :match
-                  Datadog.logger.debug { "WAF: #{result.inspect}" }
-
-                  yield result
-                  throw(:block, true) unless result.actions.empty?
-                when :ok
-                  Datadog.logger.debug { "WAF OK: #{result.inspect}" }
-                when :invalid_call
-                  Datadog.logger.debug { "WAF CALL ERROR: #{result.inspect}" }
-                when :invalid_rule, :invalid_flow, :no_rule
-                  Datadog.logger.debug { "WAF RULE ERROR: #{result.inspect}" }
-                else
-                  Datadog.logger.debug { "WAF UNKNOWN: #{result.status.inspect} #{result.inspect}" }
-                end
+                yield result
+                throw(:block, true) unless result.actions.empty?
               end
             end
           end

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -150,7 +150,9 @@ module Datadog
 
             return unless trace && span
 
-            span.set_tag('_dd.appsec.enabled', 1)
+            span.set_metric(Datadog::AppSec::Ext::TAG_APPSEC_ENABLED, 1)
+            # We add this tag when ASM standalone is enabled to make sure we don't bill APM
+            span.set_metric(Datadog::AppSec::Ext::TAG_APM_ENABLED, 0) if Datadog.configuration.appsec.standalone.enabled
             span.set_tag('_dd.runtime_family', 'ruby')
             span.set_tag('_dd.appsec.waf.version', Datadog::AppSec::WAF::VERSION::BASE_STRING)
 

data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb

@@ -38,11 +38,9 @@ module Datadog
                           actions: result.actions
                         }
 
-                        if scope.service_entry_span
-                          scope.service_entry_span.set_tag('appsec.blocked', 'true') if result.actions.include?('block')
-                          scope.service_entry_span.set_tag('appsec.event', 'true')
-                        end
-
+                        # We want to keep the trace in case of security event
+                        scope.trace.keep! if scope.trace
+                        Datadog::AppSec::Event.tag_and_keep!(scope, result)
                         scope.processor_context.events << event
                       end
                     end