DataDog · cataphract · Mar 17, 2026 · Mar 16, 2026 · Mar 16, 2026
@@ -44,6 +44,7 @@ manifest:
         php-fpm-8.3: v1.17.0-dev
         apache-mod-8.4: v1.17.0-dev
         php-fpm-8.4: v1.17.0-dev
+        php-fpm-8.5: v1.17.0-dev
   tests/appsec/api_security/test_endpoints.py::Test_LLM_Endpoint::test_openai_latest_completions_create:
     - weblog_declaration:
         "*": irrelevant (openai only supports PHP >= 8.2)
@@ -53,6 +54,7 @@ manifest:
         php-fpm-8.3: v1.17.0-dev
         apache-mod-8.4: v1.17.0-dev
         php-fpm-8.4: v1.17.0-dev
+        php-fpm-8.5: v1.17.0-dev
   tests/appsec/api_security/test_endpoints.py::Test_LLM_Endpoint::test_openai_latest_responses_create:
     - weblog_declaration:
         "*": irrelevant (openai only supports PHP >= 8.2)
@@ -62,6 +64,7 @@ manifest:
         php-fpm-8.3: v1.17.0-dev
         apache-mod-8.4: v1.17.0-dev
         php-fpm-8.4: v1.17.0-dev
+        php-fpm-8.5: v1.17.0-dev
   tests/appsec/api_security/test_endpoints.py::Test_LLM_Endpoint::test_openai_legacy_chat_completions_create: irrelevant (language not implementing this feature)
   tests/appsec/api_security/test_endpoints.py::Test_LLM_Endpoint::test_openai_legacy_completions_create: irrelevant (language not implementing this feature)
   tests/appsec/api_security/test_endpoints.py::Test_LLM_Endpoint::test_root_has_no_llm_tags: irrelevant (language not implementing this feature)

@@ -150,12 +150,22 @@ def validate_metric_variant_v2(
     )
 
 
-def validate_metric_tag_version(tag_prefix: str, min_version: list[int], metric: dict) -> bool:
+def _parse_semver(version_str: str) -> tuple:
+    """Parse a semver string into a comparable tuple.
+
+    Release versions sort above pre-releases with the same base: 2.0.0 > 2.0.0-beta0.
+    Pre-release suffixes are compared lexicographically: beta0 > alpha1 > alpha0.
+    """
+    base, _, suffix = version_str.partition("-")
+    return tuple(int(x) for x in base.split(".")) + (suffix if suffix else "~",)
+
+
+def validate_metric_tag_version(tag_prefix: str, min_version: str, metric: dict) -> bool:
+    min_ver = _parse_semver(min_version)
     for tag in metric["tags"]:
         if tag.startswith(tag_prefix + ":"):
             version_str = tag.split(":")[1]
-            current_version = list(map(int, version_str.split(".")))
-            if current_version >= min_version:
+            if _parse_semver(version_str) >= min_ver:
                 return True
     return False
 
@@ -207,10 +217,9 @@ class BaseRulesVersion:
     def test_min_version(self) -> None:
         """Checks data in waf.init metric to verify waf version"""
 
-        min_version_array = list(map(int, self.min_version.split(".")))
         series = find_series("appsec", "waf.init", is_metrics=True)
         assert series
-        assert any(validate_metric_tag_version("event_rules_version", min_version_array, s) for s in series)
+        assert any(validate_metric_tag_version("event_rules_version", self.min_version, s) for s in series)
 
 
 class BaseWAFVersion:
@@ -221,7 +230,6 @@ class BaseWAFVersion:
     def test_min_version(self) -> None:
         """Checks data in waf.init metric to verify waf version"""
 
-        min_version_array = list(map(int, self.min_version.split(".")))
         series = find_series("appsec", "waf.init", is_metrics=True)
         assert series
-        assert any(validate_metric_tag_version("waf_version", min_version_array, s) for s in series)
+        assert any(validate_metric_tag_version("waf_version", self.min_version, s) for s in series)
@@ -6,12 +6,14 @@ IS_APACHE=${1:-0}
 
 cd /binaries
 
-PKG=$(find /binaries -maxdepth 1 -name 'dd-library-php-*-linux-gnu.tar.gz')
+ARCH=$(uname -m)
+PKG=$(find /binaries -maxdepth 1 -name "dd-library-php-*-${ARCH}-linux-gnu.tar.gz")
 SETUP=/binaries/datadog-setup.php
 
 DDTRACE_SO=/binaries/ddtrace.so
 DDAPPSEC_SO=/binaries/ddappsec.so
 APPSEC_HELPER_SO=/binaries/libddappsec-helper.so
+APPSEC_RUST_HELPER_SO=/binaries/libddappsec-helper-rust.so
 LIBDDWAF_SO=/binaries/libddwaf.so
 
 # Determine INI file location
@@ -90,6 +92,17 @@ if [ -f $DDAPPSEC_SO ] && [ -f $APPSEC_HELPER_SO ]; then
   fi
 fi
 
+# Install the Rust helper alongside the C++ helper so DD_APPSEC_HELPER_RUST_REDIRECTION works
+if [ -f $APPSEC_RUST_HELPER_SO ]; then
+  INSTALLED_HELPER=$(find /root /opt -name libddappsec-helper.so 2>/dev/null | grep -v /binaries | head -1)
+  if [ -n "$INSTALLED_HELPER" ]; then
+    echo "Installing Rust helper at $(dirname "$INSTALLED_HELPER")/libddappsec-helper-rust.so"
+    cp -f $APPSEC_RUST_HELPER_SO "$(dirname "$INSTALLED_HELPER")/libddappsec-helper-rust.so"
+  else
+    echo "Warning: Could not find installed libddappsec-helper.so to install Rust helper alongside"
+  fi
+fi
+
 if [ -f $LIBDDWAF_SO ]; then
   echo "Copying libddwaf.so from /binaries"
   INSTALLED_HELPER=$(find /root /opt -name libddappsec-helper.so 2>/dev/null | grep -v /binaries | head -1)

@@ -0,0 +1,24 @@
+
+FROM ubuntu:24.04
+ARG PHP_VERSION=8.5
+
+ADD binaries* /binaries/
+ADD utils/build/docker/php /tmp/php
+
+ENV DD_TRACE_ENABLED=1
+ENV DD_TRACE_GENERATE_ROOT_SPAN=1
+ENV DD_TRACE_AGENT_FLUSH_AFTER_N_REQUESTS=0
+ENV DD_TRACE_HEADER_TAGS=user-agent
+ENV DD_APPSEC_HELPER_RUST_REDIRECTION=1
+
+RUN chmod +x /tmp/php/php-fpm/build.sh
+RUN /tmp/php/php-fpm/build.sh $PHP_VERSION
+RUN rm -rf /tmp/php/
+
+EXPOSE 7777/tcp
+
+WORKDIR /binaries
+ENTRYPOINT []
+RUN echo "#!/bin/bash\ndumb-init /entrypoint.sh" > app.sh
+RUN chmod +x app.sh
+CMD [ "./app.sh" ]