Skip to content

AppSec Tests

AppSec Tests #1672

Workflow file for this run

name: AppSec Tests
on:
workflow_call: # allows to reuse this workflow
inputs:
ref:
description: 'The branch to run the workflow on'
required: true
type: string
workflow_dispatch: # manually
schedule: # nightly
- cron: "0 0 * * *"
pull_request: # on pull requests touching appsec files
paths:
- '.github/workflows/appsec.yml'
- 'internal/appsec/**'
- 'appsec/**'
- 'contrib/**/appsec.go'
merge_group: # on merge groups touching appsec files
paths:
- '.github/workflows/appsec.yml'
- 'internal/appsec/**'
- 'appsec/**'
- 'contrib/**/appsec.go'
push:
branches: release-v*
env:
DD_APPSEC_WAF_TIMEOUT: 5s
JUNIT_REPORT: /tmp/gotestsum-report
V2_BRANCH: false
jobs:
native:
strategy:
matrix:
runs-on: [ macos-13, macos-12, macos-11, ubuntu-22.04, ubuntu-20.04 ]
go-version: [ "1.21", "1.20", "1.19" ]
cgo_enabled: [ "0", "1" ] # test it compiles with and without cgo
appsec_enabled: # test it compiles with and without appsec enabled
- DD_APPSEC_ENABLED=true
- DD_APPSEC_ENABLED=false
- "" # the env var is not defined so that the remote-config path can be taken
include:
- cgocheck:
GODEBUG=cgocheck=2
- go-version: "1.21"
cgocheck: # 1.21 deprecates the GODEBUG=cgocheck=2 value, replacing it with GOEXPERIMENT=cgocheck2
GOEXPERIMENT=cgocheck2
fail-fast: false
runs-on: ${{ matrix.runs-on }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref || github.ref }}
- uses: actions/setup-go@v3
with:
go-version: ${{ matrix.go-version }}
- name: Go modules cache
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: go-pkg-mod-${{ hashFiles('**/go.sum') }}
restore-keys: go-pkg-mod-
- name: go test
shell: bash
run: |
go install gotest.tools/gotestsum@latest
# Run the tests with gotestsum
env ${{ matrix.cgocheck }} CGO_ENABLED=${{ matrix.cgo_enabled }} ${{ matrix.appsec_enabled }} ./.github/workflows/apps/appsec-test-contrib-submodules.sh
- name: Upload the results to Datadog CI App
uses: ./.github/actions/dd-ci-upload
with:
dd-api-key: ${{ secrets.DD_CI_API_KEY }}
files: ${{ env.JUNIT_REPORT }}*.xml
tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }}
# Tests cases were appsec end up being disable
waf-disabled:
strategy:
fail-fast: false
matrix:
go-args: [ "-tags datadog.no_waf", "-tags go1.22" ]
runs-on: [ macos-13, ubuntu-latest ]
appsec_enabled:
- DD_APPSEC_ENABLED=true
- "" # the env var is not defined so that the remote-config path can be taken
include:
- runs-on: windows-latest
go-args: ""
runs-on: ${{ matrix.runs-on }}
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3 # TODO: rely on v4 which now provides github caching by default
with:
go-version: stable
- name: Go modules cache
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: go-pkg-mod-${{ hashFiles('**/go.sum') }}
restore-keys: go-pkg-mod-
- name: go test
shell: bash
run: |
go install gotest.tools/gotestsum@latest
# Run the tests with gotestsum
env ${{ matrix.appsec_enabled }} ./.github/workflows/apps/appsec-test-contrib-submodules.sh
- name: Upload the results to Datadog CI App
uses: ./.github/actions/dd-ci-upload
with:
dd-api-key: ${{ secrets.DD_CI_API_KEY }}
files: ${{ env.JUNIT_REPORT }}*.xml
tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }}
# Same tests but on the official golang container for linux
golang-linux-container:
runs-on: ubuntu-latest
container:
image: golang:${{ matrix.go-version }}-${{ matrix.distribution }}
strategy:
matrix:
go-version: [ "1.21", "1.20", "1.19" ]
distribution: [ bookworm, bullseye, buster, alpine ]
cgo_enabled: # test it compiles with and without cgo
- 0
- 1
appsec_enabled: # test it compiles with and without appsec enabled
- DD_APPSEC_ENABLED=true
- DD_APPSEC_ENABLED=false
- "" # the env var is not defined so that the remote-config path can be taken
exclude:
- go-version: "1.21"
distribution: buster
fail-fast: false
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref || github.ref }}
# Install gcc and the libc headers on alpine images
- if: ${{ matrix.distribution == 'alpine' }}
run: apk add gcc musl-dev libc6-compat git bash
- name: Go modules cache
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: go-pkg-mod-${{ hashFiles('**/go.sum') }}
restore-keys: go-pkg-mod-
- name: go test
run: |
# Install gotestsum to get the results in a junit file
go install gotest.tools/gotestsum@latest
# Run the tests with gotestsum
env CGO_ENABLED=${{ matrix.cgo_enabled }} ${{ matrix.appsec_enabled }} /bin/bash ./.github/workflows/apps/appsec-test-contrib-submodules.sh
- name: Upload the results to Datadog CI App
if: matrix.distribution != 'alpine' # datadog-ci CLI doesn't work on alpine
uses: ./.github/actions/dd-ci-upload
with:
dd-api-key: ${{ secrets.DD_CI_API_KEY }}
files: ${{ env.JUNIT_REPORT }}*.xml
tags: go:${{ matrix.go-version }},arch:${{ runner.arch }},os:${{ runner.os }},distribution:${{ matrix.distribution }}
linux-arm64:
runs-on: ubuntu-latest
strategy:
matrix:
cgo_enabled: # test it compiles with and without the cgo
- 0
- 1
appsec_enabled: # test it compiles with and without appsec enabled
- true
- false
fail-fast: false
steps:
- uses: actions/checkout@v3
with:
ref: ${{ inputs.ref || github.ref }}
- name: Go modules cache
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: go-pkg-mod-${{ hashFiles('**/go.sum') }}
restore-keys: go-pkg-mod-
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: arm64
- run: |
env CGO_ENABLED=${{ matrix.cgo_enabled }} DD_APPSEC_ENABLED=${{ matrix.appsec_enabled }} DD_APPSEC_WAF_TIMEOUT=$DD_APPSEC_WAF_TIMEOUT ./.github/workflows/apps/appsec-test-contrib-submodules.sh docker linux/arm64
smoke-tests:
uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@main
if: inputs.ref != 'refs/heads/v2-dev'
with:
dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}
smoke-tests-v2:
# TODO(darccio): change to main branch on v2 release
uses: DataDog/appsec-go-test-app/.github/workflows/smoke-tests.yml@dario.castane/AIT-3705/dd-trace-go.v2
if: inputs.ref == 'refs/heads/v2-dev'
with:
dd-trace-go-version: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }}