Skip to content

Collect client IP tags for AI Guard requests#11233

Open
smola wants to merge 1 commit intomasterfrom
smola/ai-guard-client-ip-tags
Open

Collect client IP tags for AI Guard requests#11233
smola wants to merge 1 commit intomasterfrom
smola/ai-guard-client-ip-tags

Conversation

@smola
Copy link
Copy Markdown
Member

@smola smola commented Apr 29, 2026
edited by atlassian Bot
Loading

What Does This Do

When DD_AI_GUARD_ENABLED=true, resolve the client IP eagerly during HTTP
server request decoration and stash it on the request context. Apply the
tags (http.client_ip and network.client.ip) on the local root span only
when an ai_guard span is actually created, so non-AI requests of an
AI-Guard-enabled service do not get IP tags.

APPSEC-62199

Motivation

Additional Notes

Contributor Checklist

Jira ticket: [PROJ-IDENT]

Note: Once your PR is ready to merge, add it to the merge queue by commenting /merge. /merge -c cancels the queue request. /merge -f --reason "reason" skips all merge queue checks; please use this judiciously, as some checks do not run at the PR-level. For more information, see this doc.

@smola smola force-pushed the smola/ai-guard-client-ip-tags branch from 93c0a25 to 3b41551 Compare April 29, 2026 15:09
@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented Apr 29, 2026

Benchmarks

Startup

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/ai-guard-client-ip-tags
git_commit_date 1777473948 1777475364
git_commit_sha c9cebad 3b41551
release_version 1.62.0-SNAPSHOT~c9cebadc2b 1.62.0-SNAPSHOT~3b41551f9d
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1777477073 1777477073
ci_job_id 1642810008 1642810008
ci_pipeline_id 110468859 110468859
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-0-vn5psrc7 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-0-vn5psrc7 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
module Agent Agent
parent None None

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 61 metrics, 10 unstable metrics.

