From 9ec8cf269d337476e3f36607f8fa4d65134a753e Mon Sep 17 00:00:00 2001
From: Manuel Palenzuela Merino <manuel.palenzuela@datadoghq.com>
Date: Thu, 12 Mar 2026 14:30:30 +0100
Subject: [PATCH] Add Datadog code coverage upload alongside Codecov

Add datadog-ci coverage upload steps to the "appsec code coverage" CI job
to run side-by-side with existing Codecov uploads. Both LCOV reports
(extension and helper) are uploaded to Datadog for coverage parity validation.

Also adds code-coverage.datadog.yml mirroring codecov.yml ignore paths and
PR gate thresholds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .gitlab/generate-appsec.php | 18 ++++++++++++++++++
 code-coverage.datadog.yml   | 12 ++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 code-coverage.datadog.yml

diff --git a/.gitlab/generate-appsec.php b/.gitlab/generate-appsec.php
index 8fecd224df..aca2518395 100644
--- a/.gitlab/generate-appsec.php
+++ b/.gitlab/generate-appsec.php
@@ -230,6 +230,24 @@
       echo "Uploading helper coverage to codecov"
       cd "$CI_PROJECT_DIR"
       codecov -t "$CODECOV_TOKEN" -n appsec-helper -v -f appsec/build/coverage-helper.lcov
+    - |
+      echo "Uploading coverage to Datadog"
+      cd "$CI_PROJECT_DIR"
+
+      DATADOG_API_KEY=$(vault kv get --format=json kv/k8s/gitlab-runner/dd-trace-php/datadoghq-api-key | jq -r .data.data.key)
+      export DATADOG_API_KEY
+      export DD_SITE="datadoghq.com"
+
+      # Install datadog-ci
+      DATADOG_CI_VERSION="v2.48.0"
+      curl -L --fail "https://github.com/DataDog/datadog-ci/releases/download/${DATADOG_CI_VERSION}/datadog-ci_linux-x64" --output "/usr/local/bin/datadog-ci"
+      chmod +x /usr/local/bin/datadog-ci
+
+      echo "Uploading extension coverage to Datadog"
+      datadog-ci coverage upload --format=lcov appsec/build/coverage-ext.lcov || true
+
+      echo "Uploading helper coverage to Datadog"
+      datadog-ci coverage upload --format=lcov appsec/build/coverage-helper.lcov || true
 
 
 "push appsec images":
diff --git a/code-coverage.datadog.yml b/code-coverage.datadog.yml
new file mode 100644
index 0000000000..20f4001ff3
--- /dev/null
+++ b/code-coverage.datadog.yml
@@ -0,0 +1,12 @@
+schema-version: v1
+ignore:
+  - "appsec/build/"
+  - "appsec/tests/"
+  - "appsec/third_party/"
+gates:
+  - type: total_coverage_percentage
+    config:
+      threshold: auto
+  - type: patch_coverage_percentage
+    config:
+      threshold: 90