AppSec Lambda: Analyze HTTP response

[claponcet]

What Does This Do

Adds AppSec response analysis for AWS Lambda: LambdaAppSecHandler.processResponseData
parses the Lambda response object and fires the WAF gateway events (responseStarted,
responseHeader, responseHeaderDone, responseBody) with the extracted status code,
headers, and body.

Trigger-type detection (API Gateway v1/v2, ALB, Lambda URL, WebSocket) is added to
processRequestStart and stored in a ThreadLocal. processResponseData uses it to
decide whether to parse the response as an API-GW envelope or fall back to treating the
whole payload as a plain response body, matching how non-envelope HTTP triggers behave.

CoreTracer.notifyAppSecEnd is extended to receive the raw result object so it can be
forwarded to processResponseData from the Lambda handler instrumentation.

Additional extraction improvements:

• Response header keys are lowercased (Locale.ROOT) to normalise casing across API GW / ALB variants
• isBase64Encoded accepts "true" (string) in addition to Boolean.TRUE

LambdaHandlerInstrumentationTest and LambdaAppSecHandlerTest migrated from Spock/Groovy
to JUnit 5 Java, with new test cases for response analysis and trigger-type gating.

Motivation

Allows the WAF to inspect Lambda HTTP responses for threats.

Additional Notes

Contributor Checklist

• Format the title according to the contribution guidelines
• Assign the type: and (comp: or inst:) labels in addition to any other useful labels
• Avoid using close, fix, or any linking keywords when referencing an issue
  Use solves instead, and assign the PR milestone to the issue
• Update the CODEOWNERS file on source file addition, migration, or deletion
• Update public documentation with any new configuration flags or behaviors
• Add your completed PR to the merge queue by commenting /merge.

Jira ticket: APPSEC-60532

[dd-octo-sts]

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite	Status
Startup	🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario	Candidate	master	Δ (95% CI of mean)
startup:insecure-bank:iast:Agent	13.96 s	13.96 s	[-1.0%; +1.0%] (no difference)
startup:insecure-bank:tracing:Agent	12.95 s	12.99 s	[-1.1%; +0.5%] (no difference)
startup:petclinic:appsec:Agent	17.44 s	17.46 s	[-1.2%; +0.9%] (no difference)
startup:petclinic:iast:Agent	17.37 s	17.63 s	[-2.4%; -0.6%] (maybe better)
startup:petclinic:profiling:Agent	17.40 s	17.49 s	[-1.4%; +0.4%] (no difference)
startup:petclinic:sca:Agent	17.53 s	17.47 s	[-0.5%; +1.2%] (no difference)
startup:petclinic:tracing:Agent	16.67 s	16.70 s	[-1.2%; +0.8%] (no difference)

Commit: 868f9a13 · CI Pipeline · Benchmarking Platform UI

---

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.

[claponcet]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3d2a12a4fb

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 868f9a139e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Forward response cookies from v2 payloads

For API Gateway HTTP API v2 and Lambda Function URL responses, cookies can be returned in the top-level cookies array and are sent to clients as Set-Cookie headers, but this extraction only reads headers and multiValueHeaders. In those responses AppSec never receives the response cookies, so rules/redaction depending on Set-Cookie are skipped; merge response.get("cookies") into the forwarded response headers before responseHeaderDone.

Useful? React with 👍 / 👎.