cdk-insights 1.2.5 → 1.2.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/entry.js +163 -161
- package/dist/helpers/sensitiveDataDetection/patterns.d.ts +55 -0
- package/dist/index.js +71 -71
- package/package.json +1 -1
|
@@ -26,6 +26,61 @@ export declare const SAFE_REFERENCE_PATTERNS: RegExp[];
|
|
|
26
26
|
* These are common patterns developers use as placeholders.
|
|
27
27
|
*/
|
|
28
28
|
export declare const PLACEHOLDER_PATTERNS: RegExp[];
|
|
29
|
+
/**
|
|
30
|
+
* Property names whose values are categorically non-sensitive regardless
|
|
31
|
+
* of their shape. These are CloudFormation resource identifiers (names,
|
|
32
|
+
* IDs) and human-readable metadata (descriptions, labels) — the values
|
|
33
|
+
* may look entropy-ish (auto-generated hashes in CDK resource names,
|
|
34
|
+
* long English alarm descriptions) but never contain secret material.
|
|
35
|
+
*
|
|
36
|
+
* If the scanner is tempted to flag one of these by its value alone,
|
|
37
|
+
* short-circuit: the property name is load-bearing and tells us the
|
|
38
|
+
* answer already.
|
|
39
|
+
*
|
|
40
|
+
* Case-insensitive exact-match only — if you want substring behaviour
|
|
41
|
+
* use SENSITIVE_PROPERTY_NAME_PATTERNS.
|
|
42
|
+
*/
|
|
43
|
+
export declare const NEVER_SENSITIVE_PROPERTY_NAMES: RegExp[];
|
|
44
|
+
/**
|
|
45
|
+
* CDK auto-generates resource names by concatenating the stack name,
|
|
46
|
+
* construct path, and an eight-hex-char deterministic hash. The result
|
|
47
|
+
* looks like `CognitoAuthRoledevDefaultPolicy48B1EEFF` — mixed case,
|
|
48
|
+
* alphanumeric, >16 chars, satisfies the entropy heuristic, but is not
|
|
49
|
+
* a secret. Every CDK stack produces these for every IAM DefaultPolicy,
|
|
50
|
+
* Lambda ServiceRole, etc., so this is a universal false-positive
|
|
51
|
+
* shape worth calling out explicitly.
|
|
52
|
+
*
|
|
53
|
+
* Matches: any string ending with a recognised CDK naming suffix
|
|
54
|
+
* followed by an 8+ hex character hash.
|
|
55
|
+
*/
|
|
56
|
+
export declare const CDK_GENERATED_NAME_PATTERN: RegExp;
|
|
57
|
+
/**
|
|
58
|
+
* Property paths (relative to a CloudFormation resource's Properties
|
|
59
|
+
* block) whose values are structured payloads — JSON blobs, state
|
|
60
|
+
* machine definitions, custom-resource handler config. Scanning these
|
|
61
|
+
* as raw strings trips the entropy heuristic because well-formed JSON
|
|
62
|
+
* is lexically dense. These are known-safe by construction.
|
|
63
|
+
*/
|
|
64
|
+
export declare const NON_SENSITIVE_STRUCTURED_PATH_SUFFIXES: RegExp[];
|
|
65
|
+
/**
|
|
66
|
+
* Check if a property name is categorically non-sensitive regardless
|
|
67
|
+
* of its value. Used to short-circuit the scanner on well-known
|
|
68
|
+
* CloudFormation name/description properties.
|
|
69
|
+
*/
|
|
70
|
+
export declare const isAlwaysNonSensitiveProperty: (propertyName: string) => boolean;
|
|
71
|
+
/**
|
|
72
|
+
* Check if a value looks like a CDK-auto-generated resource name.
|
|
73
|
+
* Relies on CDK's naming convention (construct path + 8+ char hash
|
|
74
|
+
* suffix) to identify synth-time identifiers that would otherwise
|
|
75
|
+
* trip the entropy check.
|
|
76
|
+
*/
|
|
77
|
+
export declare const isCdkGeneratedName: (value: string) => boolean;
|
|
78
|
+
/**
|
|
79
|
+
* Check if a property path references a known structured payload
|
|
80
|
+
* (JSON blob, state machine definition, custom resource config) whose
|
|
81
|
+
* value is non-sensitive by construction.
|
|
82
|
+
*/
|
|
83
|
+
export declare const isNonSensitiveStructuredPath: (propertyPath: string) => boolean;
|
|
29
84
|
/**
|
|
30
85
|
* Check if a property name suggests sensitive data
|
|
31
86
|
*/
|