iframe-proxy

smola · 2026-04-29T14:33:18Z

What Does This Do

When DD_AI_GUARD_ENABLED=true, resolve the client IP eagerly during HTTP
server request decoration and stash it on the request context. Apply the
tags (http.client_ip and network.client.ip) on the local root span only
when an ai_guard span is actually created, so non-AI requests of an
AI-Guard-enabled service do not get IP tags.

APPSEC-62199

Motivation

Additional Notes

Contributor Checklist

Format the title according to the contribution guidelines
Assign the type: and (comp: or inst:) labels in addition to any other useful labels
Avoid using close, fix, or any linking keywords when referencing an issue
Use solves instead, and assign the PR milestone to the issue
Update the CODEOWNERS file on source file addition, migration, or deletion
Update public documentation with any new configuration flags or behaviors

Jira ticket: [PROJ-IDENT]

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

pr-commenter · 2026-04-29T15:54:52Z

Benchmarks

Startup

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	smola/ai-guard-client-ip-tags
git_commit_date	1777473948	1777475364
git_commit_sha	`c9cebad`	3b41551f9d
release_version	1.62.0-SNAPSHOT~c9cebadc2b	1.62.0-SNAPSHOT~3b41551f9d

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1777477073	1777477073
ci_job_id	1642810008	1642810008
ci_pipeline_id	110468859	110468859
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-0-vn5psrc7 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-0-vn5psrc7 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module	Agent	Agent
parent	None	None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for insecure-bank

gantt
    title insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.068 s) : 0, 1067980
Total [baseline] (8.851 s) : 0, 8850578
Agent [candidate] (1.074 s) : 0, 1074498
Total [candidate] (8.89 s) : 0, 8890471
section iast
Agent [baseline] (1.245 s) : 0, 1245218
Total [baseline] (9.584 s) : 0, 9584278
Agent [candidate] (1.242 s) : 0, 1242039
Total [candidate] (9.474 s) : 0, 9474385

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.068 s	-
Agent	iast	1.245 s	177.239 ms (16.6%)
Total	tracing	8.851 s	-
Total	iast	9.584 s	733.7 ms (8.3%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.074 s	-
Agent	iast	1.242 s	167.541 ms (15.6%)
Total	tracing	8.89 s	-
Total	iast	9.474 s	583.913 ms (6.6%)

gantt
    title insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.219 ms) : 0, 1219
crashtracking [candidate] (1.227 ms) : 0, 1227
BytebuddyAgent [baseline] (637.602 ms) : 0, 637602
BytebuddyAgent [candidate] (641.373 ms) : 0, 641373
AgentMeter [baseline] (29.49 ms) : 0, 29490
AgentMeter [candidate] (29.702 ms) : 0, 29702
GlobalTracer [baseline] (249.332 ms) : 0, 249332
GlobalTracer [candidate] (250.654 ms) : 0, 250654
AppSec [baseline] (32.898 ms) : 0, 32898
AppSec [candidate] (33.096 ms) : 0, 33096
Debugger [baseline] (61.851 ms) : 0, 61851
Debugger [candidate] (61.833 ms) : 0, 61833
Remote Config [baseline] (604.499 µs) : 0, 604
Remote Config [candidate] (2.091 ms) : 0, 2091
Telemetry [baseline] (8.415 ms) : 0, 8415
Telemetry [candidate] (10.053 ms) : 0, 10053
Flare Poller [baseline] (10.489 ms) : 0, 10489
Flare Poller [candidate] (8.406 ms) : 0, 8406
section iast
crashtracking [baseline] (1.231 ms) : 0, 1231
crashtracking [candidate] (1.226 ms) : 0, 1226
BytebuddyAgent [baseline] (824.019 ms) : 0, 824019
BytebuddyAgent [candidate] (820.913 ms) : 0, 820913
AgentMeter [baseline] (11.273 ms) : 0, 11273
AgentMeter [candidate] (11.259 ms) : 0, 11259
GlobalTracer [baseline] (237.602 ms) : 0, 237602
GlobalTracer [candidate] (237.348 ms) : 0, 237348
AppSec [baseline] (31.156 ms) : 0, 31156
AppSec [candidate] (33.935 ms) : 0, 33935
Debugger [baseline] (63.844 ms) : 0, 63844
Debugger [candidate] (63.899 ms) : 0, 63899
Remote Config [baseline] (525.393 µs) : 0, 525
Remote Config [candidate] (521.333 µs) : 0, 521
Telemetry [baseline] (7.907 ms) : 0, 7907
Telemetry [candidate] (7.846 ms) : 0, 7846
Flare Poller [baseline] (3.328 ms) : 0, 3328
Flare Poller [candidate] (3.31 ms) : 0, 3310
IAST [baseline] (28.237 ms) : 0, 28237
IAST [candidate] (25.783 ms) : 0, 25783

