|
| 1 | +--- |
| 2 | +title: Enabling App and API Protection for Go |
| 3 | +aliases: |
| 4 | + - /security_platform/application_security/getting_started/go |
| 5 | + - /security/application_security/getting_started/go |
| 6 | + - /security/application_security/threats/setup/threat_detection/go |
| 7 | + - /security/application_security/threats_detection/go |
| 8 | +further_reading: |
| 9 | +- link: "https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec" |
| 10 | + tag: "Documentation" |
| 11 | + text: "Go Security API docs" |
| 12 | +- link: "/security/application_security/add-user-info/" |
| 13 | + tag: "Documentation" |
| 14 | + text: "Adding user information to traces" |
| 15 | +- link: 'https://github.com/DataDog/dd-trace-go' |
| 16 | + tag: "Source Code" |
| 17 | + text: 'Tracer source code' |
| 18 | +- link: 'https://github.com/DataDog/orchestrion' |
| 19 | + tag: "Source Code" |
| 20 | + text: 'Orchestrion source code' |
| 21 | +- link: "/security/default_rules/?category=cat-application-security" |
| 22 | + tag: "Documentation" |
| 23 | + text: "OOTB App and API Protection Rules" |
| 24 | +- link: "/security/application_security/troubleshooting" |
| 25 | + tag: "Documentation" |
| 26 | + text: "Troubleshooting App and API Protection" |
| 27 | +--- |
| 28 | + |
| 29 | +You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS. |
| 30 | + |
| 31 | +{{% appsec-getstarted %}} |
| 32 | + |
| 33 | +# Prerequisite |
| 34 | + |
| 35 | +- Your service framework and tools are [compatible][2] with the [Application & API Protection (AAP)][1] product. |
| 36 | +- Your deployment environment is [supported][5]. |
| 37 | +- You have one of the latest two version of [Go][4] installed (following the [Official Release Policy][5]). |
| 38 | + |
| 39 | +## Enabling Application & API Protection (AAP) |
| 40 | +### Get started |
| 41 | + |
| 42 | +1. **Install Orchestrion**: |
| 43 | + |
| 44 | + ```console |
| 45 | + $ go install github.com/DataDog/orchestrion@latest |
| 46 | + ``` |
| 47 | + |
| 48 | +2. **Register Orchestrion as a Go module** in your project directory: |
| 49 | + ```console |
| 50 | + $ orchestrion pin |
| 51 | + ``` |
| 52 | + |
| 53 | +3. Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. |
| 54 | + A list of these packages can be found in the [compatibility requirements][1] page. |
| 55 | + Import these packages into your application and follow the configuration instructions listed alongside each integration. |
| 56 | + |
| 57 | +4. **Recompile your program** with Orchestrion: |
| 58 | + ```console |
| 59 | + $ orchestrion go build my-program |
| 60 | + ``` |
| 61 | + More options on how to use orchestrion can be found in the [Orchestrion usage][7]. |
| 62 | + |
| 63 | + Note: If you are building without CGO on linux. Please read [Building Go applications with CGO disabled][6] for more information. |
| 64 | + |
| 65 | +5. **Redeploy your Go service and enable AAP** by setting the `DD_APPSEC_ENABLED` environment variable to `true`: |
| 66 | + ```console |
| 67 | + $ env DD_APPSEC_ENABLED=true ./my-program |
| 68 | + ``` |
| 69 | + |
| 70 | + Or one of the following methods, depending on where your application runs: |
| 71 | + |
| 72 | + {{< tabs >}} |
| 73 | +{{% tab "Docker CLI" %}} |
| 74 | + |
| 75 | +Add the following environment variable value to your Docker command line: |
| 76 | + |
| 77 | +```console |
| 78 | +$ docker run -e DD_APPSEC_ENABLED=true [...] |
| 79 | +``` |
| 80 | + |
| 81 | +{{% /tab %}} |
| 82 | +{{% tab "Dockerfile" %}} |
| 83 | + |
| 84 | +Add the following environment variable value to your application container's Dockerfile: |
| 85 | + |
| 86 | +```Dockerfile |
| 87 | +ENV DD_APPSEC_ENABLED=true |
| 88 | +``` |
| 89 | + |
| 90 | +A more detailed guide on how to create a fitting dockerfile is available [here][3]. |
| 91 | + |
| 92 | +{{% /tab %}} |
| 93 | +{{% tab "Kubernetes" %}} |
| 94 | + |
| 95 | +Update your application's deployment configuration file for APM and add the AAP environment variable: |
| 96 | + |
| 97 | +```yaml |
| 98 | +spec: |
| 99 | + template: |
| 100 | + spec: |
| 101 | + containers: |
| 102 | + - name: <CONTAINER_NAME> |
| 103 | + image: <CONTAINER_IMAGE>/<TAG> |
| 104 | + env: |
| 105 | + - name: DD_APPSEC_ENABLED |
| 106 | + value: "true" |
| 107 | +``` |
| 108 | +
|
| 109 | +{{% /tab %}} |
| 110 | +{{% tab "Amazon ECS" %}} |
| 111 | +
|
| 112 | +Update your application's ECS task definition JSON file, by adding this in the environment section: |
| 113 | +
|
| 114 | +```json |
| 115 | +"environment": [ |
| 116 | + ..., |
| 117 | + { |
| 118 | + "name": "DD_APPSEC_ENABLED", |
| 119 | + "value": "true" |
| 120 | + } |
| 121 | +] |
| 122 | +``` |
| 123 | + |
| 124 | +{{% /tab %}} |
| 125 | + |
| 126 | +{{< /tabs >}} |
| 127 | + |
| 128 | +{{% app_and_api_protection_verify_setup %}} |
| 129 | + |
| 130 | +{{% appsec-getstarted-2 %}} |
| 131 | + |
| 132 | +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} |
| 133 | + |
| 134 | +### Building without CGO |
| 135 | + |
| 136 | +If you are building your Go application without CGO, you can still enable AAP by following these steps: |
| 137 | + |
| 138 | +1. **Add the `appsec` build tag** when compiling your application: |
| 139 | + ```console |
| 140 | + $ CGO_ENABLED=0 orchestrion go build -tags appsec my-program |
| 141 | + ``` |
| 142 | + |
| 143 | + Using `CGO_ENABLED=0` usually guarantees a statically-linked binary. This will NOT be the case in this setup. |
| 144 | + |
| 145 | +2. **Install `libc.so.6` and `libpthread.so.0`** on your system, as these libraries are required by the Datadog WAF: |
| 146 | + This can be done by installing the `glibc` package on your system via your package manager. Read more on [Creating a Dockerfile for AAP][3] |
| 147 | + |
| 148 | +3. **Redeploy your Go service** with the `DD_APPSEC_ENABLED=true` environment variable set, as described above. |
| 149 | + |
| 150 | +## Using AAP without APM tracing |
| 151 | + |
| 152 | +If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled: |
| 153 | + |
| 154 | +1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable. |
| 155 | +2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products. |
| 156 | + |
| 157 | +For more details, see [Standalone App and API Protection][standalone_billing_guide]. |
| 158 | +[standalone_billing_guide]: /security/application_security/guide/standalone_application_security/ |
| 159 | + |
| 160 | +## Further Reading |
| 161 | + |
| 162 | +{{< partial name="whats-next/whats-next.html" >}} |
| 163 | + |
| 164 | +[1]: /security/application_security/setup/compatibility/go/?tab=v2#web-framework-compatibility |
| 165 | +[2]: /security/application_security/setup/compatibility/go/ |
| 166 | +[3]: /security/application_security/setup/go/dockerfile |
| 167 | +[4]: https://go.dev/ |
| 168 | +[5]: https://go.dev/doc/devel/release#policy |
| 169 | +[6]: /security/application_security/setup/go#building-without-cgo |
| 170 | +[7]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/go/?tab=compiletimeinstrumentation#usage |
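Review bot: In the Prerequisite list, "Your deployment environment is [supported][5]" resolves to the same target as "[Official Release Policy][5]", because [5] is defined as https://go.dev/doc/devel/release#policy, so the supported-environment link lands on the Go release policy instead of a Datadog page. Give the deployment-environment link its own reference. The same list links "[Application & API Protection (AAP)][1]" to the web-framework compatibility anchor, while step 3 uses [1] for "compatibility requirements", so please check that the product link is the intended one. Two smaller points: "[standalone_billing_guide]: ..." sits directly under the "For more details" sentence with no blank line, and a CommonMark renderer treats a definition in that position as paragraph text, so move it down with the other reference definitions. In the step 4 note, "If you are building without CGO on linux. Please read" is a fragment and [6] points back to this page's own "Building without CGO" section, so it would read better as one sentence that refers to the section below. "latest two version" should be "latest two versions".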