cdk-insights 1.2.6 → 1.2.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -26,6 +26,61 @@ export declare const SAFE_REFERENCE_PATTERNS: RegExp[];
|
|
|
26
26
|
* These are common patterns developers use as placeholders.
|
|
27
27
|
*/
|
|
28
28
|
export declare const PLACEHOLDER_PATTERNS: RegExp[];
|
|
29
|
+
/**
|
|
30
|
+
* Property names whose values are categorically non-sensitive regardless
|
|
31
|
+
* of their shape. These are CloudFormation resource identifiers (names,
|
|
32
|
+
* IDs) and human-readable metadata (descriptions, labels) — the values
|
|
33
|
+
* may look entropy-ish (auto-generated hashes in CDK resource names,
|
|
34
|
+
* long English alarm descriptions) but never contain secret material.
|
|
35
|
+
*
|
|
36
|
+
* If the scanner is tempted to flag one of these by its value alone,
|
|
37
|
+
* short-circuit: the property name is load-bearing and tells us the
|
|
38
|
+
* answer already.
|
|
39
|
+
*
|
|
40
|
+
* Case-insensitive exact-match only — if you want substring behaviour
|
|
41
|
+
* use SENSITIVE_PROPERTY_NAME_PATTERNS.
|
|
42
|
+
*/
|
|
43
|
+
export declare const NEVER_SENSITIVE_PROPERTY_NAMES: RegExp[];
|
|
44
|
+
/**
|
|
45
|
+
* CDK auto-generates resource names by concatenating the stack name,
|
|
46
|
+
* construct path, and an eight-hex-char deterministic hash. The result
|
|
47
|
+
* looks like `CognitoAuthRoledevDefaultPolicy48B1EEFF` — mixed case,
|
|
48
|
+
* alphanumeric, >16 chars, satisfies the entropy heuristic, but is not
|
|
49
|
+
* a secret. Every CDK stack produces these for every IAM DefaultPolicy,
|
|
50
|
+
* Lambda ServiceRole, etc., so this is a universal false-positive
|
|
51
|
+
* shape worth calling out explicitly.
|
|
52
|
+
*
|
|
53
|
+
* Matches: any string ending with a recognised CDK naming suffix
|
|
54
|
+
* followed by an 8+ hex character hash.
|
|
55
|
+
*/
|
|
56
|
+
export declare const CDK_GENERATED_NAME_PATTERN: RegExp;
|
|
57
|
+
/**
|
|
58
|
+
* Property paths (relative to a CloudFormation resource's Properties
|
|
59
|
+
* block) whose values are structured payloads — JSON blobs, state
|
|
60
|
+
* machine definitions, custom-resource handler config. Scanning these
|
|
61
|
+
* as raw strings trips the entropy heuristic because well-formed JSON
|
|
62
|
+
* is lexically dense. These are known-safe by construction.
|
|
63
|
+
*/
|
|
64
|
+
export declare const NON_SENSITIVE_STRUCTURED_PATH_SUFFIXES: RegExp[];
|
|
65
|
+
/**
|
|
66
|
+
* Check if a property name is categorically non-sensitive regardless
|
|
67
|
+
* of its value. Used to short-circuit the scanner on well-known
|
|
68
|
+
* CloudFormation name/description properties.
|
|
69
|
+
*/
|
|
70
|
+
export declare const isAlwaysNonSensitiveProperty: (propertyName: string) => boolean;
|
|
71
|
+
/**
|
|
72
|
+
* Check if a value looks like a CDK-auto-generated resource name.
|
|
73
|
+
* Relies on CDK's naming convention (construct path + 8+ char hash
|
|
74
|
+
* suffix) to identify synth-time identifiers that would otherwise
|
|
75
|
+
* trip the entropy check.
|
|
76
|
+
*/
|
|
77
|
+
export declare const isCdkGeneratedName: (value: string) => boolean;
|
|
78
|
+
/**
|
|
79
|
+
* Check if a property path references a known structured payload
|
|
80
|
+
* (JSON blob, state machine definition, custom resource config) whose
|
|
81
|
+
* value is non-sensitive by construction.
|
|
82
|
+
*/
|
|
83
|
+
export declare const isNonSensitiveStructuredPath: (propertyPath: string) => boolean;
|
|
29
84
|
/**
|
|
30
85
|
* Check if a property name suggests sensitive data
|
|
31
86
|
*/
|
|
@@ -22,6 +22,39 @@ export interface SensitiveDataFinding {
|
|
|
22
22
|
detectionReasonMessage: string;
|
|
23
23
|
/** Recommended secure alternative */
|
|
24
24
|
recommendation: string;
|
|
25
|
+
/**
|
|
26
|
+
* Diagnostic metadata about the flagged value. Populated so users can
|
|
27
|
+
* triage findings without the scanner revealing the full value.
|
|
28
|
+
*/
|
|
29
|
+
diagnostics?: SensitiveDataDiagnostics;
|
|
30
|
+
}
|
|
31
|
+
/**
|
|
32
|
+
* Privacy-preserving diagnostic metadata attached to each finding.
|
|
33
|
+
*
|
|
34
|
+
* The scanner must never emit the full flagged value (it's potentially
|
|
35
|
+
* a real secret). But users triaging false positives need enough signal
|
|
36
|
+
* to recognise what was flagged — especially important for CDK-generated
|
|
37
|
+
* names and other structural false positives where the length + shape
|
|
38
|
+
* immediately identifies the value. The fields here walk that line.
|
|
39
|
+
*/
|
|
40
|
+
export interface SensitiveDataDiagnostics {
|
|
41
|
+
/** Length of the flagged value in characters */
|
|
42
|
+
valueLength: number;
|
|
43
|
+
/**
|
|
44
|
+
* Partial preview: first 4 and last 4 chars joined by an ellipsis
|
|
45
|
+
* (e.g. `Cogn…EEFF`) when the value is long enough for this to be
|
|
46
|
+
* safe. Returns null for values under 20 chars — too short to reveal
|
|
47
|
+
* any portion safely.
|
|
48
|
+
*/
|
|
49
|
+
valueShape: string | null;
|
|
50
|
+
/** Shannon entropy in bits/char (only set for high_entropy detections) */
|
|
51
|
+
entropy?: number;
|
|
52
|
+
/** The threshold the entropy exceeded */
|
|
53
|
+
entropyThreshold?: number;
|
|
54
|
+
/** Which sensitive-property-name pattern matched (property_name detections) */
|
|
55
|
+
matchedPropertyPattern?: string;
|
|
56
|
+
/** Which secret-value pattern matched (value_pattern detections) */
|
|
57
|
+
matchedValuePattern?: string;
|
|
25
58
|
}
|
|
26
59
|
/**
|
|
27
60
|
* Result of scanning a single resource for sensitive data
|