Startup time reports for petclinic

gantt
    title petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.064 s) : 0, 1064464
Total [baseline] (11.016 s) : 0, 11016159
Agent [candidate] (1.071 s) : 0, 1071153
Total [candidate] (11.116 s) : 0, 11115547
section appsec
Agent [baseline] (1.268 s) : 0, 1267765
Total [baseline] (11.284 s) : 0, 11283623
Agent [candidate] (1.28 s) : 0, 1279773
Total [candidate] (11.239 s) : 0, 11238647
section iast
Agent [baseline] (1.248 s) : 0, 1247950
Total [baseline] (11.225 s) : 0, 11224804
Agent [candidate] (1.262 s) : 0, 1262055
Total [candidate] (11.26 s) : 0, 11259686
section profiling
Agent [baseline] (1.193 s) : 0, 1192887
Total [baseline] (11.024 s) : 0, 11023538
Agent [candidate] (1.196 s) : 0, 1196241
Total [candidate] (11.067 s) : 0, 11067184

baseline results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.064 s	-
Agent	appsec	1.268 s	203.302 ms (19.1%)
Agent	iast	1.248 s	183.486 ms (17.2%)
Agent	profiling	1.193 s	128.423 ms (12.1%)
Total	tracing	11.016 s	-
Total	appsec	11.284 s	267.464 ms (2.4%)
Total	iast	11.225 s	208.644 ms (1.9%)
Total	profiling	11.024 s	7.379 ms (0.1%)

candidate results

Module	Variant	Duration	Δ tracing
Agent	tracing	1.071 s	-
Agent	appsec	1.28 s	208.62 ms (19.5%)
Agent	iast	1.262 s	190.902 ms (17.8%)
Agent	profiling	1.196 s	125.088 ms (11.7%)
Total	tracing	11.116 s	-
Total	appsec	11.239 s	123.101 ms (1.1%)
Total	iast	11.26 s	144.14 ms (1.3%)
Total	profiling	11.067 s	-48.363 ms (-0.4%)

