feat(appsec): support for inserting blocking IDs to blocking templates

[simon-id]

What does this PR do?

This updates the appsec blocking templates to include [security_response_id]. And update blocking code to replace this string by a random UUID provided by the WAF.

Motivation

Easier to track stuff.

ST PR: DataDog/system-tests#6720

[github-actions]

Overall package size

Self size: 5.48 MB
Deduped: 6.32 MB
No deduping: 6.32 MB

Dependency sizes

| name | version | self size | total size | |------|---------|-----------|------------| | import-in-the-middle | 3.0.1 | 82.56 kB | 817.39 kB | | dc-polyfill | 0.1.10 | 26.73 kB | 26.73 kB |

_{🤖 This report was automatically generated by heaviest-objects-in-the-universe}

[datadog-datadog-prod-us1-2]

⚠️ Tests

✨ Fix all issues with BitsAI or with Cursor

⚠️ Other Violations

🧪 1 Test failed

AIGuard SDK "before each" hook for "test evaluate 'tool call' with ALLOW action (blocking: true)" from AIGuard SDK     (Fix with Cursor)

Timeout of 5000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves. (D:\a\dd-trace-js\dd-trace-js\packages\dd-trace\test\aiguard\index.spec.js)

Error: Timeout of 5000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves. (D:\a\dd-trace-js\dd-trace-js\packages\dd-trace\test\aiguard\index.spec.js)
    at process.processTicksAndRejections (node:internal/process/task_queues:104:5)

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

🎯 Code Coverage (details)
• Patch Coverage: 96.55%
• Overall Coverage: 68.24% (-0.00%)

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 796745a | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}

[pr-commenter]

Benchmarks

Benchmark execution time: 2026-04-13 08:55:27

Comparing candidate commit 796745a in PR branch blocking_id with baseline commit b5ded05 in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 228 metrics, 32 unstable metrics.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.83%. Comparing base (b5ded05) to head (796745a).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #7923   +/-   ##
=======================================
  Coverage   73.83%   73.83%           
=======================================
  Files         773      773           
  Lines       35983    35989    +6     
=======================================
+ Hits        26567    26572    +5     
- Misses       9416     9417    +1     