Startup time reports for insecure-bank 
gantt
    title insecure-bank - global startup overhead: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.068 s) : 0, 1067980
Total [baseline] (8.851 s) : 0, 8850578
Agent [candidate] (1.074 s) : 0, 1074498
Total [candidate] (8.89 s) : 0, 8890471
section iast
Agent [baseline] (1.245 s) : 0, 1245218
Total [baseline] (9.584 s) : 0, 9584278
Agent [candidate] (1.242 s) : 0, 1242039
Total [candidate] (9.474 s) : 0, 9474385
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.068 s -
Agent iast 1.245 s 177.239 ms (16.6%)
Total tracing 8.851 s -
Total iast 9.584 s 733.7 ms (8.3%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.074 s -
Agent iast 1.242 s 167.541 ms (15.6%)
Total tracing 8.89 s -
Total iast 9.474 s 583.913 ms (6.6%) 
gantt
    title insecure-bank - break down per module: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.219 ms) : 0, 1219
crashtracking [candidate] (1.227 ms) : 0, 1227
BytebuddyAgent [baseline] (637.602 ms) : 0, 637602
BytebuddyAgent [candidate] (641.373 ms) : 0, 641373
AgentMeter [baseline] (29.49 ms) : 0, 29490
AgentMeter [candidate] (29.702 ms) : 0, 29702
GlobalTracer [baseline] (249.332 ms) : 0, 249332
GlobalTracer [candidate] (250.654 ms) : 0, 250654
AppSec [baseline] (32.898 ms) : 0, 32898
AppSec [candidate] (33.096 ms) : 0, 33096
Debugger [baseline] (61.851 ms) : 0, 61851
Debugger [candidate] (61.833 ms) : 0, 61833
Remote Config [baseline] (604.499 µs) : 0, 604
Remote Config [candidate] (2.091 ms) : 0, 2091
Telemetry [baseline] (8.415 ms) : 0, 8415
Telemetry [candidate] (10.053 ms) : 0, 10053
Flare Poller [baseline] (10.489 ms) : 0, 10489
Flare Poller [candidate] (8.406 ms) : 0, 8406
section iast
crashtracking [baseline] (1.231 ms) : 0, 1231
crashtracking [candidate] (1.226 ms) : 0, 1226
BytebuddyAgent [baseline] (824.019 ms) : 0, 824019
BytebuddyAgent [candidate] (820.913 ms) : 0, 820913
AgentMeter [baseline] (11.273 ms) : 0, 11273
AgentMeter [candidate] (11.259 ms) : 0, 11259
GlobalTracer [baseline] (237.602 ms) : 0, 237602
GlobalTracer [candidate] (237.348 ms) : 0, 237348
AppSec [baseline] (31.156 ms) : 0, 31156
AppSec [candidate] (33.935 ms) : 0, 33935
Debugger [baseline] (63.844 ms) : 0, 63844
Debugger [candidate] (63.899 ms) : 0, 63899
Remote Config [baseline] (525.393 µs) : 0, 525
Remote Config [candidate] (521.333 µs) : 0, 521
Telemetry [baseline] (7.907 ms) : 0, 7907
Telemetry [candidate] (7.846 ms) : 0, 7846
Flare Poller [baseline] (3.328 ms) : 0, 3328
Flare Poller [candidate] (3.31 ms) : 0, 3310
IAST [baseline] (28.237 ms) : 0, 28237
IAST [candidate] (25.783 ms) : 0, 25783
Loading
Startup time reports for petclinic 
gantt
    title petclinic - global startup overhead: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
Agent [baseline] (1.064 s) : 0, 1064464
Total [baseline] (11.016 s) : 0, 11016159
Agent [candidate] (1.071 s) : 0, 1071153
Total [candidate] (11.116 s) : 0, 11115547
section appsec
Agent [baseline] (1.268 s) : 0, 1267765
Total [baseline] (11.284 s) : 0, 11283623
Agent [candidate] (1.28 s) : 0, 1279773
Total [candidate] (11.239 s) : 0, 11238647
section iast
Agent [baseline] (1.248 s) : 0, 1247950
Total [baseline] (11.225 s) : 0, 11224804
Agent [candidate] (1.262 s) : 0, 1262055
Total [candidate] (11.26 s) : 0, 11259686
section profiling
Agent [baseline] (1.193 s) : 0, 1192887
Total [baseline] (11.024 s) : 0, 11023538
Agent [candidate] (1.196 s) : 0, 1196241
Total [candidate] (11.067 s) : 0, 11067184
Loading
  • baseline results
Module Variant Duration Δ tracing
Agent tracing 1.064 s -
Agent appsec 1.268 s 203.302 ms (19.1%)
Agent iast 1.248 s 183.486 ms (17.2%)
Agent profiling 1.193 s 128.423 ms (12.1%)
Total tracing 11.016 s -
Total appsec 11.284 s 267.464 ms (2.4%)
Total iast 11.225 s 208.644 ms (1.9%)
Total profiling 11.024 s 7.379 ms (0.1%)
  • candidate results
Module Variant Duration Δ tracing
Agent tracing 1.071 s -
Agent appsec 1.28 s 208.62 ms (19.5%)
Agent iast 1.262 s 190.902 ms (17.8%)
Agent profiling 1.196 s 125.088 ms (11.7%)
Total tracing 11.116 s -
Total appsec 11.239 s 123.101 ms (1.1%)
Total iast 11.26 s 144.14 ms (1.3%)
Total profiling 11.067 s -48.363 ms (-0.4%) 
gantt
    title petclinic - break down per module: candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b