gantt
    title petclinic - break down per module: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.224 ms) : 0, 1224
crashtracking [candidate] (1.227 ms) : 0, 1227
BytebuddyAgent [baseline] (635.033 ms) : 0, 635033
BytebuddyAgent [candidate] (640.138 ms) : 0, 640138
AgentMeter [baseline] (29.407 ms) : 0, 29407
AgentMeter [candidate] (29.358 ms) : 0, 29358
GlobalTracer [baseline] (248.469 ms) : 0, 248469
GlobalTracer [candidate] (250.116 ms) : 0, 250116
AppSec [baseline] (32.719 ms) : 0, 32719
AppSec [candidate] (33.073 ms) : 0, 33073
Debugger [baseline] (61.828 ms) : 0, 61828
Debugger [candidate] (62.419 ms) : 0, 62419
Remote Config [baseline] (595.954 µs) : 0, 596
Remote Config [candidate] (589.163 µs) : 0, 589
Telemetry [baseline] (9.139 ms) : 0, 9139
Telemetry [candidate] (9.219 ms) : 0, 9219
Flare Poller [baseline] (9.944 ms) : 0, 9944
Flare Poller [candidate] (8.914 ms) : 0, 8914
section appsec
crashtracking [baseline] (1.233 ms) : 0, 1233
crashtracking [candidate] (1.236 ms) : 0, 1236
BytebuddyAgent [baseline] (674.829 ms) : 0, 674829
BytebuddyAgent [candidate] (682.589 ms) : 0, 682589
AgentMeter [baseline] (12.22 ms) : 0, 12220
AgentMeter [candidate] (12.378 ms) : 0, 12378
GlobalTracer [baseline] (249.43 ms) : 0, 249430
GlobalTracer [candidate] (251.791 ms) : 0, 251791
AppSec [baseline] (185.339 ms) : 0, 185339
AppSec [candidate] (186.253 ms) : 0, 186253
Debugger [baseline] (66.663 ms) : 0, 66663
Debugger [candidate] (66.639 ms) : 0, 66639
Remote Config [baseline] (556.072 µs) : 0, 556
Remote Config [candidate] (569.804 µs) : 0, 570
Telemetry [baseline] (7.724 ms) : 0, 7724
Telemetry [candidate] (7.892 ms) : 0, 7892
Flare Poller [baseline] (8.487 ms) : 0, 8487
Flare Poller [candidate] (8.59 ms) : 0, 8590
IAST [baseline] (24.627 ms) : 0, 24627
IAST [candidate] (24.954 ms) : 0, 24954
section iast
crashtracking [baseline] (1.229 ms) : 0, 1229
crashtracking [candidate] (1.243 ms) : 0, 1243
BytebuddyAgent [baseline] (824.426 ms) : 0, 824426
BytebuddyAgent [candidate] (837.335 ms) : 0, 837335
AgentMeter [baseline] (11.307 ms) : 0, 11307
AgentMeter [candidate] (11.414 ms) : 0, 11414
GlobalTracer [baseline] (238.267 ms) : 0, 238267
GlobalTracer [candidate] (239.298 ms) : 0, 239298
AppSec [baseline] (31.502 ms) : 0, 31502
AppSec [candidate] (31.721 ms) : 0, 31721
Debugger [baseline] (64.883 ms) : 0, 64883
Debugger [candidate] (65.209 ms) : 0, 65209
Remote Config [baseline] (526.885 µs) : 0, 527
Remote Config [candidate] (520.745 µs) : 0, 521
Telemetry [baseline] (8.014 ms) : 0, 8014
Telemetry [candidate] (7.984 ms) : 0, 7984
Flare Poller [baseline] (3.437 ms) : 0, 3437
Flare Poller [candidate] (3.503 ms) : 0, 3503
IAST [baseline] (28.245 ms) : 0, 28245
IAST [candidate] (27.432 ms) : 0, 27432
section profiling
ProfilingAgent [baseline] (94.657 ms) : 0, 94657
ProfilingAgent [candidate] (93.675 ms) : 0, 93675
crashtracking [baseline] (1.173 ms) : 0, 1173
crashtracking [candidate] (1.184 ms) : 0, 1184
BytebuddyAgent [baseline] (694.065 ms) : 0, 694065
BytebuddyAgent [candidate] (698.046 ms) : 0, 698046
AgentMeter [baseline] (8.976 ms) : 0, 8976
AgentMeter [candidate] (8.982 ms) : 0, 8982
GlobalTracer [baseline] (209.172 ms) : 0, 209172
GlobalTracer [candidate] (209.12 ms) : 0, 209120
AppSec [baseline] (33.046 ms) : 0, 33046
AppSec [candidate] (33.031 ms) : 0, 33031
Debugger [baseline] (68.046 ms) : 0, 68046
Debugger [candidate] (68.055 ms) : 0, 68055
Remote Config [baseline] (576.877 µs) : 0, 577
Remote Config [candidate] (575.383 µs) : 0, 575
Telemetry [baseline] (8.205 ms) : 0, 8205
Telemetry [candidate] (8.191 ms) : 0, 8191
Flare Poller [baseline] (3.562 ms) : 0, 3562
Flare Poller [candidate] (3.556 ms) : 0, 3556
Profiling [baseline] (95.221 ms) : 0, 95221
Profiling [candidate] (94.224 ms) : 0, 94224

