Enable secure random ID generation for AWS Lambda MicroVM environments

[litianningdatadog]

https://datadoghq.atlassian.net/browse/SVLS-9287

Background

For Firecracker-based container technology, in order to reduce cold-start latency, the system snapshots the entire process memory of a warmed-up instance and reuses it to launch new ones. Every resumed instance starts from the same frozen memory image — including any userspace state that was initialized before the snapshot was taken.

Summary

• Extends the existing secureRandom logic to also activate when running in AWS Lambda MicroVM environments (detected via the AWS_LAMBDA_MICROVM_IMAGE_ARN environment variable)
• MicroVM environments, like SnapStart, benefit from SecureRandom-based ID generation because memory snapshots can cause ID collisions with standard random sources
• Adds ConfigSecureRandomTest with 5 JUnit 5 tests covering all activation paths (default, SnapStart, MicroVM ARN, empty ARN, config property)

Test plan

• ./gradlew :internal-api:test --tests datadog.trace.api.ConfigSecureRandomTest passes
• Verify secureRandom = true when AWS_LAMBDA_MICROVM_IMAGE_ARN is set to a non-empty value
• Verify secureRandom = false (default) when AWS_LAMBDA_MICROVM_IMAGE_ARN is empty or unset
• Integration shows secureRandom = true

🤖 Generated with Claude Code

[datadog-prod-us1-4]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

Check pull requests | Check pull requests     

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 0672981 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Hi! 👋 Thanks for your pull request! 🎉

To help us review it, please make sure to:

• Add at least one type, and one component or instrumentation label to the pull request

If you need help, please check our contributing guidelines.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1c7afe3fa0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[dd-octo-sts]

🟢 Java Benchmark SLOs — All performance SLOs passed

Suite	Status
Startup	🟢 pass

SLO thresholds are defined here based on automatically generated metrics. A warning is raised when results are within 5% of the threshold.

PR vs. master results

Scenario	Candidate	master	Δ (95% CI of mean)
startup:insecure-bank:iast:Agent	14.02 s	13.93 s	[-0.0%; +1.3%] (no difference)
startup:insecure-bank:tracing:Agent	12.88 s	12.96 s	[-1.3%; +0.1%] (no difference)
startup:petclinic:appsec:Agent	16.75 s	16.57 s	[-0.1%; +2.2%] (no difference)
startup:petclinic:iast:Agent	16.82 s	16.86 s	[-0.9%; +0.4%] (no difference)
startup:petclinic:profiling:Agent	16.60 s	16.81 s	[-2.4%; -0.1%] (maybe better)
startup:petclinic:sca:Agent	16.82 s	16.83 s	[-1.1%; +1.0%] (no difference)
startup:petclinic:tracing:Agent	15.51 s	16.06 s	[-7.6%; +0.8%] (no difference)

Commit: 06729819 · CI Pipeline · Benchmarking Platform UI

---

Load and DaCapo benchmarks can be triggered manually in the GitLab pipeline. Results will appear in the Benchmarking Platform UI after completion.