cdk-insights 1.2.10 → 1.4.0
- package/README.md +26 -0
- package/dist/cli/types/cli.types.d.ts +18 -0
- package/dist/entry.js +198 -198
- package/dist/helpers/parseManifestMetadata/parseManifestMetadata.d.ts +2 -1
- package/dist/helpers/sensitiveDataDetection/types.d.ts +25 -2
- package/dist/helpers/synthesizeCdkStacks/synthesizeCdkStacks.d.ts +7 -1
- package/dist/index.d.ts +5 -2
- package/dist/index.js +128 -128
- package/dist/types/analysis.types.d.ts +17 -1
- package/package.json +1 -1
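--- a/package/README.md
+++ b/package/README.md
@@ -160,6 +160,32 @@ Aspects.of(app).add(new CdkInsightsAspect());
 app.synth();
 ```
 
+### Suppressing Findings
+
+Two channels, both feed into the same scan output, SARIF, severity counts, and PR comments:
+
+**Project-wide** — add `ignoreRules` and `ignorePaths` to `.cdk-insights.json`. Trailing `*` wildcards supported.
+
+```json
+{
+"ignoreRules": ["CDK-INSIGHTS-SENSITIVE-*"],
+"ignorePaths": ["MyStack/MarketingSite/*"]
+}
+```
+
+**Inline** (CDK ≥ 2.252.0) — acknowledge a finding next to the construct that triggered it, with a reason captured for audit:
+
+```ts
+import { Validations } from 'aws-cdk-lib';
+
+Validations.of(myBucket).acknowledge({
+id: 'cdk-insights::s3-bucket-public-access',
+reason: 'Public-by-design marketing site',
+});
+```
+
+Acknowledgements cascade to descendant constructs, so scope them as narrowly as the situation allows. See [Suppressing Findings](https://github.com/instancelabs/cdk-insights/blob/main/docs/configuration.md#suppressing-findings) for details.
+
 ---
 
 ## 💰 Pricing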
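--- a/package/dist/cli/types/cli.types.d.ts
+++ b/package/dist/cli/types/cli.types.d.ts
@@ -12,6 +12,8 @@ export interface AnalyzeCommandArgs {
 reset?: boolean;
 failOnCritical?: boolean;
 ruleFilter?: string[];
+ignoreRules?: string[];
+ignorePaths?: string[];
 github?: boolean;
 redact?: boolean;
 summaryOnly?: boolean;
@@ -60,6 +62,22 @@ export interface UserConfig {
 feedback?: boolean;
 /** Sensitive data detection configuration */
 sensitiveDataDetection?: SensitiveDataDetectionConfig;
+/**
+* Rule IDs to suppress project-wide. Matched against `Issue.ruleId`
+* — supports exact match or a trailing `*` wildcard (e.g.
+* `CDK-INSIGHTS-SENSITIVE-*` suppresses every sensitive-data finding).
+* Use this to silence rules that don't apply to your architecture
+* instead of patching each call site.
+*/
+ignoreRules?: string[];
+/**
+* Resource paths (CDK construct paths or logical IDs) to skip entirely.
+* Matched against the resource's `aws:cdk:path` Metadata and its
+* logical ID — supports exact match or trailing `*` wildcard. Use
+* this to carve out a subtree of the template (e.g. an imported
+* third-party construct whose findings are someone else's problem).
+*/
+ignorePaths?: string[];
 cache?: {
 enabled?: boolean;
 ttl?: number;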
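Review bot: The new `ignoreRules` and `ignorePaths` comments in the `UserConfig` hunk do not say whether a suppressed rule or a skipped resource still leaves a trace in the report, so a pattern such as `CDK-INSIGHTS-SENSITIVE-*` can remove a whole class of findings with no reason recorded, unlike the inline acknowledgement, which the README describes as capturing one. I would extend each comment with a sentence along the lines of `Suppressed findings are <listed as suppressed | dropped> in the scan output; a bare "*" <is rejected | matches everything>.`, filled in from the implementation, which this declaration file does not show. The two fields added to `AnalyzeCommandArgs` carry no comment at all; one line on whether CLI values merge with or override the config-file values would help anyone auditing why a finding disappeared. The `ignorePaths` example (an imported third-party construct) is a case where skipping the subtree entirely hides the most, so the comment could recommend the narrowest path that works, as the README already does for acknowledgements. Both interfaces begin and end outside the hunks shown.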