npm - ecr-scan-verifier - Versions diffs - 0.0.0 - Mend

ecr-scan-verifier 0.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/.jsii +5154 -0
package/.projenrc.d.ts +1 -0
package/API.md +1184 -0
package/CONTRIBUTION.md +17 -0
package/LICENSE +202 -0
package/README.md +231 -0
package/assets/lambda/dist/index.js +61 -0
package/assets/lambda/index.ts +1 -0
package/lib/custom-resource-props.d.ts +20 -0
package/lib/custom-resource-props.js +3 -0
package/lib/ecr-scan-verifier.d.ts +116 -0
package/lib/ecr-scan-verifier.js +126 -0
package/lib/index.d.ts +5 -0
package/lib/index.js +22 -0
package/lib/sbom-output.d.ts +75 -0
package/lib/sbom-output.js +78 -0
package/lib/scan-config.d.ts +72 -0
package/lib/scan-config.js +58 -0
package/lib/scan-logs-output.d.ts +93 -0
package/lib/scan-logs-output.js +76 -0
package/lib/types.d.ts +29 -0
package/lib/types.js +35 -0
package/package.json +106 -0

package/lib/ecr-scan-verifier.js ADDED Viewed

@@ -0,0 +1,126 @@
+"use strict";
+var _a;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EcrScanVerifier = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+const path_1 = require("path");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const aws_lambda_1 = require("aws-cdk-lib/aws-lambda");
+const custom_resources_1 = require("aws-cdk-lib/custom-resources");
+const constructs_1 = require("constructs");
+const types_1 = require("./types");
+/**
+ * A Construct that verifies container image scan findings with ECR image scanning.
+ * It uses a Lambda function as a Custom Resource provider to call ECR scan APIs
+ * and evaluate scan findings.
+ */
+class EcrScanVerifier extends constructs_1.Construct {
+    constructor(scope, id, props) {
+        super(scope, id);
+        this.defaultLogGroup = props.defaultLogGroup;
+        const lambdaPurpose = 'Custom::EcrScanVerifierCustomResourceLambda';
+        const customResourceLambda = new aws_lambda_1.SingletonFunction(this, 'CustomResourceLambda', {
+            uuid: 'c56cee6b-6775-541b-d179-c1535d88a0c8',
+            lambdaPurpose,
+            runtime: aws_lambda_1.Runtime.NODEJS_22_X,
+            handler: 'index.handler',
+            code: aws_lambda_1.Code.fromAsset((0, path_1.join)(__dirname, '../assets/lambda/dist'), {
+                // exclude node_modules
+                // because the native binary of the installed esbuild changes depending on the cpu architecture
+                // and the hash value of the image asset changes depending on the execution environment.
+                exclude: ['node_modules'],
+            }),
+            architecture: aws_lambda_1.Architecture.ARM_64,
+            timeout: aws_cdk_lib_1.Duration.seconds(900),
+            retryAttempts: 0,
+            logGroup: this.defaultLogGroup,
+        });
+        const imageTag = props.imageTag ?? 'latest';
+        const scanConfigOutput = props.scanConfig.bind();
+        // Validate: SBOM output requires Enhanced scanning
+        if (props.sbomOutput && scanConfigOutput.scanType === 'BASIC') {
+            throw new Error('SBOM output is only available with Enhanced scanning (ScanConfig.enhanced()). Basic scanning does not support SBOM generation.');
+        }
+        const outputOptions = props.scanLogsOutput?.bind(customResourceLambda);
+        // SBOM output (independent from scan logs)
+        const sbomConfig = props.sbomOutput?.bind(customResourceLambda);
+        // ECR scan permissions
+        customResourceLambda.addToRolePolicy(new aws_iam_1.PolicyStatement({
+            actions: ['ecr:DescribeImageScanFindings', 'ecr:DescribeImages'],
+            resources: [props.repository.repositoryArn],
+        }));
+        if (scanConfigOutput.scanType === 'ENHANCED') {
+            customResourceLambda.addToRolePolicy(new aws_iam_1.PolicyStatement({
+                actions: ['inspector2:ListCoverage', 'inspector2:ListFindings'],
+                resources: ['*'],
+            }));
+        }
+        if (scanConfigOutput.startScan) {
+            customResourceLambda.addToRolePolicy(new aws_iam_1.PolicyStatement({
+                actions: ['ecr:StartImageScan'],