Load

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	smola/ai-guard-client-ip-tags
git_commit_date	1777473948	1777475364
git_commit_sha	`c9cebad`	3b41551f9d
release_version	1.62.0-SNAPSHOT~c9cebadc2b	1.62.0-SNAPSHOT~3b41551f9d

See matching parameters

	Baseline	Candidate
application	insecure-bank	insecure-bank
ci_job_date	1777477549	1777477549
ci_job_id	1642810009	1642810009
ci_pipeline_id	110468859	110468859
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-1-qb630l81 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-1-qb630l81 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 4 performance regressions! Performance is the same for 16 metrics, 15 unstable metrics.

scenario	Δ mean agg_http_req_duration_p50	Δ mean agg_http_req_duration_p95	Δ mean throughput	candidate mean agg_http_req_duration_p50	candidate mean agg_http_req_duration_p95	candidate mean throughput	baseline mean agg_http_req_duration_p50	baseline mean agg_http_req_duration_p95	baseline mean throughput
scenario:load:insecure-bank:profiling:high_load	better [-240.781µs; -70.039µs] or [-12.723%; -3.701%]	unstable [-1278.709µs; -298.240µs] or [-22.203%; -5.178%]	unstable [-34.075op/s; +450.325op/s] or [-1.793%; +23.701%]	1.737ms	4.971ms	2108.156op/s	1.892ms	5.759ms	1900.031op/s
scenario:load:insecure-bank:iast_FULL:high_load	worse [+326.804µs; +578.710µs] or [+6.405%; +11.342%]	worse [+0.718ms; +1.476ms] or [+5.950%; +12.235%]	unstable [-135.631op/s; +18.818op/s] or [-16.879%; +2.342%]	5.555ms	13.163ms	745.125op/s	5.102ms	12.066ms	803.531op/s
scenario:load:insecure-bank:iast:high_load	worse [+81.803µs; +188.869µs] or [+3.273%; +7.556%]	same [-12.852µs; +633.587µs] or [-0.174%; +8.586%]	unstable [-214.352op/s; +79.352op/s] or [-15.087%; +5.585%]	2.635ms	7.690ms	1353.281op/s	2.499ms	7.379ms	1420.781op/s
scenario:load:petclinic:profiling:high_load	worse [+0.841ms; +1.864ms] or [+4.669%; +10.344%]	unsure [+0.372ms; +2.225ms] or [+1.256%; +7.514%]	unstable [-37.974op/s; +10.474op/s] or [-15.034%; +4.147%]	19.370ms	30.917ms	238.844op/s	18.018ms	29.619ms	252.594op/s

