refactor(appsec): disable error scrubbing on WAF error codes (#4159)

eliottness · kakkoyun · web-flow · commit e44b6e9ef8fe · 2025-11-21T13:57:57.000Z
Co-authored-by: kakkoyun &lt;kakkoyun@users.noreply.github.com&gt;
Co-authored-by: eliott.bouhana &lt;eliott.bouhana@datadoghq.com&gt;
diff --git a/internal/appsec/emitter/waf/metrics.go b/internal/appsec/emitter/waf/metrics.go
@@ -351,7 +351,9 @@ func (m *ContextMetrics) IncWafError(addrs libddwaf.RunAddressData, in error) {
 
 	if !errors.Is(in, waferrors.ErrTimeout) {
 		logger := m.logger.With(telemetry.WithTags(m.baseTags))
-		logger.Error("unexpected WAF error", slog.Any("error", telemetrylog.NewSafeError(in)))
+		// This a known error origin all the ways to the tip of the error chain and since it impact WAF
+		// behavior we really want to log it so we can investigate it so we don't wrap it in a safe error
+		logger.Error("unexpected WAF error", slog.String("error.message", in.Error()))
 	}
 
 	switch addrs.TimerKey {

Original file line number	Diff line number	Diff line change
`@@ -351,7 +351,9 @@ func (m *ContextMetrics) IncWafError(addrs libddwaf.RunAddressData, in error) {`
`351`	`351`
`352`	`352`	`if !errors.Is(in, waferrors.ErrTimeout) {`
`353`	`353`	`logger := m.logger.With(telemetry.WithTags(m.baseTags))`
`354`		`- logger.Error("unexpected WAF error", slog.Any("error", telemetrylog.NewSafeError(in)))`
	`354`	`+ // This a known error origin all the ways to the tip of the error chain and since it impact WAF`
	`355`	`+ // behavior we really want to log it so we can investigate it so we don't wrap it in a safe error`
	`356`	`+ logger.Error("unexpected WAF error", slog.String("error.message", in.Error()))`
`355`	`357`	`}`
`356`	`358`
`357`	`359`	`switch addrs.TimerKey {`