+                resources: [props.repository.repositoryArn],
+            }));
+        }
+        // SBOM export permissions (Inspector CreateSbomExport)
+        if (sbomConfig) {
+            customResourceLambda.addToRolePolicy(new aws_iam_1.PolicyStatement({
+                actions: ['inspector2:CreateSbomExport', 'inspector2:GetSbomExport'],
+                resources: ['*'],
+            }));
+        }
+        if (props.vulnsNotificationTopic) {
+            props.vulnsNotificationTopic.grantPublish(customResourceLambda);
+        }
+        const suppressErrorOnRollback = props.suppressErrorOnRollback ?? true;
+        if (suppressErrorOnRollback) {
+            customResourceLambda.addToRolePolicy(new aws_iam_1.PolicyStatement({
+                actions: ['cloudformation:DescribeStacks'],
+                resources: [aws_cdk_lib_1.Stack.of(this).stackId],
+            }));
+        }
+        // Check for defaultLogGroup consistency across multiple instances in the same stack
+        aws_cdk_lib_1.Aspects.of(aws_cdk_lib_1.Stack.of(this)).add({
+            visit: (node) => {
+                if (node instanceof EcrScanVerifier &&
+                    node._defaultLogGroup?.node.path !== this.defaultLogGroup?.node.path) {
+                    aws_cdk_lib_1.Annotations.of(this).addWarningV2('@ecr-scan-verifier:duplicateLambdaDefaultLogGroup', "You have to set the same log group for 'defaultLogGroup' for each EcrScanVerifier construct in the same stack.");
+                }
+            },
+        });
+        const verifierProvider = new custom_resources_1.Provider(this, 'Provider', {
+            onEventHandler: customResourceLambda,
+        });
+        const verifierProperties = {
+            addr: this.node.addr,
+            repositoryName: props.repository.repositoryName,
+            imageTag,
+            scanType: scanConfigOutput.scanType,
+            startScan: String(scanConfigOutput.startScan),
+            severity: props.severity ?? [types_1.Severity.CRITICAL],
+            failOnVulnerability: String(props.failOnVulnerability ?? true),
+            ignoreFindings: props.ignoreFindings ?? [],
+            output: outputOptions,
+            sbom: sbomConfig,
+            suppressErrorOnRollback: String(suppressErrorOnRollback),
+            vulnsTopicArn: props.vulnsNotificationTopic?.topicArn,
+            defaultLogGroupName: this.defaultLogGroup?.logGroupName ?? `/aws/lambda/${customResourceLambda.functionName}`,
+        };
+        new aws_cdk_lib_1.CustomResource(this, 'Resource', {
+            resourceType: 'Custom::EcrScanVerifier',
+            properties: verifierProperties,
+            serviceToken: verifierProvider.serviceToken,
+        });
+        props.blockConstructs?.forEach((construct) => {
+            construct.node.addDependency(this);
+        });
+    }
+    /** @internal */
+    get _defaultLogGroup() {
+        return this.defaultLogGroup;
+    }
+}
+exports.EcrScanVerifier = EcrScanVerifier;
+_a = JSII_RTTI_SYMBOL_1;
+EcrScanVerifier[_a] = { fqn: "ecr-scan-verifier.EcrScanVerifier", version: "0.0.0" };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZWNyLXNjYW4tdmVyaWZpZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvZWNyLXNjYW4tdmVyaWZpZXIudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFBQSwrQkFBNEI7QUFDNUIsNkNBQW9GO0FBRXBGLGlEQUFzRDtBQUN0RCx1REFBd0Y7QUFHeEYsbUVBQXdEO0FBQ3hELDJDQUFtRDtBQUtuRCxtQ0FBbUM7QUErR25DOzs7O0dBSUc7QUFDSCxNQUFhLGVBQWdCLFNBQVEsc0JBQVM7SUFHNUMsWUFBWSxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUEyQjtRQUNuRSxLQUFLLENBQUMsS0FBSyxFQUFFLEVBQUUsQ0FBQyxDQUFDO1FBRWpCLElBQUksQ0FBQyxlQUFlLEdBQUcsS0FBSyxDQUFDLGVBQWUsQ0FBQztRQUM3QyxNQUFNLGFBQWEsR0FBRyw2Q0FBNkMsQ0FBQztRQUVwRSxNQUFNLG9CQUFvQixHQUFHLElBQUksOEJBQWlCLENBQUMsSUFBSSxFQUFFLHNCQUFzQixFQUFFO1lBQy9FLElBQUksRUFBRSxzQ0FBc0M7WUFDNUMsYUFBYTtZQUNiLE9BQU8sRUFBRSxvQkFBTyxDQUFDLFdBQVc7WUFDNUIsT0FBTyxFQUFFLGVBQWU7WUFDeEIsSUFBSSxFQUFFLGlCQUFJLENBQUMsU0FBUyxDQUFDLElBQUEsV0FBSSxFQUFDLFNBQVMsRUFBRSx1QkFBdUIsQ0FBQyxFQUFFO2dCQUM3RCx1QkFBdUI7Z0JBQ3ZCLCtGQUErRjtnQkFDL0Ysd0ZBQXdGO2dCQUN4RixPQUFPLEVBQUUsQ0FBQyxjQUFjLENBQUM7YUFDMUIsQ0FBQztZQUNGLFlBQVksRUFBRSx5QkFBWSxDQUFDLE1BQU07WUFDakMsT0FBTyxFQUFFLHNCQUFRLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQztZQUM5QixhQUFhLEVBQUUsQ0FBQztZQUNoQixRQUFRLEVBQUUsSUFBSSxDQUFDLGVBQWU7U0FDL0IsQ0FBQyxDQUFDO1FBRUgsTUFBTSxRQUFRLEdBQUcsS0FBSyxDQUFDLFFBQVEsSUFBSSxRQUFRLENBQUM7UUFFNUMsTUFBTSxnQkFBZ0IsR0FBRyxLQUFLLENBQUMsVUFBVSxDQUFDLElBQUksRUFBRSxDQUFDO1FBQ2pELG1EQUFtRDtRQUNuRCxJQUFJLEtBQUssQ0FBQyxVQUFVLElBQUksZ0JBQWdCLENBQUMsUUFBUSxLQUFLLE9BQU8sRUFBRSxDQUFDO1lBQzlELE1BQU0sSUFBSSxLQUFLLENBQ2IsZ0lBQWdJLENBQ2pJLENBQUM7UUFDSixDQUFDO1FBRUQsTUFBTSxhQUFhLEdBQUcsS0FBSyxDQUFDLGNBQWMsRUFBRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUV2RSwyQ0FBMkM7UUFDM0MsTUFBTSxVQUFVLEdBQUcsS0FBSyxDQUFDLFVBQVUsRUFBRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUVoRSx1QkFBdUI7UUFDdkIsb0JBQW9CLENBQUMsZUFBZSxDQUNsQyxJQUFJLHlCQUFlLENBQUM7WUFDbEIsT0FBTyxFQUFFLENBQUMsK0JBQStCLEVBQUUsb0JBQW9CLENBQUM7WUFDaEUsU0FBUyxFQUFFLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxhQUFhLENBQUM7U0FDNUMsQ0FBQyxDQUNILENBQUM7UUFFRixJQUFJLGdCQUFnQixDQUFDLFFBQVEsS0FBSyxVQUFVLEVBQUUsQ0FBQztZQUM3QyxvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztnQkFDbEIsT0FBTyxFQUFFLENBQUMseUJBQXlCLEVBQUUseUJBQXlCLENBQUM7Z0JBQy9ELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQzthQUNqQixDQUFDLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFFRCxJQUFJLGdCQUFnQixDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQy9CLG9CQUFvQixDQUFDLGVBQWUsQ0FDbEMsSUFBSSx5QkFBZSxDQUFDO2dCQUNsQixPQUFPLEVBQUUsQ0FBQyxvQkFBb0IsQ0FBQztnQkFDL0IsU0FBUyxFQUFFLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FBQyxhQUFhLENBQUM7YUFDNUMsQ0FBQyxDQUNILENBQUM7UUFDSixDQUFDO1FBRUQsdURBQXVEO1FBQ3ZELElBQUksVUFBVSxFQUFFLENBQUM7WUFDZixvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztnQkFDbEIsT0FBTyxFQUFFLENBQUMsNkJBQTZCLEVBQUUsMEJBQTBCLENBQUM7Z0JBQ3BFLFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQzthQUNqQixDQUFDLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFFRCxJQUFJLEtBQUssQ0FBQyxzQkFBc0IsRUFBRSxDQUFDO1lBQ2pDLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQyxZQUFZLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUNsRSxDQUFDO1FBRUQsTUFBTSx1QkFBdUIsR0FBRyxLQUFLLENBQUMsdUJBQXVCLElBQUksSUFBSSxDQUFDO1FBQ3RFLElBQUksdUJBQXVCLEVBQUUsQ0FBQztZQUM1QixvQkFBb0IsQ0FBQyxlQUFlLENBQ2xDLElBQUkseUJBQWUsQ0FBQztnQkFDbEIsT0FBTyxFQUFFLENBQUMsK0JBQStCLENBQUM7Z0JBQzFDLFNBQVMsRUFBRSxDQUFDLG1CQUFLLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLE9BQU8sQ0FBQzthQUNwQyxDQUFDLENBQ0gsQ0FBQztRQUNKLENBQUM7UUFFRCxvRkFBb0Y7UUFDcEYscUJBQU8sQ0FBQyxFQUFFLENBQUMsbUJBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUM7WUFDN0IsS0FBSyxFQUFFLENBQUMsSUFBSSxFQUFFLEVBQUU7Z0JBQ2QsSUFDRSxJQUFJLFlBQVksZUFBZTtvQkFDL0IsSUFBSSxDQUFDLGdCQUFnQixFQUFFLElBQUksQ0FBQyxJQUFJLEtBQUssSUFBSSxDQUFDLGVBQWUsRUFBRSxJQUFJLENBQUMsSUFBSSxFQUNwRSxDQUFDO29CQUNELHlCQUFXLENBQUMsRUFBRSxDQUFDLElBQUksQ0FBQyxDQUFDLFlBQVksQ0FDL0IsbURBQW1ELEVBQ25ELGdIQUFnSCxDQUNqSCxDQUFDO2dCQUNKLENBQUM7WUFDSCxDQUFDO1NBQ0YsQ0FBQyxDQUFDO1FBRUgsTUFBTSxnQkFBZ0IsR0FBRyxJQUFJLDJCQUFRLENBQUMsSUFBSSxFQUFFLFVBQVUsRUFBRTtZQUN0RCxjQUFjLEVBQUUsb0JBQW9CO1NBQ3JDLENBQUMsQ0FBQztRQUVILE1BQU0sa0JBQWtCLEdBQStCO1lBQ3JELElBQUksRUFBRSxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUk7WUFDcEIsY0FBYyxFQUFFLEtBQUssQ0FBQyxVQUFVLENBQUMsY0FBYztZQUMvQyxRQUFRO1lBQ1IsUUFBUSxFQUFFLGdCQUFnQixDQUFDLFFBQVE7WUFDbkMsU0FBUyxFQUFFLE1BQU0sQ0FBQyxnQkFBZ0IsQ0FBQyxTQUFTLENBQUM7WUFDN0MsUUFBUSxFQUFFLEtBQUssQ0FBQyxRQUFRLElBQUksQ0FBQyxnQkFBUSxDQUFDLFFBQVEsQ0FBQztZQUMvQyxtQkFBbUIsRUFBRSxNQUFNLENBQUMsS0FBSyxDQUFDLG1CQUFtQixJQUFJLElBQUksQ0FBQztZQUM5RCxjQUFjLEVBQUUsS0FBSyxDQUFDLGNBQWMsSUFBSSxFQUFFO1lBQzFDLE1BQU0sRUFBRSxhQUFhO1lBQ3JCLElBQUksRUFBRSxVQUFVO1lBQ2hCLHVCQUF1QixFQUFFLE1BQU0sQ0FBQyx1QkFBdUIsQ0FBQztZQUN4RCxhQUFhLEVBQUUsS0FBSyxDQUFDLHNCQUFzQixFQUFFLFFBQVE7WUFDckQsbUJBQW1CLEVBQ2pCLElBQUksQ0FBQyxlQUFlLEVBQUUsWUFBWSxJQUFJLGVBQWUsb0JBQW9CLENBQUMsWUFBWSxFQUFFO1NBQzNGLENBQUM7UUFFRixJQUFJLDRCQUFjLENBQUMsSUFBSSxFQUFFLFVBQVUsRUFBRTtZQUNuQyxZQUFZLEVBQUUseUJBQXlCO1lBQ3ZDLFVBQVUsRUFBRSxrQkFBa0I7WUFDOUIsWUFBWSxFQUFFLGdCQUFnQixDQUFDLFlBQVk7U0FDNUMsQ0FBQyxDQUFDO1FBRUgsS0FBSyxDQUFDLGVBQWUsRUFBRSxPQUFPLENBQUMsQ0FBQyxTQUFTLEVBQUUsRUFBRTtZQUMzQyxTQUFTLENBQUMsSUFBSSxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUNyQyxDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRCxnQkFBZ0I7SUFDaEIsSUFBSSxnQkFBZ0I7UUFDbEIsT0FBTyxJQUFJLENBQUMsZUFBZSxDQUFDO0lBQzlCLENBQUM7O0FBN0lILDBDQThJQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IGpvaW4gfSBmcm9tICdwYXRoJztcbmltcG9ydCB7IEFubm90YXRpb25zLCBBc3BlY3RzLCBDdXN0b21SZXNvdXJjZSwgRHVyYXRpb24sIFN0YWNrIH0gZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0IHsgSVJlcG9zaXRvcnkgfSBmcm9tICdhd3MtY2RrLWxpYi9hd3MtZWNyJztcbmltcG9ydCB7IFBvbGljeVN0YXRlbWVudCB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1pYW0nO1xuaW1wb3J0IHsgQXJjaGl0ZWN0dXJlLCBDb2RlLCBSdW50aW1lLCBTaW5nbGV0b25GdW5jdGlvbiB9IGZyb20gJ2F3cy1jZGstbGliL2F3cy1sYW1iZGEnO1xuaW1wb3J0IHsgSUxvZ0dyb3VwIH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWxvZ3MnO1xuaW1wb3J0IHsgSVRvcGljIH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLXNucyc7XG5pbXBvcnQgeyBQcm92aWRlciB9IGZyb20gJ2F3cy1jZGstbGliL2N1c3RvbS1yZXNvdXJjZXMnO1xuaW1wb3J0IHsgQ29uc3RydWN0LCBJQ29uc3RydWN0IH0gZnJvbSAnY29uc3RydWN0cyc7XG5pbXBvcnQgeyBTY2FubmVyQ3VzdG9tUmVzb3VyY2VQcm9wcyB9IGZyb20gJy4vY3VzdG9tLXJlc291cmNlLXByb3BzJztcbmltcG9ydCB7IFNib21PdXRwdXQgfSBmcm9tICcuL3Nib20tb3V0cHV0JztcbmltcG9ydCB7IFNjYW5Db25maWcgfSBmcm9tICcuL3NjYW4tY29uZmlnJztcbmltcG9ydCB7IFNjYW5Mb2dzT3V0cHV0IH0gZnJvbSAnLi9zY2FuLWxvZ3Mtb3V0cHV0JztcbmltcG9ydCB7IFNldmVyaXR5IH0gZnJvbSAnLi90eXBlcyc7XG5cbi8qKlxuICogUHJvcGVydGllcyBmb3IgRWNyU2NhblZlcmlmaWVyIENvbnN0cnVjdC5cbiAqL1xuZXhwb3J0IGludGVyZmFjZSBFY3JTY2FuVmVyaWZpZXJQcm9wcyB7XG4gIC8qKlxuICAgKiBFQ1IgUmVwb3NpdG9yeSB0byBzY2FuLlxuICAgKi9cbiAgcmVhZG9ubHkgcmVwb3NpdG9yeTogSVJlcG9zaXRvcnk7XG5cbiAgLyoqXG4gICAqIEltYWdlIHRhZyBvciBkaWdlc3QgdG8gc2Nhbi5cbiAgICpcbiAgICogWW91IGNhbiBzcGVjaWZ5IGEgdGFnIChlLmcuLCAndjEuMCcsICdsYXRlc3QnKSBvciBhIGRpZ2VzdCAoZS5nLiwgJ3NoYTI1NjphYmMxMjMuLi4nKS5cbiAgICogSWYgdGhlIHZhbHVlIHN0YXJ0cyB3aXRoICdzaGEyNTY6JywgaXQgaXMgdHJlYXRlZCBhcyBhIGRpZ2VzdC5cbiAgICpcbiAgICogQGRlZmF1bHQgJ2xhdGVzdCdcbiAgICovXG4gIHJlYWRvbmx5IGltYWdlVGFnPzogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBTY2FuIGNvbmZpZ3VyYXRpb246IGJhc2ljIChFQ1IgbmF0aXZlKSBvciBlbmhhbmNlZCAoQW1hem9uIEluc3BlY3RvcikuXG4gICAqXG4gICAqIFVzZSBgU2NhbkNvbmZpZy5iYXNpYygpYCBmb3IgRUNSIG5hdGl2ZSBiYXNpYyBzY2FubmluZyxcbiAgICogb3IgYFNjYW5Db25maWcuZW5oYW5jZWQoKWAgZm9yIEFtYXpvbiBJbnNwZWN0b3IgZW5oYW5jZWQgc2Nhbm5pbmcuXG4gICAqL1xuICByZWFkb25seSBzY2FuQ29uZmlnOiBTY2FuQ29uZmlnO1xuXG4gIC8qKlxuICAgKiBTZXZlcml0eSB0aHJlc2hvbGQgZm9yIHZ1bG5lcmFiaWxpdHkgZGV0ZWN0aW9uLlxuICAgKlxuICAgKiBJZiB2dWxuZXJhYmlsaXRpZXMgYXQgb3IgYWJvdmUgYW55IG9mIHRoZSBzcGVjaWZpZWQgc2V2ZXJpdHkgbGV2ZWxzIGFyZSBmb3VuZCxcbiAgICogdGhlIHNjYW4gd2lsbCBiZSBjb25zaWRlcmVkIGFzIGhhdmluZyBmb3VuZCB2dWxuZXJhYmlsaXRpZXMuXG4gICAqXG4gICAqIEBkZWZhdWx0IFtTZXZlcml0eS5DUklUSUNBTF1cbiAgICovXG4gIHJlYWRvbmx5IHNldmVyaXR5PzogU2V2ZXJpdHlbXTtcblxuICAvKipcbiAgICogV2hldGhlciB0byBmYWlsIHRoZSBDbG91ZEZvcm1hdGlvbiBkZXBsb3ltZW50IGlmIHZ1bG5lcmFiaWxpdGllcyBhcmUgZGV0ZWN0ZWRcbiAgICogYWJvdmUgdGhlIHNldmVyaXR5IHRocmVzaG9sZC5cbiAgICpcbiAgICogQGRlZmF1bHQgdHJ1ZVxuICAgKi9cbiAgcmVhZG9ubHkgZmFpbE9uVnVsbmVyYWJpbGl0eT86IGJvb2xlYW47XG5cbiAgLyoqXG4gICAqIEZpbmRpbmcgSURzIHRvIGlnbm9yZSBkdXJpbmcgdnVsbmVyYWJpbGl0eSBldmFsdWF0aW9uLlxuICAgKlxuICAgKiBGb3IgYmFzaWMgc2Nhbm5pbmc6IENWRSBJRHMgKGUuZy4sICdDVkUtMjAyMy0zNzkyMCcpXG4gICAqIEZvciBlbmhhbmNlZCBzY2FubmluZzogZmluZGluZyBBUk5zIG9yIENWRSBJRHNcbiAgICpcbiAgICogQGRlZmF1bHQgLSBubyBmaW5kaW5ncyBpZ25vcmVkXG4gICAqL1xuICByZWFkb25seSBpZ25vcmVGaW5kaW5ncz86IHN0cmluZ1tdO1xuXG4gIC8qKlxuICAgKiBDb25maWd1cmF0aW9uIGZvciBzY2FuIGxvZ3Mgb3V0cHV0LlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIHNjYW4gbG9ncyBvdXRwdXQgdG8gZGVmYXVsdCBsb2cgZ3JvdXAgY3JlYXRlZCBieSBTY2FubmVyIExhbWJkYS5cbiAgICovXG4gIHJlYWRvbmx5IHNjYW5Mb2dzT3V0cHV0PzogU2NhbkxvZ3NPdXRwdXQ7XG5cbiAgLyoqXG4gICAqIFNCT00gKFNvZnR3YXJlIEJpbGwgb2YgTWF0ZXJpYWxzKSBvdXRwdXQgY29uZmlndXJhdGlvbi5cbiAgICpcbiAgICogU0JPTSBleHBvcnQgdXNlcyBBbWF6b24gSW5zcGVjdG9yJ3MgQ3JlYXRlU2JvbUV4cG9ydCBBUEkgdG8gZ2VuZXJhdGUgU0JPTVxuICAgKiBhbmQgdXBsb2FkcyBpdCB0byBTMy5cbiAgICpcbiAgICogKipOb3RlKio6IFNCT00gZXhwb3J0IGlzIG9ubHkgYXZhaWxhYmxlIHdpdGggRW5oYW5jZWQgc2Nhbm5pbmcgKEFtYXpvbiBJbnNwZWN0b3IpLlxuICAgKiBVc2luZyB3aXRoIEJhc2ljIHNjYW5uaW5nIHdpbGwgdGhyb3cgYW4gZXJyb3IuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gbm8gU0JPTSBvdXRwdXRcbiAgICovXG4gIHJlYWRvbmx5IHNib21PdXRwdXQ/OiBTYm9tT3V0cHV0O1xuXG4gIC8qKlxuICAgKiBUaGUgU2Nhbm5lciBMYW1iZGEgZnVuY3Rpb24ncyBkZWZhdWx0IGxvZyBncm91cC5cbiAgICpcbiAgICogSWYgeW91IHVzZSBFY3JTY2FuVmVyaWZpZXIgY29uc3RydWN0IG11bHRpcGxlIHRpbWVzIGluIHRoZSBzYW1lIHN0YWNrLFxuICAgKiB5b3UgbXVzdCBzcGVjaWZ5IHRoZSBzYW1lIGxvZyBncm91cCBmb3IgZWFjaCBjb25zdHJ1Y3QuXG4gICAqXG4gICAqIEBkZWZhdWx0IC0gU2Nhbm5lciBMYW1iZGEgY3JlYXRlcyB0aGUgZGVmYXVsdCBsb2cgZ3JvdXAuXG4gICAqL1xuICByZWFkb25seSBkZWZhdWx0TG9nR3JvdXA/OiBJTG9nR3JvdXA7XG5cbiAgLyoqXG4gICAqIFN1cHByZXNzIGVycm9ycyBkdXJpbmcgcm9sbGJhY2sgc2Nhbm5lciBMYW1iZGEgZXhlY3V0aW9uLlxuICAgKlxuICAgKiBAZGVmYXVsdCB0cnVlXG4gICAqL1xuICByZWFkb25seSBzdXBwcmVzc0Vycm9yT25Sb2xsYmFjaz86IGJvb2xlYW47XG5cbiAgLyoqXG4gICAqIFNOUyB0b3BpYyBmb3IgdnVsbmVyYWJpbGl0eSBub3RpZmljYXRpb24uXG4gICAqXG4gICAqIFN1cHBvcnRzIEFXUyBDaGF0Ym90IG1lc3NhZ2UgZm9ybWF0LlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIG5vdGlmaWNhdGlvblxuICAgKi9cbiAgcmVhZG9ubHkgdnVsbnNOb3RpZmljYXRpb25Ub3BpYz86IElUb3BpYztcblxuICAvKipcbiAgICogQ29uc3RydWN0cyB0byBibG9jayBpZiB2dWxuZXJhYmlsaXRpZXMgYXJlIGRldGVjdGVkLlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIGNvbnN0cnVjdHMgdG8gYmxvY2tcbiAgICovXG4gIHJlYWRvbmx5IGJsb2NrQ29uc3RydWN0cz86IElDb25zdHJ1Y3RbXTtcbn1cblxuLyoqXG4gKiBBIENvbnN0cnVjdCB0aGF0IHZlcmlmaWVzIGNvbnRhaW5lciBpbWFnZSBzY2FuIGZpbmRpbmdzIHdpdGggRUNSIGltYWdlIHNjYW5uaW5nLlxuICogSXQgdXNlcyBhIExhbWJkYSBmdW5jdGlvbiBhcyBhIEN1c3RvbSBSZXNvdXJjZSBwcm92aWRlciB0byBjYWxsIEVDUiBzY2FuIEFQSXNcbiAqIGFuZCBldmFsdWF0ZSBzY2FuIGZpbmRpbmdzLlxuICovXG5leHBvcnQgY2xhc3MgRWNyU2NhblZlcmlmaWVyIGV4dGVuZHMgQ29uc3RydWN0IHtcbiAgcHJpdmF0ZSByZWFkb25seSBkZWZhdWx0TG9nR3JvdXA/OiBJTG9nR3JvdXA7XG5cbiAgY29uc3RydWN0b3Ioc2NvcGU6IENvbnN0cnVjdCwgaWQ6IHN0cmluZywgcHJvcHM6IEVjclNjYW5WZXJpZmllclByb3BzKSB7XG4gICAgc3VwZXIoc2NvcGUsIGlkKTtcblxuICAgIHRoaXMuZGVmYXVsdExvZ0dyb3VwID0gcHJvcHMuZGVmYXVsdExvZ0dyb3VwO1xuICAgIGNvbnN0IGxhbWJkYVB1cnBvc2UgPSAnQ3VzdG9tOjpFY3JTY2FuVmVyaWZpZXJDdXN0b21SZXNvdXJjZUxhbWJkYSc7XG5cbiAgICBjb25zdCBjdXN0b21SZXNvdXJjZUxhbWJkYSA9IG5ldyBTaW5nbGV0b25GdW5jdGlvbih0aGlzLCAnQ3VzdG9tUmVzb3VyY2VMYW1iZGEnLCB7XG4gICAgICB1dWlkOiAnYzU2Y2VlNmItNjc3NS01NDFiLWQxNzktYzE1MzVkODhhMGM4JyxcbiAgICAgIGxhbWJkYVB1cnBvc2UsXG4gICAgICBydW50aW1lOiBSdW50aW1lLk5PREVKU18yMl9YLFxuICAgICAgaGFuZGxlcjogJ2luZGV4LmhhbmRsZXInLFxuICAgICAgY29kZTogQ29kZS5mcm9tQXNzZXQoam9pbihfX2Rpcm5hbWUsICcuLi9hc3NldHMvbGFtYmRhL2Rpc3QnKSwge1xuICAgICAgICAvLyBleGNsdWRlIG5vZGVfbW9kdWxlc1xuICAgICAgICAvLyBiZWNhdXNlIHRoZSBuYXRpdmUgYmluYXJ5IG9mIHRoZSBpbnN0YWxsZWQgZXNidWlsZCBjaGFuZ2VzIGRlcGVuZGluZyBvbiB0aGUgY3B1IGFyY2hpdGVjdHVyZVxuICAgICAgICAvLyBhbmQgdGhlIGhhc2ggdmFsdWUgb2YgdGhlIGltYWdlIGFzc2V0IGNoYW5nZXMgZGVwZW5kaW5nIG9uIHRoZSBleGVjdXRpb24gZW52aXJvbm1lbnQuXG4gICAgICAgIGV4Y2x1ZGU6IFsnbm9kZV9tb2R1bGVzJ10sXG4gICAgICB9KSxcbiAgICAgIGFyY2hpdGVjdHVyZTogQXJjaGl0ZWN0dXJlLkFSTV82NCxcbiAgICAgIHRpbWVvdXQ6IER1cmF0aW9uLnNlY29uZHMoOTAwKSxcbiAgICAgIHJldHJ5QXR0ZW1wdHM6IDAsXG4gICAgICBsb2dHcm91cDogdGhpcy5kZWZhdWx0TG9nR3JvdXAsXG4gICAgfSk7XG5cbiAgICBjb25zdCBpbWFnZVRhZyA9IHByb3BzLmltYWdlVGFnID8/ICdsYXRlc3QnO1xuXG4gICAgY29uc3Qgc2NhbkNvbmZpZ091dHB1dCA9IHByb3BzLnNjYW5Db25maWcuYmluZCgpO1xuICAgIC8vIFZhbGlkYXRlOiBTQk9NIG91dHB1dCByZXF1aXJlcyBFbmhhbmNlZCBzY2FubmluZ1xuICAgIGlmIChwcm9wcy5zYm9tT3V0cHV0ICYmIHNjYW5Db25maWdPdXRwdXQuc2NhblR5cGUgPT09ICdCQVNJQycpIHtcbiAgICAgIHRocm93IG5ldyBFcnJvcihcbiAgICAgICAgJ1NCT00gb3V0cHV0IGlzIG9ubHkgYXZhaWxhYmxlIHdpdGggRW5oYW5jZWQgc2Nhbm5pbmcgKFNjYW5Db25maWcuZW5oYW5jZWQoKSkuIEJhc2ljIHNjYW5uaW5nIGRvZXMgbm90IHN1cHBvcnQgU0JPTSBnZW5lcmF0aW9uLicsXG4gICAgICApO1xuICAgIH1cblxuICAgIGNvbnN0IG91dHB1dE9wdGlvbnMgPSBwcm9wcy5zY2FuTG9nc091dHB1dD8uYmluZChjdXN0b21SZXNvdXJjZUxhbWJkYSk7XG5cbiAgICAvLyBTQk9NIG91dHB1dCAoaW5kZXBlbmRlbnQgZnJvbSBzY2FuIGxvZ3MpXG4gICAgY29uc3Qgc2JvbUNvbmZpZyA9IHByb3BzLnNib21PdXRwdXQ/LmJpbmQoY3VzdG9tUmVzb3VyY2VMYW1iZGEpO1xuXG4gICAgLy8gRUNSIHNjYW4gcGVybWlzc2lvbnNcbiAgICBjdXN0b21SZXNvdXJjZUxhbWJkYS5hZGRUb1JvbGVQb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogWydlY3I6RGVzY3JpYmVJbWFnZVNjYW5GaW5kaW5ncycsICdlY3I6RGVzY3JpYmVJbWFnZXMnXSxcbiAgICAgICAgcmVzb3VyY2VzOiBbcHJvcHMucmVwb3NpdG9yeS5yZXBvc2l0