Request duration reports for insecure-bank

gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.246 ms) : 1234, 1259
.   : milestone, 1246,
iast (3.218 ms) : 3174, 3262
.   : milestone, 3218,
iast_FULL (5.751 ms) : 5695, 5807
.   : milestone, 5751,
iast_GLOBAL (3.648 ms) : 3586, 3711
.   : milestone, 3648,
profiling (2.388 ms) : 2364, 2412
.   : milestone, 2388,
tracing (1.927 ms) : 1910, 1943
.   : milestone, 1927,
section candidate
no_agent (1.231 ms) : 1219, 1242
.   : milestone, 1231,
iast (3.384 ms) : 3337, 3430
.   : milestone, 3384,
iast_FULL (6.211 ms) : 6147, 6275
.   : milestone, 6211,
iast_GLOBAL (3.673 ms) : 3618, 3729
.   : milestone, 3673,
profiling (2.146 ms) : 2124, 2167
.   : milestone, 2146,
tracing (1.918 ms) : 1902, 1934
.   : milestone, 1918,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.246 ms [1.234 ms, 1.259 ms]	-
iast	3.218 ms [3.174 ms, 3.262 ms]	1.972 ms (158.2%)
iast_FULL	5.751 ms [5.695 ms, 5.807 ms]	4.505 ms (361.5%)
iast_GLOBAL	3.648 ms [3.586 ms, 3.711 ms]	2.402 ms (192.8%)
profiling	2.388 ms [2.364 ms, 2.412 ms]	1.142 ms (91.6%)
tracing	1.927 ms [1.91 ms, 1.943 ms]	680.355 µs (54.6%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	1.231 ms [1.219 ms, 1.242 ms]	-
iast	3.384 ms [3.337 ms, 3.43 ms]	2.153 ms (175.0%)
iast_FULL	6.211 ms [6.147 ms, 6.275 ms]	4.98 ms (404.7%)
iast_GLOBAL	3.673 ms [3.618 ms, 3.729 ms]	2.443 ms (198.5%)
profiling	2.146 ms [2.124 ms, 2.167 ms]	915.106 µs (74.4%)
tracing	1.918 ms [1.902 ms, 1.934 ms]	687.451 µs (55.9%)

Request duration reports for petclinic

gantt
    title petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (18.947 ms) : 18756, 19138
.   : milestone, 18947,
appsec (18.716 ms) : 18527, 18906
.   : milestone, 18716,
code_origins (17.551 ms) : 17379, 17723
.   : milestone, 17551,
iast (17.777 ms) : 17603, 17951
.   : milestone, 17777,
profiling (18.478 ms) : 18294, 18663
.   : milestone, 18478,
tracing (17.959 ms) : 17780, 18139
.   : milestone, 17959,
section candidate
no_agent (19.298 ms) : 19103, 19493
.   : milestone, 19298,
appsec (18.372 ms) : 18187, 18557
.   : milestone, 18372,
code_origins (17.96 ms) : 17783, 18137
.   : milestone, 17960,
iast (17.833 ms) : 17656, 18010
.   : milestone, 17833,
profiling (19.544 ms) : 19344, 19745
.   : milestone, 19544,
tracing (17.711 ms) : 17538, 17885
.   : milestone, 17711,

baseline results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	18.947 ms [18.756 ms, 19.138 ms]	-
appsec	18.716 ms [18.527 ms, 18.906 ms]	-230.467 µs (-1.2%)
code_origins	17.551 ms [17.379 ms, 17.723 ms]	-1.396 ms (-7.4%)
iast	17.777 ms [17.603 ms, 17.951 ms]	-1.17 ms (-6.2%)
profiling	18.478 ms [18.294 ms, 18.663 ms]	-468.589 µs (-2.5%)
tracing	17.959 ms [17.78 ms, 18.139 ms]	-987.731 µs (-5.2%)

candidate results

Variant	Request duration [CI 0.99]	Δ no_agent
no_agent	19.298 ms [19.103 ms, 19.493 ms]	-
appsec	18.372 ms [18.187 ms, 18.557 ms]	-926.428 µs (-4.8%)
code_origins	17.96 ms [17.783 ms, 18.137 ms]	-1.338 ms (-6.9%)
iast	17.833 ms [17.656 ms, 18.01 ms]	-1.466 ms (-7.6%)
profiling	19.544 ms [19.344 ms, 19.745 ms]	245.986 µs (1.3%)
tracing	17.711 ms [17.538 ms, 17.885 ms]	-1.587 ms (-8.2%)

Dacapo

Parameters

	Baseline	Candidate
baseline_or_candidate	baseline	candidate
git_branch	master	smola/ai-guard-client-ip-tags
git_commit_date	1777473948	1777475364
git_commit_sha	`c9cebad`	3b41551f9d
release_version	1.62.0-SNAPSHOT~c9cebadc2b	1.62.0-SNAPSHOT~3b41551f9d

