cdk-insights 0.11.1 → 0.11.2

package/dist/entry.js CHANGED
@@ -406,7 +406,7 @@ ${o}`)};var kle=require("node:child_process"),Lle=()=>{try{return(0,kle.execFile
406
406
  `,i},Int=e=>{let t=process.env.GITHUB_STEP_SUMMARY;if(!t)return!1;try{return w6.appendFileSync(t,e),!0}catch(r){return console.error("Failed to write GitHub step summary:",r),!1}},Hle=(e,t,r,n)=>{let s=Ant(e,t);for(let a of s)console.log(a);let i=Tnt(e,t,r,n);if(Int(i)||(console.log(`
407
407
  --- Job Summary ---`),console.log(i)),process.env.GITHUB_OUTPUT)try{let a=process.env.GITHUB_OUTPUT,c=[`total_issues=${Object.values(r).reduce((u,l)=>u+l,0)}`,`critical_issues=${r.CRITICAL}`,`high_issues=${r.HIGH}`,`has_critical=${r.CRITICAL>0}`];w6.appendFileSync(a,`${c.join(`
408
408
  `)}
409
- `)}catch(a){console.error("Failed to write GitHub outputs:",a)}};var Vle=(e,t,r,n,s)=>{switch(Ae.info(`Generating output in format: ${e}`),e){case"markdown":{let i=If(t,r,s,n),o=`${t}_analysis_report.md`;try{A6.writeFileSync(o,i),Ae.info(`\u{1F4C4} Saved Markdown report to ${o}`)}catch(a){let c=a instanceof Error?a.message:String(a);throw Ae.error(`\u274C Failed to write Markdown report to ${o}: ${c}`),new Error(`Failed to write Markdown report: ${c}`)}break}case"table":{AD(r);break}case"json":qle(t,s,r),Ae.info(`\u{1F4C4} JSON report written to: ${t}_analysis_report.json`);break;case"sarif":{let i=zle(t,r),o=`${t}_analysis_report.sarif`;try{A6.writeFileSync(o,JSON.stringify(i,null,2)),Ae.info(`\u{1F4C4} SARIF report written to: ${o}`),console.log(JSON.stringify(i,null,2))}catch(a){let c=a instanceof Error?a.message:String(a);throw Ae.error(`\u274C Failed to write SARIF report to ${o}: ${c}`),new Error(`Failed to write SARIF report: ${c}`)}break}case"github-actions":{Hle(t,r,s.severityCounts,s.totalResources);break}default:wD(t,s);break}};var T6=(e,t,r)=>{let n=0,s=0,i={CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0},o={"Operational Excellence":0,Security:0,"Cost Optimization":0,Reliability:0,"Performance Efficiency":0,Sustainability:0};for(let u in e){let l=[...e[u].sources.cdkInsights?.issues??[],...e[u].sources.cdkNag?.issues??[]],d=!r||r.has(u);l.length>0&&d&&s++,n+=l.length;for(let p of l)i[p.severity]+=1,o[p.wafPillar]+=1}let a=t,c=Number.parseFloat((s/a*100).toFixed(1));return{totalResources:a,resourcesWithIssues:s,percentWithIssues:c,totalIssues:n,severityCounts:i,wafIssues:o,generatedBy:"cdk-insights",generatedAt:new Date().toISOString()}};var Kle=A(require("node:crypto")),Jle=e=>Kle.createHash("sha256").update(JSON.stringify(e)).digest("hex");var 
Pnt=[/depends\s*on.*(?:not\s*(?:be\s*)?available|may\s*not\s*exist|circular)/i,/dependson.*relationship/i,/resource.*depends.*another.*resource/i,/dependency.*(?:not\s*)?(?:be\s*)?ready/i,/lacks?\s*(?:meaningful\s*)?tags?(?:\s*for)?/i,/missing.*tags?.*(?:metadata|identification)/i,/no\s*tags?\s*(?:defined|configured|specified)/i,/\[redacted\].*(?:incomplete|invalid|malformed|missing)/i,/incomplete.*\[redacted\]/i,/placeholder.*value/i,/missing.*closing.*brace/i,/cdk.*metadata.*exposed/i,/metadata.*cdk.*path/i],Rnt=[/tags?/i,/naming\s*convention/i,/resource\s*name.*not.*descriptive/i,/lacks?\s*description/i,/missing\s*description/i],Fnt=e=>Pnt.some(t=>t.test(e)),Ont=e=>Rnt.some(t=>t.test(e)),Zle=(e,t=!1)=>e.filter(r=>{let n=r.issue||"";return!(Fnt(n)||t&&Ont(n))});var Yle=({staticRecommendations:e,aiRecommendations:t,recommendationMap:r,ruleFilter:n,filterIssuesByRule:s,_displayNameMap:i={}})=>{let o={...r};for(let[d,{issues:p}]of Object.entries(e))o[d]&&o[d].sources.cdkInsights.issues.push(...p);let a=0,c=0,u=0,l=0;for(let[d,p]of Object.entries(t)){if(!p||!Array.isArray(p.issues)){Ae.warn(`\u26A0\uFE0F No AI issues for resource '${d}', skipping.`);continue}let f=d;if(!o[f]){Ae.warn(`\u26A0\uFE0F AI recommendations for unknown resource '${f}', skipping enrichment.`);continue}let m=o[f],g=n.length>0?s(p.issues,n):p.issues,x=Zle(g,m.isGenerated).map(D=>{switch(D.severity||(Ae.debug(`AI recommendation missing severity for resource '${f}', defaulting to MEDIUM`),D.severity="MEDIUM"),D.severity.toUpperCase()){case"CRITICAL":a++;break;case"HIGH":c++;break;case"MEDIUM":u++;break;case"LOW":l++;break;default:Ae.warn(`\u26A0\uFE0F Unknown severity '${D.severity}' for resource '${f}', defaulting to MEDIUM`),D.severity="MEDIUM",u++;break}return{resourceName:D.resourceName||m.resourceName,resourceId:f,friendlyName:m.friendlyName,displayName:m.displayName,locationHint:D.locationHint||m.locationHint,constructPath:m.cdkPath,githubUrl:m.githubUrl,docUrl:m.docUrl,issue:D.issue||"AI 
analysis issue",recommendation:D.recommendation||"No specific recommendation provided",severity:D.severity,wafPillar:(()=>{if(D.wafPillar)switch(D.wafPillar.toLowerCase().trim()){case"security":return"Security";case"operational excellence":return"Operational Excellence";case"cost optimization":return"Cost Optimization";case"reliability":return"Reliability";case"performance efficiency":return"Performance Efficiency";case"sustainability":return"Sustainability";default:return"Security"}return"Security"})(),codeSnippet:D.codeSnippet||"",foundBy:D.foundBy??"cdkInsights"}}),v=gD(x,m.cdkPath);m.sources.cdkInsights.issues.push(...v)}return{updatedMap:o,criticalCount:a,highCount:c,mediumCount:u,lowCount:l}};var Qle=e=>{if(!e||e.length===0)return 0;let t=e.length,r=new Map;for(let s of e)r.set(s,(r.get(s)||0)+1);let n=0;for(let s of r.values()){let i=s/t;n-=i*Math.log2(i)}return n},I6=(e,t=!1)=>{if(e.length<16||knt(e)||Qle(e)<(t?4:4.5))return!1;let s=/[A-Z]/.test(e),i=/[a-z]/.test(e),o=/[0-9]/.test(e),a=/[^A-Za-z0-9]/.test(e),c=[s,i,o,a].filter(Boolean).length;return t?c>=1:c>=2},knt=e=>{if(/^https?:\/\//i.test(e)||/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(e)||/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(e)||/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/.test(e)||/^(\/|\.\/|\.\.\/|[A-Za-z]:\\)/.test(e)||/^s3:\/\/[a-z0-9.-]+\//.test(e))return!0;if(/^[A-Za-z0-9+/]{4,}={0,2}$/.test(e)){let t=new Set(e).size;if(e.length>50&&t<10)return!0}return!!Lnt(e)},Lnt=e=>{let t=e.length;for(let r=1;r<=t/2;r++)if(e.slice(0,r).repeat(Math.ceil(t/r)).slice(0,t)===e)return!0;return!1};var 
Nnt=[/api[_-]?key/i,/secret[_-]?key/i,/^password$/i,/^passwd$/i,/credential/i,/private[_-]?key/i,/access[_-]?key/i,/auth[_-]?token/i,/bearer[_-]?token/i,/refresh[_-]?token/i,/client[_-]?secret/i,/app[_-]?secret/i,/secret[_-]?value/i,/aws[_-]?secret/i,/aws[_-]?access[_-]?key/i,/aws[_-]?session[_-]?token/i,/db[_-]?password/i,/database[_-]?password/i,/master[_-]?password/i,/master[_-]?user[_-]?password/i,/admin[_-]?password/i,/root[_-]?password/i,/connection[_-]?string/i,/stripe[_-]?key/i,/stripe[_-]?secret/i,/github[_-]?token/i,/gitlab[_-]?token/i,/slack[_-]?token/i,/slack[_-]?webhook/i,/discord[_-]?token/i,/twilio[_-]?token/i,/sendgrid[_-]?key/i,/mailgun[_-]?key/i,/datadog[_-]?key/i,/new[_-]?relic[_-]?key/i,/sentry[_-]?dsn/i,/webhook[_-]?secret/i,/signing[_-]?key/i,/signing[_-]?secret/i,/encryption[_-]?key/i,/jwt[_-]?secret/i,/hmac[_-]?key/i,/ssh[_-]?key/i,/ssh[_-]?private/i,/pem[_-]?key/i,/rsa[_-]?key/i],Mnt=[/^A[BGIK-Z][A-Z]{2}[0-9A-Z]{16}$/,/^[A-Za-z0-9/+=]{40}$/,/-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/,/-----BEGIN PGP PRIVATE KEY 
BLOCK-----/,/^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,/^gh[pousr]_[A-Za-z0-9]{36,}$/,/^[srp]k_(live|test)_[A-Za-z0-9]{24,}$/,/^xox[bpas]-[A-Za-z0-9-]+$/,/^SK[a-f0-9]{32}$/i,/^SG\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/],jnt=[/\{\{resolve:secretsmanager:/,/{{resolve:secretsmanager:/,/\{\{resolve:ssm:/,/{{resolve:ssm:/,/\{\{resolve:ssm-secure:/,/{{resolve:ssm-secure:/,/!Ref\s+\w+/,/!GetAtt\s+[\w.]+/,/!Sub\s+/,/\$\{[\w:.]+\}/,/\$\{Token\[/,/\[\[token:/i,/\${Token\[TOKEN\.\d+\]\}/,/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/],Bnt=[/^<[^>]+>$/,/^CHANGE[_-]?ME$/i,/^REPLACE[_-]?ME$/i,/^TODO$/i,/^TODO:/i,/^FIXME$/i,/^XXX$/i,/^YOUR[_-]/i,/^INSERT[_-]/i,/^ENTER[_-]/i,/^\*+$/,/^x+$/i,/^\s*$/,/^default$/i,/^example$/i,/^sample$/i,/^test$/i,/^demo$/i,/^dummy$/i,/^fake$/i,/^mock$/i,/^placeholder$/i],P6=e=>Nnt.some(t=>t.test(e)),R6=e=>Mnt.some(t=>t.test(e)),F6=e=>jnt.some(t=>t.test(e)),O6=e=>Bnt.some(t=>t.test(e)),TD=e=>{if(typeof e!="object"||e===null)return!1;let t=["Ref","Fn::GetAtt","Fn::Sub","Fn::Join","Fn::ImportValue","Fn::If","Fn::Select","Fn::Split","Fn::Base64","Fn::Cidr","Fn::FindInMap","Fn::GetAZs","Fn::Transform"],r=Object.keys(e);return r.length===1&&t.includes(r[0])},k6=e=>{let t=[{patterns:[/api[_-]?key/i,/access[_-]?key/i],category:"api_key"},{patterns:[/password/i,/passwd/i],category:"password"},{patterns:[/private[_-]?key/i,/ssh[_-]?key/i,/pem[_-]?key/i,/rsa[_-]?key/i],category:"private_key"},{patterns:[/aws[_-]?secret/i,/aws[_-]?access/i],category:"aws_credentials"},{patterns:[/token/i,/bearer/i],category:"token"},{patterns:[/secret/i,/credential/i],category:"secret"},{patterns:[/connection[_-]?string/i,/database/i,/db[_-]/i],category:"database"},{patterns:[/webhook/i,/signing/i,/encryption/i,/hmac/i,/jwt/i],category:"encryption_key"}];for(let{patterns:r,category:n}of t)if(r.some(s=>s.test(e)))return n;return"secret"};var zg=e=>{let t={api_key:`Use AWS Secrets Manager to store API keys securely:
409
+ `)}catch(a){console.error("Failed to write GitHub outputs:",a)}};var Vle=(e,t,r,n,s)=>{switch(Ae.info(`Generating output in format: ${e}`),e){case"markdown":{let i=If(t,r,s,n),o=`${t}_analysis_report.md`;try{A6.writeFileSync(o,i),Ae.info(`\u{1F4C4} Saved Markdown report to ${o}`)}catch(a){let c=a instanceof Error?a.message:String(a);throw Ae.error(`\u274C Failed to write Markdown report to ${o}: ${c}`),new Error(`Failed to write Markdown report: ${c}`)}break}case"table":{AD(r);break}case"json":qle(t,s,r),Ae.info(`\u{1F4C4} JSON report written to: ${t}_analysis_report.json`);break;case"sarif":{let i=zle(t,r),o=`${t}_analysis_report.sarif`;try{A6.writeFileSync(o,JSON.stringify(i,null,2)),Ae.info(`\u{1F4C4} SARIF report written to: ${o}`),console.log(JSON.stringify(i,null,2))}catch(a){let c=a instanceof Error?a.message:String(a);throw Ae.error(`\u274C Failed to write SARIF report to ${o}: ${c}`),new Error(`Failed to write SARIF report: ${c}`)}break}case"github-actions":{Hle(t,r,s.severityCounts,s.totalResources);break}default:wD(t,s);break}};var T6=(e,t,r)=>{let n=0,s=0,i={CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0},o={"Operational Excellence":0,Security:0,"Cost Optimization":0,Reliability:0,"Performance Efficiency":0,Sustainability:0};for(let u in e){let l=[...e[u].sources.cdkInsights?.issues??[],...e[u].sources.cdkNag?.issues??[]],d=!r||r.has(u);l.length>0&&d&&s++,n+=l.length;for(let p of l)i[p.severity]+=1,o[p.wafPillar]+=1}let a=t,c=Number.parseFloat((s/a*100).toFixed(1));return{totalResources:a,resourcesWithIssues:s,percentWithIssues:c,totalIssues:n,severityCounts:i,wafIssues:o,generatedBy:"cdk-insights",generatedAt:new Date().toISOString()}};var Kle=A(require("node:crypto")),Jle=e=>Kle.createHash("sha256").update(JSON.stringify(e)).digest("hex");var 
Pnt=[/depends\s*on.*(?:not\s*(?:be\s*)?available|may\s*not\s*exist|circular)/i,/dependson.*relationship/i,/resource.*depends.*another.*resource/i,/dependency.*(?:not\s*)?(?:be\s*)?ready/i,/lacks?\s*(?:meaningful\s*)?tags?(?:\s*for)?/i,/missing.*tags?.*(?:metadata|identification)/i,/no\s*tags?\s*(?:defined|configured|specified)/i,/\[redacted\].*(?:incomplete|invalid|malformed|missing)/i,/incomplete.*\[redacted\]/i,/placeholder.*value/i,/missing.*closing.*brace/i,/replac(?:e|ing).*\[redacted\]/i,/\[redacted\].*(?:should|could|must)\s*be/i,/trust.*policy.*any.*service.*\[redacted\]/i,/any.*service.*within.*account.*\[redacted\]/i,/cdk.*metadata.*exposed/i,/metadata.*cdk.*path/i],Rnt=[/tags?/i,/naming\s*convention/i,/resource\s*name.*not.*descriptive/i,/lacks?\s*description/i,/missing\s*description/i],Fnt=e=>Pnt.some(t=>t.test(e)),Ont=e=>Rnt.some(t=>t.test(e)),Zle=(e,t=!1)=>e.filter(r=>{let n=r.issue||"";return!(Fnt(n)||t&&Ont(n))});var Yle=({staticRecommendations:e,aiRecommendations:t,recommendationMap:r,ruleFilter:n,filterIssuesByRule:s,_displayNameMap:i={}})=>{let o={...r};for(let[d,{issues:p}]of Object.entries(e))o[d]&&o[d].sources.cdkInsights.issues.push(...p);let a=0,c=0,u=0,l=0;for(let[d,p]of Object.entries(t)){if(!p||!Array.isArray(p.issues)){Ae.warn(`\u26A0\uFE0F No AI issues for resource '${d}', skipping.`);continue}let f=d;if(!o[f]){Ae.warn(`\u26A0\uFE0F AI recommendations for unknown resource '${f}', skipping enrichment.`);continue}let m=o[f],g=n.length>0?s(p.issues,n):p.issues,x=Zle(g,m.isGenerated).map(D=>{switch(D.severity||(Ae.debug(`AI recommendation missing severity for resource '${f}', defaulting to MEDIUM`),D.severity="MEDIUM"),D.severity.toUpperCase()){case"CRITICAL":a++;break;case"HIGH":c++;break;case"MEDIUM":u++;break;case"LOW":l++;break;default:Ae.warn(`\u26A0\uFE0F Unknown severity '${D.severity}' for resource '${f}', defaulting to 
MEDIUM`),D.severity="MEDIUM",u++;break}return{resourceName:D.resourceName||m.resourceName,resourceId:f,friendlyName:m.friendlyName,displayName:m.displayName,locationHint:D.locationHint||m.locationHint,constructPath:m.cdkPath,githubUrl:m.githubUrl,docUrl:m.docUrl,issue:D.issue||"AI analysis issue",recommendation:D.recommendation||"No specific recommendation provided",severity:D.severity,wafPillar:(()=>{if(D.wafPillar)switch(D.wafPillar.toLowerCase().trim()){case"security":return"Security";case"operational excellence":return"Operational Excellence";case"cost optimization":return"Cost Optimization";case"reliability":return"Reliability";case"performance efficiency":return"Performance Efficiency";case"sustainability":return"Sustainability";default:return"Security"}return"Security"})(),codeSnippet:D.codeSnippet||"",foundBy:D.foundBy??"cdkInsights"}}),v=gD(x,m.cdkPath);m.sources.cdkInsights.issues.push(...v)}return{updatedMap:o,criticalCount:a,highCount:c,mediumCount:u,lowCount:l}};var Qle=e=>{if(!e||e.length===0)return 0;let t=e.length,r=new Map;for(let s of e)r.set(s,(r.get(s)||0)+1);let n=0;for(let s of r.values()){let i=s/t;n-=i*Math.log2(i)}return n},I6=(e,t=!1)=>{if(e.length<16||knt(e)||Qle(e)<(t?4:4.5))return!1;let s=/[A-Z]/.test(e),i=/[a-z]/.test(e),o=/[0-9]/.test(e),a=/[^A-Za-z0-9]/.test(e),c=[s,i,o,a].filter(Boolean).length;return t?c>=1:c>=2},knt=e=>{if(/^https?:\/\//i.test(e)||/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(e)||/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(e)||/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/.test(e)||/^(\/|\.\/|\.\.\/|[A-Za-z]:\\)/.test(e)||/^s3:\/\/[a-z0-9.-]+\//.test(e))return!0;if(/^[A-Za-z0-9+/]{4,}={0,2}$/.test(e)){let t=new Set(e).size;if(e.length>50&&t<10)return!0}return!!Lnt(e)},Lnt=e=>{let t=e.length;for(let r=1;r<=t/2;r++)if(e.slice(0,r).repeat(Math.ceil(t/r)).slice(0,t)===e)return!0;return!1};var 
Nnt=[/api[_-]?key/i,/secret[_-]?key/i,/^password$/i,/^passwd$/i,/credential/i,/private[_-]?key/i,/access[_-]?key/i,/auth[_-]?token/i,/bearer[_-]?token/i,/refresh[_-]?token/i,/client[_-]?secret/i,/app[_-]?secret/i,/secret[_-]?value/i,/aws[_-]?secret/i,/aws[_-]?access[_-]?key/i,/aws[_-]?session[_-]?token/i,/db[_-]?password/i,/database[_-]?password/i,/master[_-]?password/i,/master[_-]?user[_-]?password/i,/admin[_-]?password/i,/root[_-]?password/i,/connection[_-]?string/i,/stripe[_-]?key/i,/stripe[_-]?secret/i,/github[_-]?token/i,/gitlab[_-]?token/i,/slack[_-]?token/i,/slack[_-]?webhook/i,/discord[_-]?token/i,/twilio[_-]?token/i,/sendgrid[_-]?key/i,/mailgun[_-]?key/i,/datadog[_-]?key/i,/new[_-]?relic[_-]?key/i,/sentry[_-]?dsn/i,/webhook[_-]?secret/i,/signing[_-]?key/i,/signing[_-]?secret/i,/encryption[_-]?key/i,/jwt[_-]?secret/i,/hmac[_-]?key/i,/ssh[_-]?key/i,/ssh[_-]?private/i,/pem[_-]?key/i,/rsa[_-]?key/i],Mnt=[/^A[BGIK-Z][A-Z]{2}[0-9A-Z]{16}$/,/^[A-Za-z0-9/+=]{40}$/,/-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/,/-----BEGIN PGP PRIVATE KEY 
BLOCK-----/,/^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,/^gh[pousr]_[A-Za-z0-9]{36,}$/,/^[srp]k_(live|test)_[A-Za-z0-9]{24,}$/,/^xox[bpas]-[A-Za-z0-9-]+$/,/^SK[a-f0-9]{32}$/i,/^SG\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/],jnt=[/\{\{resolve:secretsmanager:/,/{{resolve:secretsmanager:/,/\{\{resolve:ssm:/,/{{resolve:ssm:/,/\{\{resolve:ssm-secure:/,/{{resolve:ssm-secure:/,/!Ref\s+\w+/,/!GetAtt\s+[\w.]+/,/!Sub\s+/,/\$\{[\w:.]+\}/,/\$\{Token\[/,/\[\[token:/i,/\${Token\[TOKEN\.\d+\]\}/,/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/],Bnt=[/^<[^>]+>$/,/^CHANGE[_-]?ME$/i,/^REPLACE[_-]?ME$/i,/^TODO$/i,/^TODO:/i,/^FIXME$/i,/^XXX$/i,/^YOUR[_-]/i,/^INSERT[_-]/i,/^ENTER[_-]/i,/^\*+$/,/^x+$/i,/^\s*$/,/^default$/i,/^example$/i,/^sample$/i,/^test$/i,/^demo$/i,/^dummy$/i,/^fake$/i,/^mock$/i,/^placeholder$/i],P6=e=>Nnt.some(t=>t.test(e)),R6=e=>Mnt.some(t=>t.test(e)),F6=e=>jnt.some(t=>t.test(e)),O6=e=>Bnt.some(t=>t.test(e)),TD=e=>{if(typeof e!="object"||e===null)return!1;let t=["Ref","Fn::GetAtt","Fn::Sub","Fn::Join","Fn::ImportValue","Fn::If","Fn::Select","Fn::Split","Fn::Base64","Fn::Cidr","Fn::FindInMap","Fn::GetAZs","Fn::Transform"],r=Object.keys(e);return r.length===1&&t.includes(r[0])},k6=e=>{let t=[{patterns:[/api[_-]?key/i,/access[_-]?key/i],category:"api_key"},{patterns:[/password/i,/passwd/i],category:"password"},{patterns:[/private[_-]?key/i,/ssh[_-]?key/i,/pem[_-]?key/i,/rsa[_-]?key/i],category:"private_key"},{patterns:[/aws[_-]?secret/i,/aws[_-]?access/i],category:"aws_credentials"},{patterns:[/token/i,/bearer/i],category:"token"},{patterns:[/secret/i,/credential/i],category:"secret"},{patterns:[/connection[_-]?string/i,/database/i,/db[_-]/i],category:"database"},{patterns:[/webhook/i,/signing/i,/encryption/i,/hmac/i,/jwt/i],category:"encryption_key"}];for(let{patterns:r,category:n}of t)if(r.some(s=>s.test(e)))return n;return"secret"};var zg=e=>{let t={api_key:`Use AWS Secrets Manager to store API keys securely:
410
410
 
411
411
  // CDK TypeScript example:
412
412
  import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
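Review bot: The four patterns added to the `Pnt` suppression list on the `+` line at 409 match loose substrings, so a genuine AI finding can be dropped from the report. For example, `/\[redacted\].*(?:should|could|must)\s*be/i` discards any issue whose text mentions `[redacted]` and later says "should be", and `/trust.*policy.*any.*service.*\[redacted\]/i` discards IAM trust-policy findings whenever a redacted value appears in the sentence. `Zle` applies this filter inside `Yle` before the severity switch and logs nothing, so a CRITICAL or HIGH item removed this way appears never to reach the counts or the `has_critical` output. In the unminified source I would exempt CRITICAL and HIGH issues from pattern suppression, or at least record each drop with something like `if (Fnt(n)) Ae.debug("suppressed AI issue: " + n);`. The same four patterns are added to `cDe` in package/dist/index.js; both files are minified bundles, so the fix belongs in the source they are built from.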
package/dist/index.js CHANGED
@@ -296,7 +296,7 @@ ${i}`)};var L4=require("node:child_process"),N4=()=>{try{return(0,L4.execFileSyn
296
296
  `,o},aDe=e=>{let t=process.env.GITHUB_STEP_SUMMARY;if(!t)return!1;try{return y0.appendFileSync(t,e),!0}catch(r){return console.error("Failed to write GitHub step summary:",r),!1}},HH=(e,t,r,s)=>{let n=oDe(e,t);for(let a of n)console.log(a);let o=iDe(e,t,r,s);if(aDe(o)||(console.log(`
297
297
  --- Job Summary ---`),console.log(o)),process.env.GITHUB_OUTPUT)try{let a=process.env.GITHUB_OUTPUT,c=[`total_issues=${Object.values(r).reduce((u,l)=>u+l,0)}`,`critical_issues=${r.CRITICAL}`,`high_issues=${r.HIGH}`,`has_critical=${r.CRITICAL>0}`];y0.appendFileSync(a,`${c.join(`
298
298
  `)}
299
- `)}catch(a){console.error("Failed to write GitHub outputs:",a)}};var zH=(e,t,r,s,n)=>{switch(ae.info(`Generating output in format: ${e}`),e){case"markdown":{let o=Ja(t,r,n,s),i=`${t}_analysis_report.md`;try{v0.writeFileSync(i,o),ae.info(`\u{1F4C4} Saved Markdown report to ${i}`)}catch(a){let c=a instanceof Error?a.message:String(a);throw ae.error(`\u274C Failed to write Markdown report to ${i}: ${c}`),new Error(`Failed to write Markdown report: ${c}`)}break}case"table":{Dg(r);break}case"json":jH(t,n,r),ae.info(`\u{1F4C4} JSON report written to: ${t}_analysis_report.json`);break;case"sarif":{let o=$H(t,r),i=`${t}_analysis_report.sarif`;try{v0.writeFileSync(i,JSON.stringify(o,null,2)),ae.info(`\u{1F4C4} SARIF report written to: ${i}`),console.log(JSON.stringify(o,null,2))}catch(a){let c=a instanceof Error?a.message:String(a);throw ae.error(`\u274C Failed to write SARIF report to ${i}: ${c}`),new Error(`Failed to write SARIF report: ${c}`)}break}case"github-actions":{HH(t,r,n.severityCounts,n.totalResources);break}default:yg(t,n);break}};var b0=(e,t,r)=>{let s=0,n=0,o={CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0},i={"Operational Excellence":0,Security:0,"Cost Optimization":0,Reliability:0,"Performance Efficiency":0,Sustainability:0};for(let u in e){let l=[...e[u].sources.cdkInsights?.issues??[],...e[u].sources.cdkNag?.issues??[]],d=!r||r.has(u);l.length>0&&d&&n++,s+=l.length;for(let m of l)o[m.severity]+=1,i[m.wafPillar]+=1}let a=t,c=Number.parseFloat((n/a*100).toFixed(1));return{totalResources:a,resourcesWithIssues:n,percentWithIssues:c,totalIssues:s,severityCounts:o,wafIssues:i,generatedBy:"cdk-insights",generatedAt:new Date().toISOString()}};var GH=_(require("node:crypto")),qH=e=>GH.createHash("sha256").update(JSON.stringify(e)).digest("hex");var Eg=_(require("node:fs")),VH=_(require("node:path")),KH=e=>{let t=VH.join(e,"manifest.json");if(!Eg.existsSync(t))return{};try{return JSON.parse(Eg.readFileSync(t,"utf-8"))}catch{return{}}};var 
cDe=[/depends\s*on.*(?:not\s*(?:be\s*)?available|may\s*not\s*exist|circular)/i,/dependson.*relationship/i,/resource.*depends.*another.*resource/i,/dependency.*(?:not\s*)?(?:be\s*)?ready/i,/lacks?\s*(?:meaningful\s*)?tags?(?:\s*for)?/i,/missing.*tags?.*(?:metadata|identification)/i,/no\s*tags?\s*(?:defined|configured|specified)/i,/\[redacted\].*(?:incomplete|invalid|malformed|missing)/i,/incomplete.*\[redacted\]/i,/placeholder.*value/i,/missing.*closing.*brace/i,/cdk.*metadata.*exposed/i,/metadata.*cdk.*path/i],uDe=[/tags?/i,/naming\s*convention/i,/resource\s*name.*not.*descriptive/i,/lacks?\s*description/i,/missing\s*description/i],lDe=e=>cDe.some(t=>t.test(e)),dDe=e=>uDe.some(t=>t.test(e)),JH=(e,t=!1)=>e.filter(r=>{let s=r.issue||"";return!(lDe(s)||t&&dDe(s))});var ZH=({staticRecommendations:e,aiRecommendations:t,recommendationMap:r,ruleFilter:s,filterIssuesByRule:n,_displayNameMap:o={}})=>{let i={...r};for(let[d,{issues:m}]of Object.entries(e))i[d]&&i[d].sources.cdkInsights.issues.push(...m);let a=0,c=0,u=0,l=0;for(let[d,m]of Object.entries(t)){if(!m||!Array.isArray(m.issues)){ae.warn(`\u26A0\uFE0F No AI issues for resource '${d}', skipping.`);continue}let p=d;if(!i[p]){ae.warn(`\u26A0\uFE0F AI recommendations for unknown resource '${p}', skipping enrichment.`);continue}let f=i[p],g=s.length>0?n(m.issues,s):m.issues,S=JH(g,f.isGenerated).map(w=>{switch(w.severity||(ae.debug(`AI recommendation missing severity for resource '${p}', defaulting to MEDIUM`),w.severity="MEDIUM"),w.severity.toUpperCase()){case"CRITICAL":a++;break;case"HIGH":c++;break;case"MEDIUM":u++;break;case"LOW":l++;break;default:ae.warn(`\u26A0\uFE0F Unknown severity '${w.severity}' for resource '${p}', defaulting to MEDIUM`),w.severity="MEDIUM",u++;break}return{resourceName:w.resourceName||f.resourceName,resourceId:p,friendlyName:f.friendlyName,displayName:f.displayName,locationHint:w.locationHint||f.locationHint,constructPath:f.cdkPath,githubUrl:f.githubUrl,docUrl:f.docUrl,issue:w.issue||"AI 
analysis issue",recommendation:w.recommendation||"No specific recommendation provided",severity:w.severity,wafPillar:(()=>{if(w.wafPillar)switch(w.wafPillar.toLowerCase().trim()){case"security":return"Security";case"operational excellence":return"Operational Excellence";case"cost optimization":return"Cost Optimization";case"reliability":return"Reliability";case"performance efficiency":return"Performance Efficiency";case"sustainability":return"Sustainability";default:return"Security"}return"Security"})(),codeSnippet:w.codeSnippet||"",foundBy:w.foundBy??"cdkInsights"}}),b=tg(S,f.cdkPath);f.sources.cdkInsights.issues.push(...b)}return{updatedMap:i,criticalCount:a,highCount:c,mediumCount:u,lowCount:l}};var YH=e=>{if(!e||e.length===0)return 0;let t=e.length,r=new Map;for(let n of e)r.set(n,(r.get(n)||0)+1);let s=0;for(let n of r.values()){let o=n/t;s-=o*Math.log2(o)}return s},S0=(e,t=!1)=>{if(e.length<16||pDe(e)||YH(e)<(t?4:4.5))return!1;let n=/[A-Z]/.test(e),o=/[a-z]/.test(e),i=/[0-9]/.test(e),a=/[^A-Za-z0-9]/.test(e),c=[n,o,i,a].filter(Boolean).length;return t?c>=1:c>=2},pDe=e=>{if(/^https?:\/\//i.test(e)||/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(e)||/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(e)||/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/.test(e)||/^(\/|\.\/|\.\.\/|[A-Za-z]:\\)/.test(e)||/^s3:\/\/[a-z0-9.-]+\//.test(e))return!0;if(/^[A-Za-z0-9+/]{4,}={0,2}$/.test(e)){let t=new Set(e).size;if(e.length>50&&t<10)return!0}return!!mDe(e)},mDe=e=>{let t=e.length;for(let r=1;r<=t/2;r++)if(e.slice(0,r).repeat(Math.ceil(t/r)).slice(0,t)===e)return!0;return!1};var 
fDe=[/api[_-]?key/i,/secret[_-]?key/i,/^password$/i,/^passwd$/i,/credential/i,/private[_-]?key/i,/access[_-]?key/i,/auth[_-]?token/i,/bearer[_-]?token/i,/refresh[_-]?token/i,/client[_-]?secret/i,/app[_-]?secret/i,/secret[_-]?value/i,/aws[_-]?secret/i,/aws[_-]?access[_-]?key/i,/aws[_-]?session[_-]?token/i,/db[_-]?password/i,/database[_-]?password/i,/master[_-]?password/i,/master[_-]?user[_-]?password/i,/admin[_-]?password/i,/root[_-]?password/i,/connection[_-]?string/i,/stripe[_-]?key/i,/stripe[_-]?secret/i,/github[_-]?token/i,/gitlab[_-]?token/i,/slack[_-]?token/i,/slack[_-]?webhook/i,/discord[_-]?token/i,/twilio[_-]?token/i,/sendgrid[_-]?key/i,/mailgun[_-]?key/i,/datadog[_-]?key/i,/new[_-]?relic[_-]?key/i,/sentry[_-]?dsn/i,/webhook[_-]?secret/i,/signing[_-]?key/i,/signing[_-]?secret/i,/encryption[_-]?key/i,/jwt[_-]?secret/i,/hmac[_-]?key/i,/ssh[_-]?key/i,/ssh[_-]?private/i,/pem[_-]?key/i,/rsa[_-]?key/i],gDe=[/^A[BGIK-Z][A-Z]{2}[0-9A-Z]{16}$/,/^[A-Za-z0-9/+=]{40}$/,/-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/,/-----BEGIN PGP PRIVATE KEY 
BLOCK-----/,/^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,/^gh[pousr]_[A-Za-z0-9]{36,}$/,/^[srp]k_(live|test)_[A-Za-z0-9]{24,}$/,/^xox[bpas]-[A-Za-z0-9-]+$/,/^SK[a-f0-9]{32}$/i,/^SG\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/],hDe=[/\{\{resolve:secretsmanager:/,/{{resolve:secretsmanager:/,/\{\{resolve:ssm:/,/{{resolve:ssm:/,/\{\{resolve:ssm-secure:/,/{{resolve:ssm-secure:/,/!Ref\s+\w+/,/!GetAtt\s+[\w.]+/,/!Sub\s+/,/\$\{[\w:.]+\}/,/\$\{Token\[/,/\[\[token:/i,/\${Token\[TOKEN\.\d+\]\}/,/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/],yDe=[/^<[^>]+>$/,/^CHANGE[_-]?ME$/i,/^REPLACE[_-]?ME$/i,/^TODO$/i,/^TODO:/i,/^FIXME$/i,/^XXX$/i,/^YOUR[_-]/i,/^INSERT[_-]/i,/^ENTER[_-]/i,/^\*+$/,/^x+$/i,/^\s*$/,/^default$/i,/^example$/i,/^sample$/i,/^test$/i,/^demo$/i,/^dummy$/i,/^fake$/i,/^mock$/i,/^placeholder$/i],C0=e=>fDe.some(t=>t.test(e)),D0=e=>gDe.some(t=>t.test(e)),E0=e=>hDe.some(t=>t.test(e)),x0=e=>yDe.some(t=>t.test(e)),xg=e=>{if(typeof e!="object"||e===null)return!1;let t=["Ref","Fn::GetAtt","Fn::Sub","Fn::Join","Fn::ImportValue","Fn::If","Fn::Select","Fn::Split","Fn::Base64","Fn::Cidr","Fn::FindInMap","Fn::GetAZs","Fn::Transform"],r=Object.keys(e);return r.length===1&&t.includes(r[0])},_0=e=>{let t=[{patterns:[/api[_-]?key/i,/access[_-]?key/i],category:"api_key"},{patterns:[/password/i,/passwd/i],category:"password"},{patterns:[/private[_-]?key/i,/ssh[_-]?key/i,/pem[_-]?key/i,/rsa[_-]?key/i],category:"private_key"},{patterns:[/aws[_-]?secret/i,/aws[_-]?access/i],category:"aws_credentials"},{patterns:[/token/i,/bearer/i],category:"token"},{patterns:[/secret/i,/credential/i],category:"secret"},{patterns:[/connection[_-]?string/i,/database/i,/db[_-]/i],category:"database"},{patterns:[/webhook/i,/signing/i,/encryption/i,/hmac/i,/jwt/i],category:"encryption_key"}];for(let{patterns:r,category:s}of t)if(r.some(n=>n.test(e)))return s;return"secret"};var Dl=e=>{let t={api_key:`Use AWS Secrets Manager to store API keys securely:
299
+ `)}catch(a){console.error("Failed to write GitHub outputs:",a)}};var zH=(e,t,r,s,n)=>{switch(ae.info(`Generating output in format: ${e}`),e){case"markdown":{let o=Ja(t,r,n,s),i=`${t}_analysis_report.md`;try{v0.writeFileSync(i,o),ae.info(`\u{1F4C4} Saved Markdown report to ${i}`)}catch(a){let c=a instanceof Error?a.message:String(a);throw ae.error(`\u274C Failed to write Markdown report to ${i}: ${c}`),new Error(`Failed to write Markdown report: ${c}`)}break}case"table":{Dg(r);break}case"json":jH(t,n,r),ae.info(`\u{1F4C4} JSON report written to: ${t}_analysis_report.json`);break;case"sarif":{let o=$H(t,r),i=`${t}_analysis_report.sarif`;try{v0.writeFileSync(i,JSON.stringify(o,null,2)),ae.info(`\u{1F4C4} SARIF report written to: ${i}`),console.log(JSON.stringify(o,null,2))}catch(a){let c=a instanceof Error?a.message:String(a);throw ae.error(`\u274C Failed to write SARIF report to ${i}: ${c}`),new Error(`Failed to write SARIF report: ${c}`)}break}case"github-actions":{HH(t,r,n.severityCounts,n.totalResources);break}default:yg(t,n);break}};var b0=(e,t,r)=>{let s=0,n=0,o={CRITICAL:0,HIGH:0,MEDIUM:0,LOW:0},i={"Operational Excellence":0,Security:0,"Cost Optimization":0,Reliability:0,"Performance Efficiency":0,Sustainability:0};for(let u in e){let l=[...e[u].sources.cdkInsights?.issues??[],...e[u].sources.cdkNag?.issues??[]],d=!r||r.has(u);l.length>0&&d&&n++,s+=l.length;for(let m of l)o[m.severity]+=1,i[m.wafPillar]+=1}let a=t,c=Number.parseFloat((n/a*100).toFixed(1));return{totalResources:a,resourcesWithIssues:n,percentWithIssues:c,totalIssues:s,severityCounts:o,wafIssues:i,generatedBy:"cdk-insights",generatedAt:new Date().toISOString()}};var GH=_(require("node:crypto")),qH=e=>GH.createHash("sha256").update(JSON.stringify(e)).digest("hex");var Eg=_(require("node:fs")),VH=_(require("node:path")),KH=e=>{let t=VH.join(e,"manifest.json");if(!Eg.existsSync(t))return{};try{return JSON.parse(Eg.readFileSync(t,"utf-8"))}catch{return{}}};var 
cDe=[/depends\s*on.*(?:not\s*(?:be\s*)?available|may\s*not\s*exist|circular)/i,/dependson.*relationship/i,/resource.*depends.*another.*resource/i,/dependency.*(?:not\s*)?(?:be\s*)?ready/i,/lacks?\s*(?:meaningful\s*)?tags?(?:\s*for)?/i,/missing.*tags?.*(?:metadata|identification)/i,/no\s*tags?\s*(?:defined|configured|specified)/i,/\[redacted\].*(?:incomplete|invalid|malformed|missing)/i,/incomplete.*\[redacted\]/i,/placeholder.*value/i,/missing.*closing.*brace/i,/replac(?:e|ing).*\[redacted\]/i,/\[redacted\].*(?:should|could|must)\s*be/i,/trust.*policy.*any.*service.*\[redacted\]/i,/any.*service.*within.*account.*\[redacted\]/i,/cdk.*metadata.*exposed/i,/metadata.*cdk.*path/i],uDe=[/tags?/i,/naming\s*convention/i,/resource\s*name.*not.*descriptive/i,/lacks?\s*description/i,/missing\s*description/i],lDe=e=>cDe.some(t=>t.test(e)),dDe=e=>uDe.some(t=>t.test(e)),JH=(e,t=!1)=>e.filter(r=>{let s=r.issue||"";return!(lDe(s)||t&&dDe(s))});var ZH=({staticRecommendations:e,aiRecommendations:t,recommendationMap:r,ruleFilter:s,filterIssuesByRule:n,_displayNameMap:o={}})=>{let i={...r};for(let[d,{issues:m}]of Object.entries(e))i[d]&&i[d].sources.cdkInsights.issues.push(...m);let a=0,c=0,u=0,l=0;for(let[d,m]of Object.entries(t)){if(!m||!Array.isArray(m.issues)){ae.warn(`\u26A0\uFE0F No AI issues for resource '${d}', skipping.`);continue}let p=d;if(!i[p]){ae.warn(`\u26A0\uFE0F AI recommendations for unknown resource '${p}', skipping enrichment.`);continue}let f=i[p],g=s.length>0?n(m.issues,s):m.issues,S=JH(g,f.isGenerated).map(w=>{switch(w.severity||(ae.debug(`AI recommendation missing severity for resource '${p}', defaulting to MEDIUM`),w.severity="MEDIUM"),w.severity.toUpperCase()){case"CRITICAL":a++;break;case"HIGH":c++;break;case"MEDIUM":u++;break;case"LOW":l++;break;default:ae.warn(`\u26A0\uFE0F Unknown severity '${w.severity}' for resource '${p}', defaulting to 
MEDIUM`),w.severity="MEDIUM",u++;break}return{resourceName:w.resourceName||f.resourceName,resourceId:p,friendlyName:f.friendlyName,displayName:f.displayName,locationHint:w.locationHint||f.locationHint,constructPath:f.cdkPath,githubUrl:f.githubUrl,docUrl:f.docUrl,issue:w.issue||"AI analysis issue",recommendation:w.recommendation||"No specific recommendation provided",severity:w.severity,wafPillar:(()=>{if(w.wafPillar)switch(w.wafPillar.toLowerCase().trim()){case"security":return"Security";case"operational excellence":return"Operational Excellence";case"cost optimization":return"Cost Optimization";case"reliability":return"Reliability";case"performance efficiency":return"Performance Efficiency";case"sustainability":return"Sustainability";default:return"Security"}return"Security"})(),codeSnippet:w.codeSnippet||"",foundBy:w.foundBy??"cdkInsights"}}),b=tg(S,f.cdkPath);f.sources.cdkInsights.issues.push(...b)}return{updatedMap:i,criticalCount:a,highCount:c,mediumCount:u,lowCount:l}};var YH=e=>{if(!e||e.length===0)return 0;let t=e.length,r=new Map;for(let n of e)r.set(n,(r.get(n)||0)+1);let s=0;for(let n of r.values()){let o=n/t;s-=o*Math.log2(o)}return s},S0=(e,t=!1)=>{if(e.length<16||pDe(e)||YH(e)<(t?4:4.5))return!1;let n=/[A-Z]/.test(e),o=/[a-z]/.test(e),i=/[0-9]/.test(e),a=/[^A-Za-z0-9]/.test(e),c=[n,o,i,a].filter(Boolean).length;return t?c>=1:c>=2},pDe=e=>{if(/^https?:\/\//i.test(e)||/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(e)||/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(e)||/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/.test(e)||/^(\/|\.\/|\.\.\/|[A-Za-z]:\\)/.test(e)||/^s3:\/\/[a-z0-9.-]+\//.test(e))return!0;if(/^[A-Za-z0-9+/]{4,}={0,2}$/.test(e)){let t=new Set(e).size;if(e.length>50&&t<10)return!0}return!!mDe(e)},mDe=e=>{let t=e.length;for(let r=1;r<=t/2;r++)if(e.slice(0,r).repeat(Math.ceil(t/r)).slice(0,t)===e)return!0;return!1};var 
fDe=[/api[_-]?key/i,/secret[_-]?key/i,/^password$/i,/^passwd$/i,/credential/i,/private[_-]?key/i,/access[_-]?key/i,/auth[_-]?token/i,/bearer[_-]?token/i,/refresh[_-]?token/i,/client[_-]?secret/i,/app[_-]?secret/i,/secret[_-]?value/i,/aws[_-]?secret/i,/aws[_-]?access[_-]?key/i,/aws[_-]?session[_-]?token/i,/db[_-]?password/i,/database[_-]?password/i,/master[_-]?password/i,/master[_-]?user[_-]?password/i,/admin[_-]?password/i,/root[_-]?password/i,/connection[_-]?string/i,/stripe[_-]?key/i,/stripe[_-]?secret/i,/github[_-]?token/i,/gitlab[_-]?token/i,/slack[_-]?token/i,/slack[_-]?webhook/i,/discord[_-]?token/i,/twilio[_-]?token/i,/sendgrid[_-]?key/i,/mailgun[_-]?key/i,/datadog[_-]?key/i,/new[_-]?relic[_-]?key/i,/sentry[_-]?dsn/i,/webhook[_-]?secret/i,/signing[_-]?key/i,/signing[_-]?secret/i,/encryption[_-]?key/i,/jwt[_-]?secret/i,/hmac[_-]?key/i,/ssh[_-]?key/i,/ssh[_-]?private/i,/pem[_-]?key/i,/rsa[_-]?key/i],gDe=[/^A[BGIK-Z][A-Z]{2}[0-9A-Z]{16}$/,/^[A-Za-z0-9/+=]{40}$/,/-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----/,/-----BEGIN PGP PRIVATE KEY 
BLOCK-----/,/^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/,/^gh[pousr]_[A-Za-z0-9]{36,}$/,/^[srp]k_(live|test)_[A-Za-z0-9]{24,}$/,/^xox[bpas]-[A-Za-z0-9-]+$/,/^SK[a-f0-9]{32}$/i,/^SG\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/],hDe=[/\{\{resolve:secretsmanager:/,/{{resolve:secretsmanager:/,/\{\{resolve:ssm:/,/{{resolve:ssm:/,/\{\{resolve:ssm-secure:/,/{{resolve:ssm-secure:/,/!Ref\s+\w+/,/!GetAtt\s+[\w.]+/,/!Sub\s+/,/\$\{[\w:.]+\}/,/\$\{Token\[/,/\[\[token:/i,/\${Token\[TOKEN\.\d+\]\}/,/^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d*:/],yDe=[/^<[^>]+>$/,/^CHANGE[_-]?ME$/i,/^REPLACE[_-]?ME$/i,/^TODO$/i,/^TODO:/i,/^FIXME$/i,/^XXX$/i,/^YOUR[_-]/i,/^INSERT[_-]/i,/^ENTER[_-]/i,/^\*+$/,/^x+$/i,/^\s*$/,/^default$/i,/^example$/i,/^sample$/i,/^test$/i,/^demo$/i,/^dummy$/i,/^fake$/i,/^mock$/i,/^placeholder$/i],C0=e=>fDe.some(t=>t.test(e)),D0=e=>gDe.some(t=>t.test(e)),E0=e=>hDe.some(t=>t.test(e)),x0=e=>yDe.some(t=>t.test(e)),xg=e=>{if(typeof e!="object"||e===null)return!1;let t=["Ref","Fn::GetAtt","Fn::Sub","Fn::Join","Fn::ImportValue","Fn::If","Fn::Select","Fn::Split","Fn::Base64","Fn::Cidr","Fn::FindInMap","Fn::GetAZs","Fn::Transform"],r=Object.keys(e);return r.length===1&&t.includes(r[0])},_0=e=>{let t=[{patterns:[/api[_-]?key/i,/access[_-]?key/i],category:"api_key"},{patterns:[/password/i,/passwd/i],category:"password"},{patterns:[/private[_-]?key/i,/ssh[_-]?key/i,/pem[_-]?key/i,/rsa[_-]?key/i],category:"private_key"},{patterns:[/aws[_-]?secret/i,/aws[_-]?access/i],category:"aws_credentials"},{patterns:[/token/i,/bearer/i],category:"token"},{patterns:[/secret/i,/credential/i],category:"secret"},{patterns:[/connection[_-]?string/i,/database/i,/db[_-]/i],category:"database"},{patterns:[/webhook/i,/signing/i,/encryption/i,/hmac/i,/jwt/i],category:"encryption_key"}];for(let{patterns:r,category:s}of t)if(r.some(n=>n.test(e)))return s;return"secret"};var Dl=e=>{let t={api_key:`Use AWS Secrets Manager to store API keys securely:
300
300
 
301
301
  // CDK TypeScript example:
302
302
  import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
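--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "cdk-insights",
- "version": "0.11.1",
+ "version": "0.11.2",
  "description": "AWS CDK security and cost analysis tool with AI-powered insights",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",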