cdk-insights 1.27.0 → 1.28.0
- package/README.md +50 -0
- package/dist/cli/commands/analyse.d.ts +20 -0
- package/dist/cli/commands/watch.d.ts +11 -0
- package/dist/cli/types/cli.types.d.ts +8 -0
- package/dist/entry.js +308 -258
- package/dist/fixers/registry.test.d.ts +1 -0
- package/dist/helpers/cdkWatchConfig/cdkWatchConfig.d.ts +9 -0
- package/dist/helpers/cdkWatchConfig/cdkWatchConfig.test.d.ts +1 -0
- package/dist/index.js +3 -3
- package/package.json +2 -1
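--- a/package/README.md
+++ b/package/README.md
@@ -103,6 +103,50 @@ CDK Insights scans for real problems across **35+ AWS services**:
 | Markdown report | `npx cdk-insights scan --output markdown > report.md` |
 | CI/CD with fail gate | `npx cdk-insights scan --all --output json --fail-on-critical` |
 | Create GitHub issue | `npx cdk-insights scan --output markdown --with-issue` |
+| Live feedback while editing | `npx cdk-insights scan --watch` |
+
+---
+
+<a id="watch-mode"></a>
+
+## 👀 Watch mode
+
+```bash
+npx cdk-insights scan --watch
+```
+
+Re-runs `cdk synth` + the static rule pack on every save and reprints the findings table — terminal stays focused on the latest result, vitest-watch style. **The watch loop never deploys**: it shells out to `cdk synth` only, never `cdk deploy`. Don't reach for `cdk watch` for this purpose; that's a shortcut for `deploy --watch` and will push real infra on every save.
+
+#### Reuses your existing `cdk.json` watch config
+
+The watcher reads the same `watch.include` / `watch.exclude` block CDK uses for `cdk watch`, so a single config drives both:
+
+```json
+{
+"app": "node bin/my-app.js",
+"watch": {
+"include": ["lib/**/*.ts", "bin/**/*.ts"],
+"exclude": ["**/*.test.ts", "**/handlers/**"]
+}
+}
+```
+
+If the `watch` block is absent, defaults match aws-cdk's `CdkToolkit` exactly: include defaults to the project root (watch everything), and `**/.*`, `**/.*/**`, `**/node_modules/**`, plus the cloud-assembly output dir (`output` in cdk.json, default `cdk.out`) are always excluded — user-provided excludes are *appended to* this list, never replace it.
+
+#### Watch-safe defaults
+
+A few flags are forced or rejected because they don't make sense in a re-rendering live loop:
+
+| Flag | Behaviour in `--watch` | Why |
+|---|---|---|
+| AI analysis | Forced off (`--local`) | Cache-miss = 1 credit per resource. Running on every save would burn credits with each edit. Run `cdk-insights scan` manually when you want AI feedback on a known-good intermediate state. |
+| `--writeBaseline` | Rejected with error | Would silently overwrite the baseline file on every save. |
+| `--diff` | Rejected with error | Filters findings against a moving target; meaningless when re-running continuously. |
+| `--github`, `--withIssue`, `--prComment` | Forced off | Would otherwise create a GitHub issue / post a PR comment on every save. |
+| `failOnCritical` | Forced off | Would kill the watcher on the first critical finding. |
+| `--output json` / `sarif` / `markdown` / `github-actions` | Coerced to `table` (one-line warning) | Machine formats don't make sense for a re-rendering live loop. |
+
+Loop ergonomics: 300 ms debounce on file events, queue-while-running so a save during an in-flight analysis triggers exactly one follow-up, synth failures preserve the last good results instead of crashing the watcher, `Ctrl+C` cleans up the chokidar watcher before exit.
 
 ---
 
@@ -249,6 +293,12 @@ For accurate `file:line` source attribution, CDK needs to record per-construct s
 
 `cdk-insights scan` already sets `CDK_DEBUG=true` on its spawned synth process, so users on the CLI path get high-confidence attribution out of the box. The above is for users who run `cdk synth` themselves with the aspect attached. On `aws-cdk-lib` ≥ 2.252.0, findings on deferred or post-construction property assignments (lifecycle rules, env vars, role policies, `Lazy.string`/`Lazy.any` values) point at the property setter line — not the construct constructor — automatically. Older CDKs continue to work; you'll just get construct-level attribution.
 
+##### Re-run findings on every save
+
+If you have the aspect attached and run `cdk synth` yourself (manually, or via your own watcher), the rules re-evaluate every time synth runs — no extra wiring needed.
+
+For an out-of-the-box live loop, use the `cdk-insights scan --watch` flag instead — it's documented in [Watch mode](#watch-mode) below and runs synth-only (no deploy). Don't reach for `cdk watch` for this purpose: it's a shortcut for `deploy --watch` and will push real infra to AWS on every save.
+
 #### Validations plugin — for synth-time enforcement
 
 Requires `aws-cdk-lib` ≥ 2.251.0: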
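--- a/package/dist/cli/commands/analyse.d.ts
+++ b/package/dist/cli/commands/analyse.d.ts
@@ -1,3 +1,23 @@
 import type { CommandModule } from 'yargs';
+import type { IssueGroup } from '../../types/analysis.types';
 import type { AnalyzeCommandArgs } from '../types/cli.types';
+export declare function runStackAnalysis(finalConfig: AnalyzeCommandArgs, fingerprint?: string, authToken?: string, licenseInfo?: any, usageData?: any, _project?: string, licenseKey?: string, forceLocal?: boolean, sensitiveDataConfig?: {
+enabled?: boolean;
+warnOnly?: boolean;
+allowPatterns?: string[];
+ignoreProperties?: string[];
+strictMode?: boolean;
+}, baselineExclude?: Set<string>, collectFingerprints?: Set<string>, skipRendering?: boolean): Promise<{
+totalResources: number;
+recommendationMaps: {};
+hasCriticalIssues: boolean;
+scannedResourceIds: Set<string>;
+hasSensitiveData?: undefined;
+} | {
+totalResources: number;
+recommendationMaps: Record<string, IssueGroup>;
+hasCriticalIssues: boolean;
+hasSensitiveData: boolean;
+scannedResourceIds: Set<string>;
+}>;
 export declare const analyzeCommand: CommandModule<Record<string, unknown>, AnalyzeCommandArgs>;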
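Review bot: The newly exported `runStackAnalysis` signature (new line 4) declares `licenseInfo?: any` and `usageData?: any`, while the `RunWatchLoopArgs` interface added in watch.d.ts declares the same two fields as `unknown`; the two declarations should agree, and `unknown` is the one that forces callers to narrow before use, so the source signature should read `licenseInfo?: unknown, usageData?: unknown`. Because this is emitted `.d.ts`, the change belongs in the TypeScript source that produces it, not in the dist file. The twelve-parameter positional list, with several adjacent optional `string` and `boolean` values including `authToken` and `licenseKey`, is easy to mis-order at a call site without a compile error; an options object of the kind `runWatchLoop` already takes would turn such a swap into a type error. The `recommendationMaps: {}` in the first union branch presumably comes from an untyped empty literal in the source; annotating it as `Record<string, IssueGroup>` there would collapse the return type into a single shape and remove the `hasSensitiveData?: undefined` variant callers must currently distinguish.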
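--- a/package/dist/cli/commands/watch.d.ts
+++ b/package/dist/cli/commands/watch.d.ts
@@ -0,0 +1,11 @@
+import type { AnalyzeCommandArgs } from '../types/cli.types';
+export interface RunWatchLoopArgs {
+config: AnalyzeCommandArgs;
+fingerprint: string;
+authToken: string | undefined;
+licenseInfo: unknown;
+usageData: unknown;
+project: string | undefined;
+licenseKey: string | undefined;
+}
+export declare const runWatchLoop: (args: RunWatchLoopArgs) => Promise<void>;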
@@ -30,6 +30,14 @@ export interface AnalyzeCommandArgs {
|
|
|
30
30
|
writeBaseline?: boolean;
|
|
31
31
|
/** Override path to baseline file (default `.cdk-insights-baseline.json`). */
|
|
32
32
|
baseline?: string;
|
|
33
|
+
/**
|
|
34
|
+
* Watch CDK source files and re-run static analysis on save. Reuses
|
|
35
|
+
* cdk.json's `watch.include` / `watch.exclude` block when present
|
|
36
|
+
* (same conventions as `cdk watch`). AI analysis, baseline writes,
|
|
37
|
+
* GitHub issue creation, PR comments and scan history upload are all
|
|
38
|
+
* disabled while in watch mode.
|
|
39
|
+
*/
|
|
40
|
+
watch?: boolean;
|
|
33
41
|
cache?: {
|
|
34
42
|
enabled?: boolean;
|
|
35
43
|
ttl?: number;
|