b3J5QXJuXSxcbiAgICAgIH0pLFxuICAgICk7XG5cbiAgICBpZiAoc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSA9PT0gJ0VOSEFOQ0VEJykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2luc3BlY3RvcjI6TGlzdENvdmVyYWdlJywgJ2luc3BlY3RvcjI6TGlzdEZpbmRpbmdzJ10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgICAgfSksXG4gICAgICApO1xuICAgIH1cblxuICAgIGlmIChzY2FuQ29uZmlnT3V0cHV0LnN0YXJ0U2Nhbikge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2VjcjpTdGFydEltYWdlU2NhbiddLFxuICAgICAgICAgIHJlc291cmNlczogW3Byb3BzLnJlcG9zaXRvcnkucmVwb3NpdG9yeUFybl0sXG4gICAgICAgIH0pLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICAvLyBTQk9NIGV4cG9ydCBwZXJtaXNzaW9ucyAoSW5zcGVjdG9yIENyZWF0ZVNib21FeHBvcnQpXG4gICAgaWYgKHNib21Db25maWcpIHtcbiAgICAgIGN1c3RvbVJlc291cmNlTGFtYmRhLmFkZFRvUm9sZVBvbGljeShcbiAgICAgICAgbmV3IFBvbGljeVN0YXRlbWVudCh7XG4gICAgICAgICAgYWN0aW9uczogWydpbnNwZWN0b3IyOkNyZWF0ZVNib21FeHBvcnQnLCAnaW5zcGVjdG9yMjpHZXRTYm9tRXhwb3J0J10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbJyonXSxcbiAgICAgICAgfSksXG4gICAgICApO1xuICAgIH1cblxuICAgIGlmIChwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljKSB7XG4gICAgICBwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljLmdyYW50UHVibGlzaChjdXN0b21SZXNvdXJjZUxhbWJkYSk7XG4gICAgfVxuXG4gICAgY29uc3Qgc3VwcHJlc3NFcnJvck9uUm9sbGJhY2sgPSBwcm9wcy5zdXBwcmVzc0Vycm9yT25Sb2xsYmFjayA/PyB0cnVlO1xuICAgIGlmIChzdXBwcmVzc0Vycm9yT25Sb2xsYmFjaykge1xuICAgICAgY3VzdG9tUmVzb3VyY2VMYW1iZGEuYWRkVG9Sb2xlUG9saWN5KFxuICAgICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgICBhY3Rpb25zOiBbJ2Nsb3VkZm9ybWF0aW9uOkRlc2NyaWJlU3RhY2tzJ10sXG4gICAgICAgICAgcmVzb3VyY2VzOiBbU3RhY2sub2YodGhpcykuc3RhY2tJZF0sXG4gICAgICAgIH0pLFxuICAgICAgKTtcbiAgICB9XG5cbiAgICAvLyBDaGVjayBmb3IgZGVmYXVsdExvZ0dyb3VwIGNvbnNpc3RlbmN5IGFjcm9zcyBtdWx0aXBsZSBpbnN0YW5jZXMgaW4gdGhlIHNhbWUgc3RhY2tcbiAgICBBc3BlY3RzLm9mKFN0YWNrLm9mKHRoaXMpKS5hZGQoe1xuICAgICAgdmlzaXQ6IChub2RlKSA9PiB7XG4gICAgICAgIGlmIChcbiAgICAgICAgICBub2RlIGluc3RhbmNlb2YgRWNyU2NhblZlcmlmaWVyICYmXG4gICAgICAgICAgbm9kZS5fZGVmYXVsdExvZ0dyb3VwPy5ub2RlLnBhdGggIT09IHRoaXMuZGVmYXVsdExvZ0dyb3VwPy5ub2RlLnBhdGhcbiAgICAgICAgKSB7XG4gICAgICAgICAgQW5ub3RhdGlvbnMub2YodGhpcykuYWRkV2FybmluZ1YyKFxuICAgICAgICAgICAgJ0BlY3Itc2Nhbi12ZXJpZmllcjpkdXBsaWNhdGVMYW1iZGFEZWZhdWx0TG9nR3JvdXAnLFxuICAgICAgICAgICAgXCJZb3UgaGF2ZSB0byBzZXQgdGhlIHNhbWUgbG9nIGdyb3VwIGZvciAnZGVmYXVsdExvZ0dyb3VwJyBmb3IgZWFjaCBFY3JTY2FuVmVyaWZpZXIgY29uc3RydWN0IGluIHRoZSBzYW1lIHN0YWNrLlwiLFxuICAgICAgICAgICk7XG4gICAgICAgIH1cbiAgICAgIH0sXG4gICAgfSk7XG5cbiAgICBjb25zdCB2ZXJpZmllclByb3ZpZGVyID0gbmV3IFByb3ZpZGVyKHRoaXMsICdQcm92aWRlcicsIHtcbiAgICAgIG9uRXZlbnRIYW5kbGVyOiBjdXN0b21SZXNvdXJjZUxhbWJkYSxcbiAgICB9KTtcblxuICAgIGNvbnN0IHZlcmlmaWVyUHJvcGVydGllczogU2Nhbm5lckN1c3RvbVJlc291cmNlUHJvcHMgPSB7XG4gICAgICBhZGRyOiB0aGlzLm5vZGUuYWRkcixcbiAgICAgIHJlcG9zaXRvcnlOYW1lOiBwcm9wcy5yZXBvc2l0b3J5LnJlcG9zaXRvcnlOYW1lLFxuICAgICAgaW1hZ2VUYWcsXG4gICAgICBzY2FuVHlwZTogc2NhbkNvbmZpZ091dHB1dC5zY2FuVHlwZSxcbiAgICAgIHN0YXJ0U2NhbjogU3RyaW5nKHNjYW5Db25maWdPdXRwdXQuc3RhcnRTY2FuKSxcbiAgICAgIHNldmVyaXR5OiBwcm9wcy5zZXZlcml0eSA/PyBbU2V2ZXJpdHkuQ1JJVElDQUxdLFxuICAgICAgZmFpbE9uVnVsbmVyYWJpbGl0eTogU3RyaW5nKHByb3BzLmZhaWxPblZ1bG5lcmFiaWxpdHkgPz8gdHJ1ZSksXG4gICAgICBpZ25vcmVGaW5kaW5nczogcHJvcHMuaWdub3JlRmluZGluZ3MgPz8gW10sXG4gICAgICBvdXRwdXQ6IG91dHB1dE9wdGlvbnMsXG4gICAgICBzYm9tOiBzYm9tQ29uZmlnLFxuICAgICAgc3VwcHJlc3NFcnJvck9uUm9sbGJhY2s6IFN0cmluZyhzdXBwcmVzc0Vycm9yT25Sb2xsYmFjayksXG4gICAgICB2dWxuc1RvcGljQXJuOiBwcm9wcy52dWxuc05vdGlmaWNhdGlvblRvcGljPy50b3BpY0FybixcbiAgICAgIGRlZmF1bHRMb2dHcm91cE5hbWU6XG4gICAgICAgIHRoaXMuZGVmYXVsdExvZ0dyb3VwPy5sb2dHcm91cE5hbWUgPz8gYC9hd3MvbGFtYmRhLyR7Y3VzdG9tUmVzb3VyY2VMYW1iZGEuZnVuY3Rpb25OYW1lfWAsXG4gICAgfTtcblxuICAgIG5ldyBDdXN0b21SZXNvdXJjZSh0aGlzLCAnUmVzb3VyY2UnLCB7XG4gICAgICByZXNvdXJjZVR5cGU6ICdDdXN0b206OkVjclNjYW5WZXJpZmllcicsXG4gICAgICBwcm9wZXJ0aWVzOiB2ZXJpZmllclByb3BlcnRpZXMsXG4gICAgICBzZXJ2aWNlVG9rZW46IHZlcmlmaWVyUHJvdmlkZXIuc2VydmljZVRva2VuLFxuICAgIH0pO1xuXG4gICAgcHJvcHMuYmxvY2tDb25zdHJ1Y3RzPy5mb3JFYWNoKChjb25zdHJ1Y3QpID0+IHtcbiAgICAgIGNvbnN0cnVjdC5ub2RlLmFkZERlcGVuZGVuY3kodGhpcyk7XG4gICAgfSk7XG4gIH1cblxuICAvKiogQGludGVybmFsICovXG4gIGdldCBfZGVmYXVsdExvZ0dyb3VwKCk6IElMb2dHcm91cCB8IHVuZGVmaW5lZCB7XG4gICAgcmV0dXJuIHRoaXMuZGVmYXVsdExvZ0dyb3VwO1xuICB9XG59XG4iXX0=

