DataDog · RomainMuller · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025
@@ -10,6 +10,7 @@ package libddwaf
 import (
 	"bytes"
 	"encoding/json"
+	"io"
 	"maps"
 	"net/http"
 	"os"
@@ -317,7 +318,10 @@ func TestBuilder(t *testing.T) {
 		resp, err := http.DefaultClient.Do(req)
 		require.NoError(t, err)
 		defer resp.Body.Close()
-		require.Equal(t, http.StatusOK, resp.StatusCode)
+		require.Equal(t, http.StatusOK, resp.StatusCode, "failed to get latest release of DataDog/appsec-event-rules: %s\n%s", resp.Status, func() string {
+			body, _ := io.ReadAll(resp.Body)
+			return string(body)
+		}())
 
 		var release struct {
 			TagName string `json:"tag_name"`

@@ -76,6 +76,8 @@ func decodeDiagnostics(obj *bindings.WAFObject) (Diagnostics, error) {
 			diags.RulesOverrides, err = decodeFeature(objElem)
 		case "processors":
 			diags.Processors, err = decodeFeature(objElem)
+		case "processor_overrides":
+			diags.ProcessorOverrides, err = decodeFeature(objElem)
 		case "scanners":
 			diags.Scanners, err = decodeFeature(objElem)
 		case "ruleset_version":

@@ -29,6 +29,8 @@ type Diagnostics struct {
 	ExclusionData *Feature
 	// Processors contains information about the loaded processors.
 	Processors *Feature
+	// ProcessorOverrides contains information about the loaded processor overrides.
+	ProcessorOverrides *Feature
 	// Scanners contains information about the loaded scanners.
 	Scanners *Feature
 	// Version is the version of the parsed ruleset if available.
@@ -38,15 +40,16 @@ type Diagnostics struct {
 // EachFeature calls the provided callback for each (non-nil) feature in this diagnostics object.
 func (d *Diagnostics) EachFeature(cb func(string, *Feature)) {
 	byName := map[string]*Feature{
-		"rules":           d.Rules,
-		"custom_rules":    d.CustomRules,
-		"actions":         d.Actions,
-		"exclusions":      d.Exclusions,
-		"rules_overrides": d.RulesOverrides,
-		"rules_data":      d.RulesData,
-		"exclusion_data":  d.ExclusionData,
-		"processors":      d.Processors,
-		"scanners":        d.Scanners,
+		"rules":               d.Rules,
+		"custom_rules":        d.CustomRules,
+		"actions":             d.Actions,
+		"exclusions":          d.Exclusions,
+		"rules_overrides":     d.RulesOverrides,
+		"rules_data":          d.RulesData,
+		"exclusion_data":      d.ExclusionData,
+		"processors":          d.Processors,
+		"processor_overrides": d.ProcessorOverrides,
+		"scanners":            d.Scanners,
 	}
 
 	for name, feat := range byName {

@@ -33,3 +33,23 @@ func TestDecodeDiagnosticsExclusionData(t *testing.T) {
 	require.NotNil(t, diags.ExclusionData)
 	require.Contains(t, diags.ExclusionData.Loaded, "id1")
 }
+
+func TestDecodeProcessorOverrides(t *testing.T) {
+	var pinner runtime.Pinner
+	defer pinner.Unpin()
+
+	encoder, err := newEncoder(newUnlimitedEncoderConfig(&pinner))
+	require.NoError(t, err)
+
+	obj, err := encoder.Encode(map[string]any{
+		"processor_overrides": map[string]any{
+			"loaded": []any{"id1"},
+		},
+	})
+	require.NoError(t, err)
+
+	diags, err := decodeDiagnostics(obj)
+	require.NoError(t, err)
+	require.NotNil(t, diags.ProcessorOverrides)
+	require.Contains(t, diags.ProcessorOverrides.Loaded, "id1")
+}
@@ -26,6 +26,7 @@ import (
 	"github.com/DataDog/go-libddwaf/v4/internal/lib"
 	"github.com/DataDog/go-libddwaf/v4/timer"
 	"github.com/DataDog/go-libddwaf/v4/waferrors"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -1286,3 +1287,57 @@ func BenchmarkEncoder(b *testing.B) {
 		})
 	}
 }
+
+func TestProcessorOverrides(t *testing.T) {
+	rules := `{
+	"processor_overrides": [
+		{
+			"target": [{ "id": "extract-content" }],
+			"scanners": {
+				"include": [
+					{ "id": "test-scanner-001" },
+					{ "id": "test-scanner-custom-001" }
+				],
+				"exclude": []
+			}
+		}
+	],
+	"scanners": [
+		{
+			"id": "test-scanner-custom-001",
+			"name": "Custom scanner",
+			"key": {
+				"operator": "match_regex",
+				"parameters": {
+					"regex": "\\btestcard\\b",
+					"options": { "case_sensitive": false, "min_length": 2 }
+				}
+			},
+			"value": {
+				"operator": "match_regex",
+				"parameters": {
+					"regex": "\\b1234567890\\b",
+					"options": { "case_sensitive": false, "min_length": 5 }
+				}
+			},
+			"tags": { "type": "card", "category": "testcategory" }
+		}
+	]
+}`
+
+	builder, err := NewBuilder("", "")
+	require.NoError(t, err)
+
+	var parsed map[string]any
+	require.NoError(t, json.Unmarshal([]byte(rules), &parsed))
+	diag, err := builder.AddOrUpdateConfig("/", parsed)
+	require.NoError(t, err)
+	assert.Equal(t, &Feature{
+		Errors:   nil,
+		Warnings: nil,
+		Error:    "",
+		Loaded:   []string{"index:0"},
+		Failed:   nil,
+		Skipped:  nil,
+	}, diag.ProcessorOverrides)
+}