    dateFormat X
    axisFormat %s
section tracing
crashtracking [baseline] (1.224 ms) : 0, 1224
crashtracking [candidate] (1.227 ms) : 0, 1227
BytebuddyAgent [baseline] (635.033 ms) : 0, 635033
BytebuddyAgent [candidate] (640.138 ms) : 0, 640138
AgentMeter [baseline] (29.407 ms) : 0, 29407
AgentMeter [candidate] (29.358 ms) : 0, 29358
GlobalTracer [baseline] (248.469 ms) : 0, 248469
GlobalTracer [candidate] (250.116 ms) : 0, 250116
AppSec [baseline] (32.719 ms) : 0, 32719
AppSec [candidate] (33.073 ms) : 0, 33073
Debugger [baseline] (61.828 ms) : 0, 61828
Debugger [candidate] (62.419 ms) : 0, 62419
Remote Config [baseline] (595.954 µs) : 0, 596
Remote Config [candidate] (589.163 µs) : 0, 589
Telemetry [baseline] (9.139 ms) : 0, 9139
Telemetry [candidate] (9.219 ms) : 0, 9219
Flare Poller [baseline] (9.944 ms) : 0, 9944
Flare Poller [candidate] (8.914 ms) : 0, 8914
section appsec
crashtracking [baseline] (1.233 ms) : 0, 1233
crashtracking [candidate] (1.236 ms) : 0, 1236
BytebuddyAgent [baseline] (674.829 ms) : 0, 674829
BytebuddyAgent [candidate] (682.589 ms) : 0, 682589
AgentMeter [baseline] (12.22 ms) : 0, 12220
AgentMeter [candidate] (12.378 ms) : 0, 12378
GlobalTracer [baseline] (249.43 ms) : 0, 249430
GlobalTracer [candidate] (251.791 ms) : 0, 251791
AppSec [baseline] (185.339 ms) : 0, 185339
AppSec [candidate] (186.253 ms) : 0, 186253
Debugger [baseline] (66.663 ms) : 0, 66663
Debugger [candidate] (66.639 ms) : 0, 66639
Remote Config [baseline] (556.072 µs) : 0, 556
Remote Config [candidate] (569.804 µs) : 0, 570
Telemetry [baseline] (7.724 ms) : 0, 7724
Telemetry [candidate] (7.892 ms) : 0, 7892
Flare Poller [baseline] (8.487 ms) : 0, 8487
Flare Poller [candidate] (8.59 ms) : 0, 8590
IAST [baseline] (24.627 ms) : 0, 24627
IAST [candidate] (24.954 ms) : 0, 24954
section iast
crashtracking [baseline] (1.229 ms) : 0, 1229
crashtracking [candidate] (1.243 ms) : 0, 1243
BytebuddyAgent [baseline] (824.426 ms) : 0, 824426
BytebuddyAgent [candidate] (837.335 ms) : 0, 837335
AgentMeter [baseline] (11.307 ms) : 0, 11307
AgentMeter [candidate] (11.414 ms) : 0, 11414
GlobalTracer [baseline] (238.267 ms) : 0, 238267
GlobalTracer [candidate] (239.298 ms) : 0, 239298
AppSec [baseline] (31.502 ms) : 0, 31502
AppSec [candidate] (31.721 ms) : 0, 31721
Debugger [baseline] (64.883 ms) : 0, 64883
Debugger [candidate] (65.209 ms) : 0, 65209
Remote Config [baseline] (526.885 µs) : 0, 527
Remote Config [candidate] (520.745 µs) : 0, 521
Telemetry [baseline] (8.014 ms) : 0, 8014
Telemetry [candidate] (7.984 ms) : 0, 7984
Flare Poller [baseline] (3.437 ms) : 0, 3437
Flare Poller [candidate] (3.503 ms) : 0, 3503
IAST [baseline] (28.245 ms) : 0, 28245
IAST [candidate] (27.432 ms) : 0, 27432
section profiling
ProfilingAgent [baseline] (94.657 ms) : 0, 94657
ProfilingAgent [candidate] (93.675 ms) : 0, 93675
crashtracking [baseline] (1.173 ms) : 0, 1173
crashtracking [candidate] (1.184 ms) : 0, 1184
BytebuddyAgent [baseline] (694.065 ms) : 0, 694065
BytebuddyAgent [candidate] (698.046 ms) : 0, 698046
AgentMeter [baseline] (8.976 ms) : 0, 8976
AgentMeter [candidate] (8.982 ms) : 0, 8982
GlobalTracer [baseline] (209.172 ms) : 0, 209172
GlobalTracer [candidate] (209.12 ms) : 0, 209120
AppSec [baseline] (33.046 ms) : 0, 33046
AppSec [candidate] (33.031 ms) : 0, 33031
Debugger [baseline] (68.046 ms) : 0, 68046
Debugger [candidate] (68.055 ms) : 0, 68055
Remote Config [baseline] (576.877 µs) : 0, 577
Remote Config [candidate] (575.383 µs) : 0, 575
Telemetry [baseline] (8.205 ms) : 0, 8205
Telemetry [candidate] (8.191 ms) : 0, 8191
Flare Poller [baseline] (3.562 ms) : 0, 3562
Flare Poller [candidate] (3.556 ms) : 0, 3556
Profiling [baseline] (95.221 ms) : 0, 95221
Profiling [candidate] (94.224 ms) : 0, 94224
Loading