See matching parameters

	Baseline	Candidate
application	biojava	biojava
ci_job_date	1777477304	1777477304
ci_job_id	1642810010	1642810010
ci_pipeline_id	110468859	110468859
cpu_model	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz	Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version	Linux runner-zfyrx7zua-project-304-concurrent-1-533v37x5 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux	Linux runner-zfyrx7zua-project-304-concurrent-1-533v37x5 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava

gantt
    title biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.475 s) : 15475000, 15475000
.   : milestone, 15475000,
appsec (14.539 s) : 14539000, 14539000
.   : milestone, 14539000,
iast (18.501 s) : 18501000, 18501000
.   : milestone, 18501000,
iast_GLOBAL (17.704 s) : 17704000, 17704000
.   : milestone, 17704000,
profiling (14.799 s) : 14799000, 14799000
.   : milestone, 14799000,
tracing (14.89 s) : 14890000, 14890000
.   : milestone, 14890000,
section candidate
no_agent (15.4 s) : 15400000, 15400000
.   : milestone, 15400000,
appsec (14.912 s) : 14912000, 14912000
.   : milestone, 14912000,
iast (18.401 s) : 18401000, 18401000
.   : milestone, 18401000,
iast_GLOBAL (18.041 s) : 18041000, 18041000
.   : milestone, 18041000,
profiling (15.257 s) : 15257000, 15257000
.   : milestone, 15257000,
tracing (14.617 s) : 14617000, 14617000
.   : milestone, 14617000,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.475 s [15.475 s, 15.475 s]	-
appsec	14.539 s [14.539 s, 14.539 s]	-936.0 ms (-6.0%)
iast	18.501 s [18.501 s, 18.501 s]	3.026 s (19.6%)
iast_GLOBAL	17.704 s [17.704 s, 17.704 s]	2.229 s (14.4%)
profiling	14.799 s [14.799 s, 14.799 s]	-676.0 ms (-4.4%)
tracing	14.89 s [14.89 s, 14.89 s]	-585.0 ms (-3.8%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	15.4 s [15.4 s, 15.4 s]	-
appsec	14.912 s [14.912 s, 14.912 s]	-488.0 ms (-3.2%)
iast	18.401 s [18.401 s, 18.401 s]	3.001 s (19.5%)
iast_GLOBAL	18.041 s [18.041 s, 18.041 s]	2.641 s (17.1%)
profiling	15.257 s [15.257 s, 15.257 s]	-143.0 ms (-0.9%)
tracing	14.617 s [14.617 s, 14.617 s]	-783.0 ms (-5.1%)

Execution time for tomcat

gantt
    title tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.487 ms) : 1475, 1498
.   : milestone, 1487,
appsec (3.798 ms) : 3576, 4020
.   : milestone, 3798,
iast (2.275 ms) : 2206, 2345
.   : milestone, 2275,
iast_GLOBAL (2.315 ms) : 2245, 2385
.   : milestone, 2315,
profiling (2.106 ms) : 2051, 2161
.   : milestone, 2106,
tracing (2.085 ms) : 2032, 2139
.   : milestone, 2085,
section candidate
no_agent (1.483 ms) : 1472, 1495
.   : milestone, 1483,
appsec (3.839 ms) : 3617, 4061
.   : milestone, 3839,
iast (2.271 ms) : 2202, 2341
.   : milestone, 2271,
iast_GLOBAL (2.315 ms) : 2245, 2385
.   : milestone, 2315,
profiling (2.104 ms) : 2049, 2159
.   : milestone, 2104,
tracing (2.088 ms) : 2034, 2141
.   : milestone, 2088,

baseline results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.487 ms [1.475 ms, 1.498 ms]	-
appsec	3.798 ms [3.576 ms, 4.02 ms]	2.311 ms (155.5%)
iast	2.275 ms [2.206 ms, 2.345 ms]	788.671 µs (53.0%)
iast_GLOBAL	2.315 ms [2.245 ms, 2.385 ms]	828.517 µs (55.7%)
profiling	2.106 ms [2.051 ms, 2.161 ms]	619.442 µs (41.7%)
tracing	2.085 ms [2.032 ms, 2.139 ms]	598.621 µs (40.3%)

