cdk-insights 1.2.7 → 1.2.9

package/dist/helpers/sensitiveDataDetection/types.d.ts

@@ -22,6 +22,39 @@ export interface SensitiveDataFinding {
     detectionReasonMessage: string;
     /** Recommended secure alternative */
     recommendation: string;
+    /**
+     * Diagnostic metadata about the flagged value. Populated so users can
+     * triage findings without the scanner revealing the full value.
+     */
+    diagnostics?: SensitiveDataDiagnostics;
+}
+/**
+ * Privacy-preserving diagnostic metadata attached to each finding.
+ *
+ * The scanner must never emit the full flagged value (it's potentially
+ * a real secret). But users triaging false positives need enough signal
+ * to recognise what was flagged — especially important for CDK-generated
+ * names and other structural false positives where the length + shape
+ * immediately identifies the value. The fields here walk that line.
+ */
+export interface SensitiveDataDiagnostics {
+    /** Length of the flagged value in characters */
+    valueLength: number;
+    /**
+     * Partial preview: first 4 and last 4 chars joined by an ellipsis
+     * (e.g. `Cogn…EEFF`) when the value is long enough for this to be
+     * safe. Returns null for values under 20 chars — too short to reveal
+     * any portion safely.
+     */
+    valueShape: string | null;
+    /** Shannon entropy in bits/char (only set for high_entropy detections) */
+    entropy?: number;
+    /** The threshold the entropy exceeded */
+    entropyThreshold?: number;
+    /** Which sensitive-property-name pattern matched (property_name detections) */
+    matchedPropertyPattern?: string;
+    /** Which secret-value pattern matched (value_pattern detections) */
+    matchedValuePattern?: string;
 }
 /**
  * Result of scanning a single resource for sensitive data