Enabling App and API Protection for Go

Docs > Datadog Security > App and API Protection > Enabling App and API Protection > Enabling App and API Protection for Go

You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS.

Prerequisites

1-Click Enablement
If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, hover over the Not Enabled indicator in the AAP Status column and click Enable AAP. There's no need to re-launch the service with the DD_APPSEC_ENABLED=true or --enable-appsec flags.

The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
Datadog APM is configured for your application or service, and traces are being received by Datadog.
If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can block attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.

Prerequisite

Your service framework and tools are compatible with the Application & API Protection (AAP) product.
Your deployment environment is supported.
You have one of the latest two version of Go installed (following the Official Release Policy).

Enabling Application & API Protection (AAP)

Get started

Install Orchestrion:

$ go install github.com/DataDog/orchestrion@latest


2. **Register Orchestrion as a Go module** in your project directory:
```console
$ orchestrion pin

Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. A list of these packages can be found in the compatibility requirements page. Import these packages into your application and follow the configuration instructions listed alongside each integration.
Recompile your program with Orchestrion:
```
$ orchestrion go build my-program
```

More options on how to use orchestrion can be found in the Orchestrion usage.

Note: If you are building without CGO on linux. Please read Building Go applications with CGO disabled for more information.

Redeploy your Go service and enable AAP by setting the DD_APPSEC_ENABLED environment variable to true:
```
$ env DD_APPSEC_ENABLED=true ./my-program
```
Or one of the following methods, depending on where your application runs:
Add the following environment variable value to your Docker command line:
$ docker run -e DD_APPSEC_ENABLED=true [...]
Add the following environment variable value to your application container’s Dockerfile:
ENV DD_APPSEC_ENABLED=true
A more detailed guide on how to create a fitting dockerfile is available [here][3].
Update your application’s deployment configuration file for APM and add the AAP environment variable:
spec: template: spec: containers: - name: <CONTAINER_NAME> image: <CONTAINER_IMAGE>/<TAG> env: - name: DD_APPSEC_ENABLED value: "true"
Update your application’s ECS task definition JSON file, by adding this in the environment section:
"environment": [ ..., { "name": "DD_APPSEC_ENABLED", "value": "true" } ]

4. Verify setup

To verify that App and API Protection is working correctly:

Send some traffic to your application
Check the Application Signals Explorer in Datadog
Look for security signals and vulnerabilities
The library collects security data from your application and sends it to the Agent, which sends it to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so you can take steps to remediate.
To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a file that contains the following curl script:
```
for ((i=1;i<=250;i++)); 
do
# Target existing service’s routes
curl https://your-application-url/existing-route -A Arachni/v1.0;
# Target non existing service’s routes
curl https://your-application-url/non-existing-route -A Arachni/v1.0;
done
```
A few minutes after you enable your application and exercise it, threat information appears in the Application Trace and Signals Explorer in Datadog.

Building without CGO

If you are building your Go application without CGO, you can still enable AAP by following these steps:

Add the appsec build tag when compiling your application:

$ CGO_ENABLED=0 orchestrion go build -tags appsec my-program

Using CGO_ENABLED=0 usually guarantees a statically-linked binary. This will NOT be the case in this setup.

Install libc.so.6 and libpthread.so.0 on your system, as these libraries are required by the Datadog WAF: This can be done by installing the glibc package on your system via your package manager. Read more on Creating a Dockerfile for AAP
Redeploy your Go service with the DD_APPSEC_ENABLED=true environment variable set, as described above.

Using AAP without APM tracing

If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled:

Configure your tracing library with the DD_APM_TRACING_ENABLED=false environment variable in addition to the DD_APPSEC_ENABLED=true environment variable.
This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products.

For more details, see [Standalone App and API Protection][standalone_billing_guide]. [standalone_billing_guide]: /security/application_security/guide/standalone_application_security/