candidate results

Variant	Execution Time [CI 0.99]	Δ no_agent
no_agent	1.483 ms [1.472 ms, 1.495 ms]	-
appsec	3.839 ms [3.617 ms, 4.061 ms]	2.355 ms (158.8%)
iast	2.271 ms [2.202 ms, 2.341 ms]	787.717 µs (53.1%)
iast_GLOBAL	2.315 ms [2.245 ms, 2.385 ms]	831.28 µs (56.0%)
profiling	2.104 ms [2.049 ms, 2.159 ms]	620.965 µs (41.9%)
tracing	2.088 ms [2.034 ms, 2.141 ms]	604.25 µs (40.7%)

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 041ae77c3d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

manuel-alvarez-alvarez

LGTM, to review the Codex comment

vandonr

looks ok, needs a review from core too

vandonr · 2026-05-06T14:15:20Z

+    if (peerIp != null && localRootSpan.getTag(Tags.NETWORK_CLIENT_IP) == null) {
+      localRootSpan.setTag(Tags.NETWORK_CLIENT_IP, peerIp);
+    }
+    final String inferredClientIp = clientIpAddressData.getInferredClientIp();
+    if (inferredClientIp != null && localRootSpan.getTag(Tags.HTTP_CLIENT_IP) == null) {
+      localRootSpan.setTag(Tags.HTTP_CLIENT_IP, inferredClientIp);
+    }


if it's frequent enough that both tags are already set on the root span, it could make sense to check that before unfolding the request context ? maybe ?

I think the tags would generally not be present in the root span. In the normal path, if the http decorator is tagging these for all requests, then the IPs would not be stashed for later, and this function would see requestContext.getAndResetClientIpAddressData() == null).

vandonr · 2026-05-06T14:16:58Z

+    // This should be enabled if:
+    //   - DD_TRACE_CLIENT_IP_ENABLED=true, or
+    //   - DD_APPSEC_ENABLED=true (or AppSec enabled at runtime)


this is kinda repeating the logic that's written below, not sure it's very useful + it risks being outdated if the condition changes

The logic below is scattered across ~3 separate code blocks intermingled with other stuff. At least for me it was quite hard to follow every subtle detail about what gets collected when, and why. The whole logic for IP tagging should probably be splitted to a separate function so that it's grouped and fits once screen (material for another PR I guess). But until then, I would rather keep some consolidated clarification about what's going on.

ok, makes sense, I saw it as mostly rewording the bool computation below, but it's indeed carrying more information.

smola · 2026-05-07T07:19:59Z

@codex review

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 25e6058ade

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-05-07T07:24:05Z

    new AIGuard.Options().block(false) | true           | false
  }

+  void 'test evaluate applies captured client ip tags to local root span'() {


Move new Spock coverage to JUnit 5

The repo-level AGENTS.md explicitly says, "Do not write new Groovy / Spock tests" and to migrate existing Groovy tests to JUnit 5 when touching them. This commit adds new Spock test methods in this Groovy spec, increasing the legacy test surface instead of following the maintained JUnit 5 convention.

Useful? React with 👍 / 👎.

Oh well, once we migrate the test class as a whole.

When DD_AI_GUARD_ENABLED=true, resolve the client IP eagerly during HTTP server request decoration and stash it on the request context. Apply the tags (http.client_ip and network.client.ip) on the local root span only when an ai_guard span is actually created, so non-AI requests of an AI-Guard-enabled service do not get IP tags. APPSEC-62199

…spans Replace getAndResetClientIpAddressData with a non-destructive getClientIpAddressData, and guard the stash write in HttpServerDecorator so that a child server span cannot overwrite IP data already resolved from the root span's proxy headers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

smola · 2026-05-07T08:39:25Z

@codex review

chatgpt-codex-connector

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1cccdeed34

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

chatgpt-codex-connector · 2026-05-07T08:42:47Z

    new AIGuard.Options().block(false) | true           | false
  }

+  void 'test evaluate applies captured client ip tags to local root span'() {


Move added Spock coverage to JUnit 5

The repo-level AGENTS.md test guideline says to always use JUnit 5 and not write new Groovy/Spock tests, migrating existing Groovy tests instead. This change adds new Spock test coverage here (and similarly in the HTTP decorator/smoke specs), so the new AI Guard client-IP coverage should be implemented as JUnit 5 tests rather than extending Groovy specs.

Useful? React with 👍 / 👎.

smola force-pushed the smola/ai-guard-client-ip-tags branch from 93c0a25 to 3b41551 Compare April 29, 2026 15:09

smola force-pushed the smola/ai-guard-client-ip-tags branch from 3b41551 to 041ae77 Compare May 6, 2026 08:00

smola changed the title ~~Smola/ai guard client ip tags~~ Collect client IP tags for AI Guard requests May 6, 2026

smola added type: enhancement Enhancements and improvements tag: ai generated Largely based on code generated by an AI or LLM comp: ai-guard AI Guard labels May 6, 2026

smola marked this pull request as ready for review May 6, 2026 10:11

smola requested review from a team as code owners May 6, 2026 10:11

smola requested review from a team, daniel-romano-DD, manuel-alvarez-alvarez and mtoffl01 and removed request for a team May 6, 2026 10:11

chatgpt-codex-connector Bot reviewed May 6, 2026

View reviewed changes

Comment thread ...rap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java

manuel-alvarez-alvarez approved these changes May 6, 2026

View reviewed changes

vandonr approved these changes May 6, 2026

View reviewed changes

smola force-pushed the smola/ai-guard-client-ip-tags branch from 041ae77 to 25e6058 Compare May 6, 2026 15:16

chatgpt-codex-connector Bot reviewed May 7, 2026

View reviewed changes

smola and others added 2 commits May 7, 2026 10:38

smola force-pushed the smola/ai-guard-client-ip-tags branch from 25e6058 to 1cccdee Compare May 7, 2026 08:39

chatgpt-codex-connector Bot reviewed May 7, 2026

View reviewed changes

Merge branch 'master' into smola/ai-guard-client-ip-tags

ca1d302

gh-worker-dd-mergequeue-cf854d Bot merged commit 886db92 into master May 7, 2026
570 checks passed

gh-worker-dd-mergequeue-cf854d Bot deleted the smola/ai-guard-client-ip-tags branch May 7, 2026 16:42

github-actions Bot added this to the 1.63.0 milestone May 7, 2026

Sunbelt Computer Software

PL/B Language Development and Support

Uh oh!

Conversation

smola commented Apr 29, 2026 • edited by atlassian Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Uh oh!

pr-commenter Bot commented Apr 29, 2026

Benchmarks

Startup

Parameters

Summary

Load

Parameters

Summary

Dacapo

Parameters

Summary

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

manuel-alvarez-alvarez left a comment

Choose a reason for hiding this comment

Uh oh!

vandonr left a comment

Choose a reason for hiding this comment

Uh oh!

vandonr May 6, 2026

Choose a reason for hiding this comment

Uh oh!

smola May 6, 2026

Choose a reason for hiding this comment

Uh oh!

vandonr May 6, 2026

Choose a reason for hiding this comment

Uh oh!

smola May 6, 2026

Choose a reason for hiding this comment

Uh oh!

vandonr May 6, 2026

Choose a reason for hiding this comment

Uh oh!

smola commented May 7, 2026

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

Uh oh!

chatgpt-codex-connector Bot May 7, 2026

Choose a reason for hiding this comment

Uh oh!

smola May 7, 2026

Choose a reason for hiding this comment

Uh oh!

smola commented May 7, 2026

Uh oh!

chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

💡 Codex Review

Uh oh!

chatgpt-codex-connector Bot May 7, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

smola commented Apr 29, 2026 •

edited by atlassian Bot

Loading