package/lib/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export * from './ecr-scan-verifier';
+export * from './scan-config';
+export * from './scan-logs-output';
+export * from './sbom-output';
+export * from './types';

package/lib/index.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./ecr-scan-verifier"), exports);
+__exportStar(require("./scan-config"), exports);
+__exportStar(require("./scan-logs-output"), exports);
+__exportStar(require("./sbom-output"), exports);
+__exportStar(require("./types"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLHNEQUFvQztBQUNwQyxnREFBOEI7QUFDOUIscURBQW1DO0FBQ25DLGdEQUE4QjtBQUM5QiwwQ0FBd0IiLCJzb3VyY2VzQ29udGVudCI6WyJleHBvcnQgKiBmcm9tICcuL2Vjci1zY2FuLXZlcmlmaWVyJztcbmV4cG9ydCAqIGZyb20gJy4vc2Nhbi1jb25maWcnO1xuZXhwb3J0ICogZnJvbSAnLi9zY2FuLWxvZ3Mtb3V0cHV0JztcbmV4cG9ydCAqIGZyb20gJy4vc2JvbS1vdXRwdXQnO1xuZXhwb3J0ICogZnJvbSAnLi90eXBlcyc7XG4iXX0=

package/lib/sbom-output.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import { IGrantable } from 'aws-cdk-lib/aws-iam';
+import { IKey } from 'aws-cdk-lib/aws-kms';
+import { IBucket } from 'aws-cdk-lib/aws-s3';
+import { SbomFormat } from './types';
+/**
+ * Output of SbomOutput.bind().
+ */
+export interface SbomOutputConfig {
+    /**
+     * The SBOM format.
+     */
+    readonly format: SbomFormat;
+    /**
+     * The S3 bucket name for SBOM output.
+     */
+    readonly bucketName: string;
+    /**
+     * Optional prefix for S3 objects.
+     */
+    readonly prefix?: string;
+    /**
+     * The KMS key ARN for encrypting SBOM output in S3.
+     */
+    readonly kmsKeyArn: string;
+}
+/**
+ * Properties for SBOM output.
+ */
+export interface SbomOutputProps {
+    /**
+     * The S3 bucket to output SBOM.
+     *
+     * The bucket is used as the destination for Amazon Inspector's
+     * CreateSbomExport API and for storing the final SBOM file.
+     */
+    readonly bucket: IBucket;
+    /**
+     * Optional prefix for S3 objects.
+     *
+     * @default - no prefix
+     */
+    readonly prefix?: string;
+    /**
+     * The KMS key used to encrypt the SBOM report in S3.
+     *
+     * Amazon Inspector's CreateSbomExport API requires a customer managed
+     * symmetric encryption KMS key. AWS managed keys are not supported.
+     *
+     * The construct automatically adds the required key policy for
+     * the `inspector2.amazonaws.com` service principal.
+     */
+    readonly encryptionKey: IKey;
+}
+/**
+ * Configuration for SBOM (Software Bill of Materials) output.
+ *
+ * SBOM export is only available with Enhanced scanning (Amazon Inspector).
+ * Uses the Inspector CreateSbomExport API to generate SBOM and uploads it to S3.
+ *
+ * **Note**: Using with Basic scanning will throw an error.
+ */
+export declare abstract class SbomOutput {
+    /**
+     * Output SBOM in CycloneDX 1.4 JSON format.
+     */
+    static cycloneDx14(props: SbomOutputProps): SbomOutput;
+    /**
+     * Output SBOM in SPDX 2.3 JSON format.
+     */
+    static spdx23(props: SbomOutputProps): SbomOutput;
+    /**
+     * Returns the SBOM output configuration.
+     */
+    abstract bind(grantee: IGrantable): SbomOutputConfig;
+}

package/lib/sbom-output.js ADDED Viewed

@@ -0,0 +1,78 @@
+"use strict";
+var _a;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SbomOutput = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+const aws_cdk_lib_1 = require("aws-cdk-lib");
+const aws_iam_1 = require("aws-cdk-lib/aws-iam");
+const types_1 = require("./types");
+/**
+ * Configuration for SBOM (Software Bill of Materials) output.
+ *
+ * SBOM export is only available with Enhanced scanning (Amazon Inspector).
+ * Uses the Inspector CreateSbomExport API to generate SBOM and uploads it to S3.
+ *
+ * **Note**: Using with Basic scanning will throw an error.
+ */
+class SbomOutput {
+    /**
+     * Output SBOM in CycloneDX 1.4 JSON format.
+     */
+    static cycloneDx14(props) {
+        return new SbomOutputImpl(props, types_1.SbomFormat.CYCLONEDX_1_4);
+    }
+    /**
+     * Output SBOM in SPDX 2.3 JSON format.