Load

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/ai-guard-client-ip-tags
git_commit_date 1777473948 1777475364
git_commit_sha c9cebad 3b41551
release_version 1.62.0-SNAPSHOT~c9cebadc2b 1.62.0-SNAPSHOT~3b41551f9d
See matching parameters
Baseline Candidate
application insecure-bank insecure-bank
ci_job_date 1777477549 1777477549
ci_job_id 1642810009 1642810009
ci_pipeline_id 110468859 110468859
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-qb630l81 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-qb630l81 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 1 performance improvements and 4 performance regressions! Performance is the same for 16 metrics, 15 unstable metrics.

scenario Δ mean agg_http_req_duration_p50 Δ mean agg_http_req_duration_p95 Δ mean throughput candidate mean agg_http_req_duration_p50 candidate mean agg_http_req_duration_p95 candidate mean throughput baseline mean agg_http_req_duration_p50 baseline mean agg_http_req_duration_p95 baseline mean throughput
scenario:load:insecure-bank:profiling:high_load better
[-240.781µs; -70.039µs] or [-12.723%; -3.701%]		 unstable
[-1278.709µs; -298.240µs] or [-22.203%; -5.178%]		 unstable
[-34.075op/s; +450.325op/s] or [-1.793%; +23.701%]		 1.737ms 4.971ms 2108.156op/s 1.892ms 5.759ms 1900.031op/s
scenario:load:insecure-bank:iast_FULL:high_load worse
[+326.804µs; +578.710µs] or [+6.405%; +11.342%]		 worse
[+0.718ms; +1.476ms] or [+5.950%; +12.235%]		 unstable
[-135.631op/s; +18.818op/s] or [-16.879%; +2.342%]		 5.555ms 13.163ms 745.125op/s 5.102ms 12.066ms 803.531op/s
scenario:load:insecure-bank:iast:high_load worse
[+81.803µs; +188.869µs] or [+3.273%; +7.556%]		 same
[-12.852µs; +633.587µs] or [-0.174%; +8.586%]		 unstable
[-214.352op/s; +79.352op/s] or [-15.087%; +5.585%]		 2.635ms 7.690ms 1353.281op/s 2.499ms 7.379ms 1420.781op/s
scenario:load:petclinic:profiling:high_load worse
[+0.841ms; +1.864ms] or [+4.669%; +10.344%]		 unsure
[+0.372ms; +2.225ms] or [+1.256%; +7.514%]		 unstable
[-37.974op/s; +10.474op/s] or [-15.034%; +4.147%]		 19.370ms 30.917ms 238.844op/s 18.018ms 29.619ms 252.594op/s
Request duration reports for insecure-bank 
gantt
    title insecure-bank - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.246 ms) : 1234, 1259
.   : milestone, 1246,
iast (3.218 ms) : 3174, 3262
.   : milestone, 3218,
iast_FULL (5.751 ms) : 5695, 5807
.   : milestone, 5751,
iast_GLOBAL (3.648 ms) : 3586, 3711
.   : milestone, 3648,
profiling (2.388 ms) : 2364, 2412
.   : milestone, 2388,
tracing (1.927 ms) : 1910, 1943
.   : milestone, 1927,
section candidate
no_agent (1.231 ms) : 1219, 1242
.   : milestone, 1231,
iast (3.384 ms) : 3337, 3430
.   : milestone, 3384,
iast_FULL (6.211 ms) : 6147, 6275
.   : milestone, 6211,
iast_GLOBAL (3.673 ms) : 3618, 3729
.   : milestone, 3673,
profiling (2.146 ms) : 2124, 2167
.   : milestone, 2146,
tracing (1.918 ms) : 1902, 1934
.   : milestone, 1918,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.246 ms [1.234 ms, 1.259 ms] -
iast 3.218 ms [3.174 ms, 3.262 ms] 1.972 ms (158.2%)
iast_FULL 5.751 ms [5.695 ms, 5.807 ms] 4.505 ms (361.5%)