Flag	Coverage Δ
aiguard-macos	36.46% <51.72%> (-0.06%)	⬇️
aiguard-ubuntu	36.57% <51.72%> (-0.06%)	⬇️
aiguard-windows	36.36% <51.72%> (-0.06%)	⬇️
apm-capabilities-tracing-macos	48.43% <51.72%> (+0.01%)	⬆️
apm-capabilities-tracing-ubuntu	48.47% <51.72%> (+0.01%)	⬆️
apm-capabilities-tracing-windows	48.25% <51.72%> (+<0.01%)	⬆️
apm-integrations-child-process	36.10% <51.72%> (-0.06%)	⬇️
apm-integrations-couchbase-18	35.02% <51.72%> (-0.09%)	⬇️
apm-integrations-couchbase-eol	35.09% <51.72%> (-0.06%)	⬇️
apm-integrations-oracledb	35.06% <51.72%> (-0.06%)	⬇️
appsec-express	52.82% <65.51%> (-0.07%)	⬇️
appsec-fastify	49.31% <72.41%> (-0.02%)	⬇️
appsec-graphql	49.56% <82.75%> (-0.13%)	⬇️
appsec-kafka	42.12% <51.72%> (-0.06%)	⬇️
appsec-ldapjs	41.41% <51.72%> (-0.05%)	⬇️
appsec-lodash	41.44% <51.72%> (-0.05%)	⬇️
appsec-macos	56.77% <96.55%> (-0.04%)	⬇️
appsec-mongodb-core	46.05% <51.72%> (-0.05%)	⬇️
appsec-mongoose	46.62% <51.72%> (-0.05%)	⬇️
appsec-mysql	48.75% <51.72%> (-0.06%)	⬇️
appsec-node-serialize	40.62% <51.72%> (-0.05%)	⬇️
appsec-passport	44.58% <51.72%> (-0.06%)	⬇️
appsec-postgres	48.33% <51.72%> (-0.07%)	⬇️
appsec-sourcing	40.08% <51.72%> (-0.05%)	⬇️
appsec-stripe	42.33% <51.72%> (-0.06%)	⬇️
appsec-template	40.78% <51.72%> (-0.05%)	⬇️
appsec-ubuntu	56.85% <96.55%> (-0.04%)	⬇️
appsec-windows	56.65% <96.55%> (-0.06%)	⬇️
instrumentations-instrumentation-bluebird	29.83% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-body-parser	37.68% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-child_process	35.47% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-cookie-parser	31.76% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-express	31.98% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-express-mongo-sanitize	31.88% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-express-session	37.31% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-fs	29.49% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-generic-pool	31.14% <ø> (ø)
instrumentations-instrumentation-http	36.91% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-knex	29.80% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-mongoose	30.91% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-multer	37.45% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-mysql2	35.41% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-passport	41.19% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-passport-http	40.89% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-passport-local	41.39% <51.72%> (-0.05%)	⬇️
instrumentations-instrumentation-pg	34.93% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-promise	29.76% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-promise-js	29.77% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-q	29.80% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-url	29.76% <51.72%> (-0.06%)	⬇️
instrumentations-instrumentation-when	29.78% <51.72%> (-0.06%)	⬇️
llmobs-ai	38.41% <51.72%> (-0.06%)	⬇️
llmobs-anthropic	37.87% <51.72%> (-0.06%)	⬇️
llmobs-bedrock	37.14% <51.72%> (-0.05%)	⬇️
llmobs-google-genai	37.56% <51.72%> (-0.05%)	⬇️
llmobs-langchain	37.13% <51.72%> (-0.05%)	⬇️
llmobs-openai	41.25% <51.72%> (-0.06%)	⬇️
llmobs-vertex-ai	37.73% <51.72%> (-0.06%)	⬇️
platform-core	31.10% <ø> (ø)
platform-esbuild	33.97% <ø> (ø)
platform-instrumentations-misc	40.97% <ø> (ø)
platform-shimmer	37.00% <ø> (ø)
platform-unit-guardrails	32.49% <ø> (ø)
platform-webpack	20.84% <ø> (ø)
plugins-azure-durable-functions	25.87% <ø> (ø)
plugins-azure-event-hubs	26.03% <ø> (ø)
plugins-azure-service-bus	25.40% <ø> (ø)
plugins-bullmq	40.75% <51.72%> (-0.07%)	⬇️
plugins-cassandra	35.07% <51.72%> (-0.18%)	⬇️
plugins-cookie	27.06% <ø> (ø)
plugins-cookie-parser	26.85% <ø> (ø)
plugins-crypto	26.55% <ø> (ø)
plugins-dd-trace-api	35.46% <51.72%> (-0.06%)	⬇️
plugins-express-mongo-sanitize	26.99% <ø> (ø)
plugins-express-session	26.81% <ø> (ø)
plugins-fastify	39.38% <51.72%> (-0.06%)	⬇️
plugins-fetch	35.75% <51.72%> (-0.06%)	⬇️
plugins-fs	35.70% <51.72%> (-0.06%)	⬇️
plugins-generic-pool	25.92% <ø> (ø)
plugins-google-cloud-pubsub	43.04% <51.72%> (-0.06%)	⬇️
plugins-grpc	38.06% <51.72%> (-0.06%)	⬇️
plugins-handlebars	27.03% <ø> (ø)
plugins-hapi	37.26% <51.72%> (-0.06%)	⬇️
plugins-hono	37.54% <51.72%> (-0.18%)	⬇️
plugins-ioredis	35.64% <51.72%> (-0.06%)	⬇️
plugins-knex	26.67% <ø> (ø)
plugins-langgraph	35.08% <51.72%> (-0.06%)	⬇️
plugins-ldapjs	24.45% <ø> (ø)
plugins-light-my-request	26.41% <ø> (ø)
plugins-limitd-client	30.04% <51.72%> (-0.06%)	⬇️
plugins-lodash	26.00% <ø> (ø)
plugins-mariadb	36.51% <51.72%> (-0.10%)	⬇️
plugins-memcached	35.30% <51.72%> (-0.06%)	⬇️
plugins-microgateway-core	36.35% <51.72%> (-0.06%)	⬇️
plugins-moleculer	38.06% <51.72%> (-0.06%)	⬇️
plugins-mongodb	36.40% <51.72%> (-0.06%)	⬇️
plugins-mongodb-core	36.11% <51.72%> (-0.06%)	⬇️
plugins-mongoose	36.04% <51.72%> (-0.14%)	⬇️
plugins-multer	26.81% <ø> (ø)
plugins-mysql	36.38% <51.72%> (-0.06%)	⬇️
plugins-mysql2	36.36% <51.72%> (-0.06%)	⬇️
plugins-node-serialize	27.10% <ø> (ø)
plugins-opensearch	34.96% <51.72%> (-0.06%)	⬇️
plugins-passport-http	26.85% <ø> (ø)
plugins-postgres	34.35% <51.72%> (-0.08%)	⬇️
plugins-process	26.55% <ø> (ø)
plugins-pug	27.06% <ø> (ø)
plugins-redis	35.85% <51.72%> (-0.06%)	⬇️
plugins-router	40.01% <51.72%> (-0.06%)	⬇️
plugins-sequelize	25.68% <ø> (ø)
plugins-test-and-upstream-amqp10	35.66% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-amqplib	40.86% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-apollo	36.53% <51.72%> (-0.05%)	⬇️
plugins-test-and-upstream-avsc	35.55% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-bunyan	31.20% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-connect	37.87% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-graphql	37.21% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-koa	37.47% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-protobufjs	35.77% <51.72%> (-0.06%)	⬇️
plugins-test-and-upstream-rhea	40.97% <51.72%> (-0.06%)	⬇️
plugins-undici	36.55% <51.72%> (-0.06%)	⬇️
plugins-url	26.55% <ø> (ø)
plugins-valkey	35.32% <51.72%> (-0.06%)	⬇️
plugins-vm	26.55% <ø> (ø)
plugins-winston	31.63% <51.72%> (-0.06%)	⬇️
plugins-ws	38.95% <51.72%> (-0.06%)	⬇️
profiling-macos	37.97% <51.72%> (-0.06%)	⬇️
profiling-ubuntu	38.13% <51.72%> (-0.06%)	⬇️
profiling-windows	39.50% <51.72%> (-0.06%)	⬇️
serverless-azure-functions-client	25.75% <ø> (ø)
serverless-azure-functions-eventhubs	25.75% <ø> (ø)
serverless-azure-functions-servicebus	25.75% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[CarlesDD]

LGTM but note that if a custom template contains [security_response_id] more than once, only the first occurrence will be replaced. Is this a limitation of the feature, or should we handle multiple occurrences?

[simon-id]

It's a limitation I took into account. Sure there are use cases for having multiple times the thing included, but doing so would make the "compilation" optimization way slower, so I decided one occurence was enough. Wdyt ?
(the RFC doesn't define this behavior, so i chose speed over potential use case)