cdk-insights 0.15.13 → 0.16.0
- package/README.md +3 -3
- package/dist/analysis/templateLevel/__test__/integration.test.d.ts +1 -0
- package/dist/analysis/templateLevel/checks/crossResourceAntiPatterns/duplicateIamStatementsCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/crossResourceAntiPatterns/dynamodbMissingPitrCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/crossResourceAntiPatterns/eventBridgeTargetsNoDlqCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/crossResourceAntiPatterns/lambdaMissingLogGroupCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/crossResourceAntiPatterns/sharedDlqEventBridgeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/policyAnalysis/broadPrincipalPoliciesCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/policyAnalysis/iamOverlappingPoliciesCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/policyAnalysis/sqsSnsPolicyRedundancyCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/cfnResourceCountCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/cfnTemplateSizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/eventBridgeRulesPerBusCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/iamInlinePolicySizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/iamManagedPolicySizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/iamRoleAggregatePolicySizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/lambdaEnvSizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/lambdaLayersLimitCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/s3BucketPolicySizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/securityGroupRulesLimitCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/snsTopicPolicySizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/checks/serviceLimits/sqsPolicySizeCheck.d.ts +2 -0
- package/dist/analysis/templateLevel/helpers/policyHelpers.d.ts +42 -0
- package/dist/analysis/templateLevel/helpers/resourceCollectors.d.ts +31 -0
- package/dist/analysis/templateLevel/index.d.ts +13 -0
- package/dist/analysis/templateLevel/registry.d.ts +17 -0
- package/dist/analysis/templateLevel/types.d.ts +69 -0
- package/dist/entry.js +180 -180
- package/dist/index.js +126 -126
- package/package.json +4 -4
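--- a/package/README.md
+++ b/package/README.md
@@ -95,7 +95,7 @@ In CI mode, CDK Insights will:
 - Skip interactive prompts
 - Exit with code 1 on critical issues (with `--fail-on-critical`)
 
-👉 [Full CI/CD Setup Guide →](https://github.com/
+👉 [Full CI/CD Setup Guide →](https://github.com/instancelabs/cdk-insights/blob/main/docs/ci-setup.md)
 
 ---
 
@@ -196,8 +196,8 @@ Configure detection in `.cdk-insights.json`:
 
 ## 📚 Links & Resources
 
-- [GitHub Repository & Issues](https://github.com/
-- [Documentation](https://github.com/
+- [GitHub Repository & Issues](https://github.com/instancelabs/cdk-insights)
+- [Documentation](https://github.com/instancelabs/cdk-insights/tree/main/docs)
 - [Pricing & Tiers](https://cdkinsights.dev/#pricing)
 - License: MIT
 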
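--- /dev/null
+++ b/package/dist/analysis/templateLevel/__test__/integration.test.d.ts
@@ -0,0 +1 @@
+export {};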
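Review bot: The new file under `dist/analysis/templateLevel/__test__/` is a test artifact that ends up in the published package (the diffstat lists it as `integration.test.d.ts +1 -0`); test directories should be excluded from the emitted declarations, e.g. via `exclude` in the build tsconfig or the `files` allow-list in package.json, so consumers do not receive test stubs. The file holds only `export {};`, so nothing functional depends on it and removing it from the output is safe.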
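--- /dev/null
+++ b/package/dist/analysis/templateLevel/helpers/policyHelpers.d.ts
@@ -0,0 +1,42 @@
+/**
+ * Shared helpers for measuring policy sizes and resolving CloudFormation references.
+ */
+import type { CloudFormationResource } from '../../../types/analysis.types';
+/**
+ * Measure the byte size of a policy document when serialized to JSON.
+ * CloudFormation serializes policies as JSON, so this matches the deployed size.
+ */
+export declare const measurePolicyBytes: (policyDocument: unknown) => number;
+/**
+ * Count the number of statements in a policy document.
+ */
+export declare const countPolicyStatements: (policyDocument: unknown) => number;
+/**
+ * Resolve a CloudFormation value to a logical resource ID.
+ * Handles Ref, Fn::GetAtt, and literal strings.
+ * Returns the logical resource ID or null if unresolvable.
+ */
+export declare const resolveCfnRef: (value: unknown, allResourceIds: Set<string>) => string | null;
+/**
+ * Recursively find all logical resource IDs referenced in a value.
+ */
+export declare const findAllReferencedResources: (value: unknown, allResourceIds: Set<string>) => string[];
+/**
+ * Get policy statements from a policy document as an array.
+ */
+export declare const getPolicyStatements: (policyDocument: unknown) => Array<Record<string, unknown>>;
+/**
+ * Calculate the percentage of a limit that's been used.
+ */
+export declare const percentOfLimit: (current: number, limit: number) => number;
+/**
+ * Format byte size as human-readable string.
+ */
+export declare const formatBytes: (bytes: number) => string;
+/**
+ * Collect all inline policies from an IAM Role resource.
+ */
+export declare const getInlinePolicies: (resource: CloudFormationResource) => Array<{
+    name: string;
+    document: unknown;
+}>;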
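Review bot: The `measurePolicyBytes` comment claims the result "matches the deployed size", but a template-side policy document typically still contains intrinsic functions (`Ref`, `Fn::GetAtt`, `Fn::Sub`) whose serialized JSON is not the length of the resolved ARNs, and the IAM quotas are specified by AWS in characters (whitespace excluded) rather than bytes, so the size checks built on this helper are estimates; suggest replacing the second sentence with ` * Measures the template-side JSON; unresolved intrinsics and multi-byte characters make this an estimate of the deployed size.`. The `resolveCfnRef` comment lists Ref, Fn::GetAtt and literal strings but should also state that other intrinsics (for example Fn::Sub, Fn::Join, Fn::ImportValue) yield null, so callers know cross-stack and computed references are skipped rather than resolved. `percentOfLimit` does not document its result for `limit <= 0`; a one-line contract such as ` * limit must be > 0; returns current / limit * 100 (may exceed 100).` would pin that down, assuming that is what the implementation (not visible here) does.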
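--- /dev/null
+++ b/package/dist/analysis/templateLevel/helpers/resourceCollectors.d.ts
@@ -0,0 +1,31 @@
+/**
+ * Shared helpers for collecting and grouping resources from CloudFormation templates.
+ */
+import type { CloudFormationResource } from '../../../types/analysis.types';
+/**
+ * Collect all resources of a given type from the template.
+ */
+export declare const collectByType: (resources: Record<string, CloudFormationResource>, type: string) => Array<[string, CloudFormationResource]>;
+/**
+ * Group EventBridge rules by their DLQ target ARN (resolves Ref/GetAtt).
+ * Returns a map of DLQ logical resource ID → array of rule logical resource IDs.
+ */
+export declare const groupEventBridgeRulesByDlqTarget: (resources: Record<string, CloudFormationResource>) => Map<string, string[]>;
+/**
+ * Group EventBridge rules by their event bus name.
+ * Rules without an explicit EventBusName are grouped under "default".
+ */
+export declare const groupEventBridgeRulesByBus: (resources: Record<string, CloudFormationResource>) => Map<string, string[]>;
+/**
+ * Find the SQS queue resource that an SQS::QueuePolicy applies to.
+ * Returns the first resolvable queue logical ID.
+ */
+export declare const findQueueForPolicy: (policyResource: CloudFormationResource, allResourceIds: Set<string>) => string | null;
+/**
+ * Count inbound and outbound rules for a security group, including
+ * both inline rules and separate SecurityGroupIngress/Egress resources.
+ */
+export declare const countSecurityGroupRules: (sgResourceId: string, sgResource: CloudFormationResource, resources: Record<string, CloudFormationResource>) => {
+    inbound: number;
+    outbound: number;
+};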
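Review bot: The `countSecurityGroupRules` comment does not say what a "rule" is for counting purposes; AWS counts each CIDR, security-group reference or prefix-list entry separately (a referenced prefix list consumes its maximum entry count against the per-group quota), so a count of CloudFormation rule entries can understate real usage against the 60-rule limit and the check may miss a deployment failure. Suggest adding ` * Counts CloudFormation rule entries, not expanded CIDR/prefix-list entries; may undercount against the AWS quota.` unless the implementation (not visible here) already expands them. The `groupEventBridgeRulesByDlqTarget` comment says "by their DLQ target ARN" while the map is keyed by logical resource ID; it should state that rules whose DeadLetterConfig is a literal ARN of a queue outside the template are presumably dropped, since they have no logical ID to group under. `findQueueForPolicy` returning only the first resolvable queue also deserves a note that a QueuePolicy attached to several queues is attributed to one of them.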
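--- /dev/null
+++ b/package/dist/analysis/templateLevel/index.d.ts
@@ -0,0 +1,13 @@
+/**
+ * Template-Level Analysis
+ *
+ * Analyzes the full CloudFormation template for cross-resource patterns,
+ * AWS service limit violations, and policy issues that cannot be detected
+ * by analyzing resources individually.
+ *
+ * Runs client-side only — templates never leave the user's machine.
+ * Free for all users — no backend cost or tier gating.
+ */
+export { runAllTemplateLevelChecks, getRegisteredChecks } from './registry';
+export type { TemplateLevelCheckFunction, TemplateLevelCheckDefinition, TemplateLevelCategory, } from './types';
+export { AWS_SERVICE_LIMITS, WARNING_THRESHOLD } from './types';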
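--- /dev/null
+++ b/package/dist/analysis/templateLevel/registry.d.ts
@@ -0,0 +1,17 @@
+/**
+ * Template-Level Check Registry
+ *
+ * Registers all template-level checks and provides the runner that
+ * executes them against a CloudFormation template.
+ */
+import type { CloudFormationStack, CreateFindingFunction, AnalysisResults } from '../../types/analysis.types';
+import type { TemplateLevelCheckDefinition } from './types';
+/**
+ * Run all template-level checks against a CloudFormation stack.
+ * Merges results from all checks, tagging each issue with its ruleId.
+ */
+export declare const runAllTemplateLevelChecks: (template: CloudFormationStack, createFinding: CreateFindingFunction, ruleFilter?: string[]) => AnalysisResults;
+/**
+ * Get all registered template-level check definitions (for documentation/listing).
+ */
+export declare const getRegisteredChecks: () => readonly TemplateLevelCheckDefinition[];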
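Review bot: The `ruleFilter?: string[]` parameter of `runAllTemplateLevelChecks` is undocumented: the declaration does not say whether it is an allow-list or a deny-list of rule IDs, whether an empty array means "run nothing" or "run everything", or whether unknown IDs are ignored or reported. Suggest a `@param ruleFilter` line such as ` * @param ruleFilter Optional allow-list of rule IDs (e.g. TL-LIMIT-001); omitted runs every registered check.`, adjusted to the actual semantics of the implementation, which is not visible here. The doc should also state whether a check that throws on a malformed template aborts the whole run or is isolated, since in the former case one bad resource would silence every other finding in the merged result.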
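--- /dev/null
+++ b/package/dist/analysis/templateLevel/types.d.ts
@@ -0,0 +1,69 @@
+/**
+ * Template-Level Analysis Types and Constants
+ *
+ * Template-level checks analyze the full CloudFormation template to detect
+ * cross-resource patterns, AWS service limit violations, and policy issues
+ * that cannot be found by analyzing resources individually.
+ */
+import type { CloudFormationStack, CreateFindingFunction, AnalysisResults, Severity, WAFPillars } from '../../types/analysis.types';
+/**
+ * Category for template-level check rule IDs.
+ * TL-LIMIT-xxx = Service limit checks
+ * TL-XRES-xxx = Cross-resource anti-pattern checks
+ * TL-POL-xxx = Policy analysis checks
+ */
+export type TemplateLevelCategory = 'serviceLimits' | 'crossResourceAntiPatterns' | 'policyAnalysis';
+/**
+ * A template-level check function.
+ * Receives the FULL CloudFormation stack (all resources).
+ * Returns AnalysisResults keyed by affected resource logical ID.
+ *
+ * Intentionally matches the AWSServiceCheckFunction signature so it
+ * integrates seamlessly with the existing pipeline.
+ */
+export type TemplateLevelCheckFunction = (template: CloudFormationStack, createFinding: CreateFindingFunction) => AnalysisResults;
+/**
+ * Metadata about a registered template-level check.
+ */
+export interface TemplateLevelCheckDefinition {
+    /** Unique rule ID: TL-LIMIT-001, TL-XRES-001, TL-POL-001, etc. */
+    ruleId: string;
+    /** Human-readable title */
+    title: string;
+    /** Category for grouping */
+    category: TemplateLevelCategory;
+    /** Default severity */
+    defaultSeverity: Severity;
+    /** WAF pillar */
+    wafPillar: WAFPillars;
+    /** The check function */
+    check: TemplateLevelCheckFunction;
+    /** Description for documentation */
+    description: string;
+}
+/**
+ * AWS service limits used by checks.
+ * All values are in bytes unless noted otherwise.
+ */
+export declare const AWS_SERVICE_LIMITS: {
+    readonly SQS_POLICY_MAX_BYTES: 8192;
+    readonly SQS_POLICY_MAX_STATEMENTS: 20;
+    readonly IAM_INLINE_POLICY_MAX_BYTES: 2048;
+    readonly IAM_MANAGED_POLICY_MAX_BYTES: 6144;
+    readonly IAM_ROLE_AGGREGATE_INLINE_MAX_BYTES: 10240;
+    readonly LAMBDA_ENV_MAX_BYTES: 4096;
+    readonly LAMBDA_MAX_LAYERS: 5;
+    readonly S3_BUCKET_POLICY_MAX_BYTES: 20480;
+    readonly SNS_TOPIC_POLICY_MAX_BYTES: 30720;
+    readonly EVENTBRIDGE_RULES_PER_BUS_DEFAULT: 300;
+    readonly CFN_MAX_RESOURCES: 500;
+    readonly CFN_TEMPLATE_MAX_BYTES_DIRECT: 51200;
+    readonly CFN_TEMPLATE_MAX_BYTES_S3: 460800;
+    readonly SECURITY_GROUP_MAX_INBOUND_RULES: 60;
+    readonly SECURITY_GROUP_MAX_OUTBOUND_RULES: 60;
+};
+/**
+ * Warning threshold ratio: flag when usage exceeds this fraction of the limit.
+ * e.g., 0.8 means warn at 80% of the limit.
+ */
+export declare const WARNING_THRESHOLD = 0.8;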
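Review bot: The `AWS_SERVICE_LIMITS` comment says "All values are in bytes unless noted otherwise", but six members are counts (`SQS_POLICY_MAX_STATEMENTS`, `LAMBDA_MAX_LAYERS`, `EVENTBRIDGE_RULES_PER_BUS_DEFAULT`, `CFN_MAX_RESOURCES`, `SECURITY_GROUP_MAX_INBOUND_RULES`, `SECURITY_GROUP_MAX_OUTBOUND_RULES`) and nothing notes it except the name suffix; a per-member `/** unit + AWS quota it mirrors */` comment would make the contract explicit. Several of these are adjustable account quotas (EventBridge rules per bus, security group rules per group), so the header should say they are default values and that findings can be false positives for accounts with raised quotas, e.g. ` * Values are AWS default quotas; adjustable quotas may be higher in a given account.`. `IAM_INLINE_POLICY_MAX_BYTES: 2048` corresponds to the per-user inline-policy quota, while roles (10,240, which `IAM_ROLE_AGGREGATE_INLINE_MAX_BYTES` already reflects) and groups (5,120) differ, and AWS states these IAM quotas in characters excluding whitespace rather than bytes; worth confirming that `iamInlinePolicySizeCheck` (listed in the diffstat, body not visible here) does not apply 2048 to role policies.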