-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update docs for AppSec on Ruby 1.1.0
- Loading branch information
Showing
2 changed files
with
124 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -292,11 +292,51 @@ if span, ok := tracer.SpanFromContext(request.Context()); ok { | |
{{< programming-lang lang="ruby" >}} | ||
Use either API to add user information to a trace so that you can monitor authenticated requests in the application. | ||
{{< tabs >}} | ||
{{% tab "Using `Datadog::Kit::Identity.set_user` %}} | ||
Starting with `ddtrace` 1.1.0, a convenience `set_user` method is available: | ||
```ruby | ||
# Get the active trace | ||
trace = Datadog::Tracing.active_trace | ||
|
||
# Set mandatory user id tag | ||
Datadog::Kit::Identity.set_user(trace, id: 'd131dd02c56eeec4') | ||
|
||
# Or set any of these optional user monitoring tags | ||
Datadog::Kit::Identity.set_user( | ||
trace, | ||
|
||
# mandatory id | ||
id: 'd131dd02c56eeec4', | ||
|
||
# optional tags with known semantics | ||
name: 'Jean Example', | ||
email:, '[email protected]', | ||
session_id:, '987654321', | ||
role: 'admin', | ||
scope: 'read:message, write:files', | ||
|
||
# optional free-form tags | ||
another_tag: 'another_value', | ||
) | ||
``` | ||
{{% /tab %}} | ||
{{% tab "Using trace `set_tag`" %}} | ||
Note: `Datadog::Kit::Identity.set_user` is the recommended way to set user information. | ||
Use the the Ruby tracer's API for adding custom tags to a trace, and add user information so that you can monitor authenticated requests in the application. | ||
User monitoring tags are applied on the trace and start with the prefix `usr` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user’s name. | ||
User monitoring tags are applied on the trace and start with the prefix `usr.` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user’s name. | ||
The example below shows how to obtain the root span and add relevant user monitoring tags: | ||
The example below shows how to obtain the active trace and add relevant user monitoring tags: | ||
**Notes**: | ||
- Tag values must be strings. | ||
|
@@ -309,14 +349,21 @@ trace = Datadog::Tracing.active_trace | |
# Set mandatory user id tag | ||
trace.set_tag('usr.id', 'd131dd02c56eeec4') | ||
|
||
# Set optional user monitoring tags | ||
# Set optional user monitoring tags with known sematics | ||
trace.set_tag('usr.name', 'Jean Example') | ||
trace.set_tag('usr.email', '[email protected]') | ||
trace.set_tag('usr.session_id', '987654321') | ||
trace.set_tag('usr.role', 'admin') | ||
trace.set_tag('usr.scope', 'read:message, write:files') | ||
|
||
# Set free-form tags: | ||
trace.set_tag('usr.another_tag', 'another_value') | ||
``` | ||
{{% /tab %}} | ||
{{< /tabs >}} | ||
{{< /programming-lang >}} | ||
{{< programming-lang lang="php" >}} | ||
|
@@ -386,11 +433,34 @@ The data that you collect with Datadog can contain sensitive information that yo | |
By default, ASM collects information from suspicious requests to help you understand why the request was flagged as suspicious. Before sending the data, ASM scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `<redacted>` flag, so you observe that although the request was suspicious, the request data could not be collected because of data security concerns. | ||
To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2], so to customize scanning, set the value of these environment variables to a valid RE2 patten: | ||
To protect users' data, sensitive data scanning is activated by default in ASM. You can customize the configuration by using the following environment variables. The scanning is based on the [RE2 syntax][2], so to customize scanning, set the value of these environment variables to a valid RE2 pattern: | ||
* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the key, all corresponding values, and any child nodes are redacted. | ||
* `DD_APPSEC_OBFUSCATION_PARAMETER_KEY_REGEXP` - Pattern for scanning for keys whose values commonly contain sensitive data. If found, the values and any child nodes associated with the key are redacted. | ||
* `DD_APPSEC_OBFUSCATION_PARAMETER_VALUE_REGEXP` - Pattern for scanning for values that could indicate sensitive data. If found, the value and all its child nodes are redacted. | ||
{{< programming-lang-wrapper langs="ruby" >}} | ||
{{< programming-lang lang="ruby" >}} | ||
It is also possible to configure these patterns from code: | ||
```ruby | ||
Datadog.configure do |c| | ||
# ... | ||
|
||
# Set custom RE2 regexes | ||
c.appsec.obfuscator_key_regex = '...' | ||
c.appsec.obfuscator_value_regex = '...' | ||
end | ||
``` | ||
Note: this feature is available starting with `ddtrace` 1.1.0. | ||
{{< /programming-lang >}} | ||
{{< /programming-lang-wrapper >}} | ||
The following are examples of data that are flagged as sensitive by default: | ||
* `pwd`, `password`, `ipassword`, `pass_phrase` | ||
|