iast_GLOBAL 3.648 ms [3.586 ms, 3.711 ms] 2.402 ms (192.8%)
profiling 2.388 ms [2.364 ms, 2.412 ms] 1.142 ms (91.6%)
tracing 1.927 ms [1.91 ms, 1.943 ms] 680.355 µs (54.6%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 1.231 ms [1.219 ms, 1.242 ms] -
iast 3.384 ms [3.337 ms, 3.43 ms] 2.153 ms (175.0%)
iast_FULL 6.211 ms [6.147 ms, 6.275 ms] 4.98 ms (404.7%)
iast_GLOBAL 3.673 ms [3.618 ms, 3.729 ms] 2.443 ms (198.5%)
profiling 2.146 ms [2.124 ms, 2.167 ms] 915.106 µs (74.4%)
tracing 1.918 ms [1.902 ms, 1.934 ms] 687.451 µs (55.9%)
Request duration reports for petclinic 
gantt
    title petclinic - request duration [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (18.947 ms) : 18756, 19138
.   : milestone, 18947,
appsec (18.716 ms) : 18527, 18906
.   : milestone, 18716,
code_origins (17.551 ms) : 17379, 17723
.   : milestone, 17551,
iast (17.777 ms) : 17603, 17951
.   : milestone, 17777,
profiling (18.478 ms) : 18294, 18663
.   : milestone, 18478,
tracing (17.959 ms) : 17780, 18139
.   : milestone, 17959,
section candidate
no_agent (19.298 ms) : 19103, 19493
.   : milestone, 19298,
appsec (18.372 ms) : 18187, 18557
.   : milestone, 18372,
code_origins (17.96 ms) : 17783, 18137
.   : milestone, 17960,
iast (17.833 ms) : 17656, 18010
.   : milestone, 17833,
profiling (19.544 ms) : 19344, 19745
.   : milestone, 19544,
tracing (17.711 ms) : 17538, 17885
.   : milestone, 17711,
Loading
  • baseline results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 18.947 ms [18.756 ms, 19.138 ms] -
appsec 18.716 ms [18.527 ms, 18.906 ms] -230.467 µs (-1.2%)
code_origins 17.551 ms [17.379 ms, 17.723 ms] -1.396 ms (-7.4%)
iast 17.777 ms [17.603 ms, 17.951 ms] -1.17 ms (-6.2%)
profiling 18.478 ms [18.294 ms, 18.663 ms] -468.589 µs (-2.5%)
tracing 17.959 ms [17.78 ms, 18.139 ms] -987.731 µs (-5.2%)
  • candidate results
Variant Request duration [CI 0.99] Δ no_agent
no_agent 19.298 ms [19.103 ms, 19.493 ms] -
appsec 18.372 ms [18.187 ms, 18.557 ms] -926.428 µs (-4.8%)
code_origins 17.96 ms [17.783 ms, 18.137 ms] -1.338 ms (-6.9%)
iast 17.833 ms [17.656 ms, 18.01 ms] -1.466 ms (-7.6%)
profiling 19.544 ms [19.344 ms, 19.745 ms] 245.986 µs (1.3%)
tracing 17.711 ms [17.538 ms, 17.885 ms] -1.587 ms (-8.2%)

Dacapo

Parameters

Baseline Candidate
baseline_or_candidate baseline candidate
git_branch master smola/ai-guard-client-ip-tags
git_commit_date 1777473948 1777475364
git_commit_sha c9cebad 3b41551
release_version 1.62.0-SNAPSHOT~c9cebadc2b 1.62.0-SNAPSHOT~3b41551f9d
See matching parameters
Baseline Candidate
application biojava biojava
ci_job_date 1777477304 1777477304
ci_job_id 1642810010 1642810010
ci_pipeline_id 110468859 110468859
cpu_model Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz
kernel_version Linux runner-zfyrx7zua-project-304-concurrent-1-533v37x5 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux Linux runner-zfyrx7zua-project-304-concurrent-1-533v37x5 6.8.0-1031-aws #33~22.04.1-Ubuntu SMP Thu Jun 26 14:22:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 11 metrics, 1 unstable metrics.

