npm - cdk-insights - Versions diffs - 1.17.0 → 1.18.0 - Mend

cdk-insights 1.17.0 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +28 -0
package/dist/aspects/CdkInsightsAspect.d.ts +33 -0
package/dist/aspects/CdkInsightsAspect.js +26 -26
package/dist/entry.js +73 -73
package/dist/index.js +55 -55
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -172,6 +172,34 @@ Aspects.of(app).add(createCdkInsightsAspect());
 app.synth();
 ```
+The aspect runs `cdk-nag`'s `AwsSolutionsChecks` rule pack alongside cdk-insights' own rules. As of 1.17.0, those findings are emitted as **non-blocking Info annotations** (`cdk-insights::nagFinding::*`) instead of cdk-nag's default Error/Warning annotations — the Validations Plugin (below) remains the actual deploy gate, configured per severity.
+##### Auto-suppress CDK / AWS boilerplate
+cdk-nag's `AwsSolutionsChecks` rule pack flags two patterns that are universally noisy for CDK consumers — they're either AWS-recommended defaults or stale rule heuristics:
+- **`AwsSolutions-IAM4`** flags any AWS-managed policy attached to a role, including the standard Lambda execution policies CDK auto-attaches based on event sources (`AWSLambdaBasicExecutionRole`, `AWSLambdaVPCAccessExecutionRole`, `AWSLambdaSQSQueueExecutionRole`, `AWSLambdaDynamoDBExecutionRole`, `AWSLambdaKinesisExecutionRole`). Each is narrowly scoped to a single AWS service — replacing them with customer-managed copies is busywork with no security gain.
+- **`AwsSolutions-L1`** asserts that Lambda runtimes match cdk-nag's known "latest" list, which lags actual AWS LTS releases. Node 20.x / 22.x, Python 3.11–3.13, Java 17/21, .NET 8 are all current AWS LTS at time of writing but get flagged depending on how recent your `aws-cdk-lib` version is.
+Pass `cdkBoilerplateSuppressions: true` to short-circuit both:
+```ts
+Aspects.of(app).add(createCdkInsightsAspect({
+  cdkBoilerplateSuppressions: true,
+}));
+```
+This attaches `NagSuppressions` (with named justifications and `appliesTo` filters) before cdk-nag evaluates each construct, so the matching findings are never emitted. Anything outside the boilerplate set continues to surface — if a role has `AWSLambdaBasicExecutionRole` *and* a custom managed policy, only the boilerplate one is suppressed; the custom policy still produces a finding.
+| Rule | What's suppressed | What still fires |
+|---|---|---|
+| `AwsSolutions-IAM4` | The 5 AWS-managed Lambda execution policy ARNs above | Any other managed policy attached to the same role |
+| `AwsSolutions-L1` | Node 18/20/22, Python 3.11/3.12/3.13, Java 17/21, .NET 8 | Anything outside the LTS allowlist (older runtimes, unsupported ones, custom families) |
+To extend with project-specific suppressions, call `NagSuppressions.addResourceSuppressions(...)` from `cdk-nag` after constructing your stacks. Project decisions like "MFA is opt-in by product policy" belong in the consumer codebase, with a written justification.
+Default is `false` — opt-in is conservative and additive.
 For accurate `file:line` source attribution, CDK needs to record per-construct stack traces during synth. Three ways to enable this, easiest first:
 - **`npx cdk-insights setup`** writes `"@aws-cdk/core:stackTrace": true` into your `cdk.json` `context` block — durable across every `cdk synth` invocation, no env-var dance. Recommended.

package/dist/aspects/CdkInsightsAspect.d.ts CHANGED Viewed

@@ -154,6 +154,39 @@ export interface CdkInsightsAspectOptions {
      * around the construct definition for quick reference.
      */
     includeCodeSnippets?: boolean;
+    /**
+     * Auto-suppress cdk-nag findings for well-known CDK / AWS boilerplate
+     * patterns (default: false). When `true`, the aspect attaches
+     * `NagSuppressions` to matching constructs **before** cdk-nag evaluates
+     * its rules, so the suppressed findings disappear from scan output
+     * entirely. Each suppression carries a named justification.
+     *
+     * Currently covers two universally-noisy rules:
+     *
+     *   - **`AwsSolutions-IAM4`** for the AWS-managed Lambda execution
+     *     policies CDK auto-attaches based on event sources
+     *     (`AWSLambdaBasicExecutionRole`, `AWSLambdaVPCAccessExecutionRole`,
+     *     `AWSLambdaSQSQueueExecutionRole`, `AWSLambdaDynamoDBExecutionRole`,
+     *     `AWSLambdaKinesisExecutionRole`). Each is narrowly scoped to a
+     *     single AWS service; replacing them with customer-managed copies is
+     *     busywork with no security gain. The suppression uses `appliesTo`
+     *     so any *other* managed policy attached to the same role still
+     *     surfaces a finding.
+     *
+     *   - **`AwsSolutions-L1`** for current AWS Lambda LTS runtimes
+     *     (Node 18/20/22, Python 3.11/3.12/3.13, Java 17/21, .NET 8).
+     *     cdk-nag's "latest runtime" check is heuristic and lags new LTS
+     *     releases; this allowlist updates with cdk-insights releases.
+     *
+     * Anything not in the lists above continues to surface normally — opt-in
+     * is conservative and additive.
+     *
+     * Recommended for any project that uses cdk-insights' aspect. To
+     * extend with project-specific suppressions, call
+     * `NagSuppressions.addResourceSuppressions(...)` from `cdk-nag` after
+     * constructing your stacks.
+     */
+    cdkBoilerplateSuppressions?: boolean;
 }
 /**
  * Helper function to check if CDK stack traces are enabled.