Execution time for biojava 
gantt
    title biojava - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (15.475 s) : 15475000, 15475000
.   : milestone, 15475000,
appsec (14.539 s) : 14539000, 14539000
.   : milestone, 14539000,
iast (18.501 s) : 18501000, 18501000
.   : milestone, 18501000,
iast_GLOBAL (17.704 s) : 17704000, 17704000
.   : milestone, 17704000,
profiling (14.799 s) : 14799000, 14799000
.   : milestone, 14799000,
tracing (14.89 s) : 14890000, 14890000
.   : milestone, 14890000,
section candidate
no_agent (15.4 s) : 15400000, 15400000
.   : milestone, 15400000,
appsec (14.912 s) : 14912000, 14912000
.   : milestone, 14912000,
iast (18.401 s) : 18401000, 18401000
.   : milestone, 18401000,
iast_GLOBAL (18.041 s) : 18041000, 18041000
.   : milestone, 18041000,
profiling (15.257 s) : 15257000, 15257000
.   : milestone, 15257000,
tracing (14.617 s) : 14617000, 14617000
.   : milestone, 14617000,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.475 s [15.475 s, 15.475 s] -
appsec 14.539 s [14.539 s, 14.539 s] -936.0 ms (-6.0%)
iast 18.501 s [18.501 s, 18.501 s] 3.026 s (19.6%)
iast_GLOBAL 17.704 s [17.704 s, 17.704 s] 2.229 s (14.4%)
profiling 14.799 s [14.799 s, 14.799 s] -676.0 ms (-4.4%)
tracing 14.89 s [14.89 s, 14.89 s] -585.0 ms (-3.8%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 15.4 s [15.4 s, 15.4 s] -
appsec 14.912 s [14.912 s, 14.912 s] -488.0 ms (-3.2%)
iast 18.401 s [18.401 s, 18.401 s] 3.001 s (19.5%)
iast_GLOBAL 18.041 s [18.041 s, 18.041 s] 2.641 s (17.1%)
profiling 15.257 s [15.257 s, 15.257 s] -143.0 ms (-0.9%)
tracing 14.617 s [14.617 s, 14.617 s] -783.0 ms (-5.1%)
Execution time for tomcat 
gantt
    title tomcat - execution time [CI 0.99] : candidate=1.62.0-SNAPSHOT~3b41551f9d, baseline=1.62.0-SNAPSHOT~c9cebadc2b
    dateFormat X
    axisFormat %s
section baseline
no_agent (1.487 ms) : 1475, 1498
.   : milestone, 1487,
appsec (3.798 ms) : 3576, 4020
.   : milestone, 3798,
iast (2.275 ms) : 2206, 2345
.   : milestone, 2275,
iast_GLOBAL (2.315 ms) : 2245, 2385
.   : milestone, 2315,
profiling (2.106 ms) : 2051, 2161
.   : milestone, 2106,
tracing (2.085 ms) : 2032, 2139
.   : milestone, 2085,
section candidate
no_agent (1.483 ms) : 1472, 1495
.   : milestone, 1483,
appsec (3.839 ms) : 3617, 4061
.   : milestone, 3839,
iast (2.271 ms) : 2202, 2341
.   : milestone, 2271,
iast_GLOBAL (2.315 ms) : 2245, 2385
.   : milestone, 2315,
profiling (2.104 ms) : 2049, 2159
.   : milestone, 2104,
tracing (2.088 ms) : 2034, 2141
.   : milestone, 2088,
Loading
  • baseline results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.487 ms [1.475 ms, 1.498 ms] -
appsec 3.798 ms [3.576 ms, 4.02 ms] 2.311 ms (155.5%)
iast 2.275 ms [2.206 ms, 2.345 ms] 788.671 µs (53.0%)
iast_GLOBAL 2.315 ms [2.245 ms, 2.385 ms] 828.517 µs (55.7%)
profiling 2.106 ms [2.051 ms, 2.161 ms] 619.442 µs (41.7%)
tracing 2.085 ms [2.032 ms, 2.139 ms] 598.621 µs (40.3%)
  • candidate results
Variant Execution Time [CI 0.99] Δ no_agent
no_agent 1.483 ms [1.472 ms, 1.495 ms] -
appsec 3.839 ms [3.617 ms, 4.061 ms] 2.355 ms (158.8%)
iast 2.271 ms [2.202 ms, 2.341 ms] 787.717 µs (53.1%)
iast_GLOBAL 2.315 ms [2.245 ms, 2.385 ms] 831.28 µs (56.0%)
profiling 2.104 ms [2.049 ms, 2.159 ms] 620.965 µs (41.9%)
tracing 2.088 ms [2.034 ms, 2.141 ms] 604.25 µs (40.7%)

@smola
Collect client IP tags for AI Guard requests
041ae77 
When DD_AI_GUARD_ENABLED=true, resolve the client IP eagerly during HTTP
server request decoration and stash it on the request context. Apply the
tags (http.client_ip and network.client.ip) on the local root span only
when an ai_guard span is actually created, so non-AI requests of an
AI-Guard-enabled service do not get IP tags.

APPSEC-62199
@smola smola force-pushed the smola/ai-guard-client-ip-tags branch from 3b41551 to 041ae77 Compare May 6, 2026 08:00
@smola smola changed the title Smola/ai guard client ip tags Collect client IP tags for AI Guard requests May 6, 2026
@smola smola added type: enhancement Enhancements and improvements tag: ai generated Largely based on code generated by an AI or LLM comp: ai-guard AI Guard labels May 6, 2026
@smola smola marked this pull request as ready for review May 6, 2026 10:11
@smola smola requested review from a team as code owners May 6, 2026 10:11
@smola smola requested review from a team, daniel-romano-DD, manuel-alvarez-alvarez and mtoffl01 and removed request for a team May 6, 2026 10:11
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 041ae77c3d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread ...rap/src/main/java/datadog/trace/bootstrap/instrumentation/decorator/HttpServerDecorator.java
Comment on lines +270 to +271
final boolean shouldStashIps =
!shouldTagIps && traceClientIpResolverEnabled && config.isAiGuardEnabled();
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Enable IP header extraction for AI Guard-only mode

In the AI Guard-only configuration (DD_AI_GUARD_ENABLED=true with AppSec and dd.trace.client-ip.enabled off), this branch asks the resolver to stash IPs, but the extracted context never contains the forwarding headers: ContextInterpreter.reset still sets collectIpHeaders only for clientIpWithoutAppSec || clientIpResolutionEnabled && APPSEC_ACTIVE. As a result ClientIpAddressResolver.resolve(extracted, span) sees null X-Forwarded-For/Forwarded headers and falls back to the socket peer, so http.client_ip on the ai_guard trace is wrong in the mode this change adds.

Useful? React with 👍 / 👎.

manuel-alvarez-alvarez
manuel-alvarez-alvarez approved these changes May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@manuel-alvarez-alvarez manuel-alvarez-alvarez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, to review the Codex comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@manuel-alvarez-alvarez manuel-alvarez-alvarez manuel-alvarez-alvarez approved these changes

@daniel-romano-DD daniel-romano-DD Awaiting requested review from daniel-romano-DD daniel-romano-DD is a code owner automatically assigned from DataDog/asm-java

@mtoffl01 mtoffl01 Awaiting requested review from mtoffl01 mtoffl01 is a code owner automatically assigned from DataDog/apm-sdk-capabilities-java

Assignees

No one assigned

Labels

comp: ai-guard AI Guard tag: ai generated Largely based on code generated by an AI or LLM type: enhancement Enhancements and improvements

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@smola @manuel-alvarez-alvarez