+     */
+    static spdx23(props) {
+        return new SbomOutputImpl(props, types_1.SbomFormat.SPDX_2_3);
+    }
+}
+exports.SbomOutput = SbomOutput;
+_a = JSII_RTTI_SYMBOL_1;
+SbomOutput[_a] = { fqn: "ecr-scan-verifier.SbomOutput", version: "0.0.0" };
+class SbomOutputImpl extends SbomOutput {
+    constructor(props, format) {
+        super();
+        this.bucket = props.bucket;
+        this.prefix = props.prefix;
+        this.encryptionKey = props.encryptionKey;
+        this.format = format;
+    }
+    bind(grantee) {
+        this.bucket.grantReadWrite(grantee);
+        const account = aws_cdk_lib_1.Stack.of(this.bucket).account;
+        // Inspector2 CreateSbomExport writes SBOM directly to the S3 bucket.
+        // The service needs a bucket policy to allow PutObject.
+        this.bucket.addToResourcePolicy(new aws_iam_1.PolicyStatement({
+            actions: ['s3:PutObject', 's3:AbortMultipartUpload'],
+            principals: [new aws_iam_1.ServicePrincipal('inspector2.amazonaws.com')],
+            resources: [this.bucket.arnForObjects('*')],
+            conditions: {
+                StringEquals: {
+                    'aws:SourceAccount': account,
+                },
+            },
+        }));
+        // Inspector2 needs kms:Decrypt and kms:GenerateDataKey* to encrypt the SBOM report.
+        this.encryptionKey.addToResourcePolicy(new aws_iam_1.PolicyStatement({
+            actions: ['kms:Decrypt', 'kms:GenerateDataKey*'],
+            principals: [new aws_iam_1.ServicePrincipal('inspector2.amazonaws.com')],
+            resources: ['*'],
+            conditions: {
+                StringEquals: {
+                    'aws:SourceAccount': account,
+                },
+            },
+        }));
+        // Lambda needs to decrypt the SBOM to download it from S3.
+        this.encryptionKey.grantDecrypt(grantee);
+        return {
+            format: this.format,
+            bucketName: this.bucket.bucketName,
+            prefix: this.prefix,
+            kmsKeyArn: this.encryptionKey.keyArn,
+        };
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2JvbS1vdXRwdXQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvc2JvbS1vdXRwdXQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFBQSw2Q0FBb0M7QUFDcEMsaURBQW9GO0FBR3BGLG1DQUFxQztBQTBEckM7Ozs7Ozs7R0FPRztBQUNILE1BQXNCLFVBQVU7SUFDOUI7O09BRUc7SUFDSSxNQUFNLENBQUMsV0FBVyxDQUFDLEtBQXNCO1FBQzlDLE9BQU8sSUFBSSxjQUFjLENBQUMsS0FBSyxFQUFFLGtCQUFVLENBQUMsYUFBYSxDQUFDLENBQUM7SUFDN0QsQ0FBQztJQUVEOztPQUVHO0lBQ0ksTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFzQjtRQUN6QyxPQUFPLElBQUksY0FBYyxDQUFDLEtBQUssRUFBRSxrQkFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO0lBQ3hELENBQUM7O0FBYkgsZ0NBbUJDOzs7QUFFRCxNQUFNLGNBQWUsU0FBUSxVQUFVO0lBTXJDLFlBQVksS0FBc0IsRUFBRSxNQUFrQjtRQUNwRCxLQUFLLEVBQUUsQ0FBQztRQUNSLElBQUksQ0FBQyxNQUFNLEdBQUcsS0FBSyxDQUFDLE1BQU0sQ0FBQztRQUMzQixJQUFJLENBQUMsTUFBTSxHQUFHLEtBQUssQ0FBQyxNQUFNLENBQUM7UUFDM0IsSUFBSSxDQUFDLGFBQWEsR0FBRyxLQUFLLENBQUMsYUFBYSxDQUFDO1FBQ3pDLElBQUksQ0FBQyxNQUFNLEdBQUcsTUFBTSxDQUFDO0lBQ3ZCLENBQUM7SUFFTSxJQUFJLENBQUMsT0FBbUI7UUFDN0IsSUFBSSxDQUFDLE1BQU0sQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFcEMsTUFBTSxPQUFPLEdBQUcsbUJBQUssQ0FBQyxFQUFFLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxDQUFDLE9BQU8sQ0FBQztRQUU5QyxxRUFBcUU7UUFDckUsd0RBQXdEO1FBQ3hELElBQUksQ0FBQyxNQUFNLENBQUMsbUJBQW1CLENBQzdCLElBQUkseUJBQWUsQ0FBQztZQUNsQixPQUFPLEVBQUUsQ0FBQyxjQUFjLEVBQUUseUJBQXlCLENBQUM7WUFDcEQsVUFBVSxFQUFFLENBQUMsSUFBSSwwQkFBZ0IsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO1lBQzlELFNBQVMsRUFBRSxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsYUFBYSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1lBQzNDLFVBQVUsRUFBRTtnQkFDVixZQUFZLEVBQUU7b0JBQ1osbUJBQW1CLEVBQUUsT0FBTztpQkFDN0I7YUFDRjtTQUNGLENBQUMsQ0FDSCxDQUFDO1FBRUYsb0ZBQW9GO1FBQ3BGLElBQUksQ0FBQyxhQUFhLENBQUMsbUJBQW1CLENBQ3BDLElBQUkseUJBQWUsQ0FBQztZQUNsQixPQUFPLEVBQUUsQ0FBQyxhQUFhLEVBQUUsc0JBQXNCLENBQUM7WUFDaEQsVUFBVSxFQUFFLENBQUMsSUFBSSwwQkFBZ0IsQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO1lBQzlELFNBQVMsRUFBRSxDQUFDLEdBQUcsQ0FBQztZQUNoQixVQUFVLEVBQUU7Z0JBQ1YsWUFBWSxFQUFFO29CQUNaLG1CQUFtQixFQUFFLE9BQU87aUJBQzdCO2FBQ0Y7U0FDRixDQUFDLENBQ0gsQ0FBQztRQUVGLDJEQUEyRDtRQUMzRCxJQUFJLENBQUMsYUFBYSxDQUFDLFlBQVksQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUV6QyxPQUFPO1lBQ0wsTUFBTSxFQUFFLElBQUksQ0FBQyxNQUFNO1lBQ25CLFVBQVUsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLFVBQVU7WUFDbEMsTUFBTSxFQUFFLElBQUksQ0FBQyxNQUFNO1lBQ25CLFNBQVMsRUFBRSxJQUFJLENBQUMsYUFBYSxDQUFDLE1BQU07U0FDckMsQ0FBQztJQUNKLENBQUM7Q0FDRiIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCB7IFN0YWNrIH0gZnJvbSAnYXdzLWNkay1saWInO1xuaW1wb3J0IHsgSUdyYW50YWJsZSwgUG9saWN5U3RhdGVtZW50LCBTZXJ2aWNlUHJpbmNpcGFsIH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWlhbSc7XG5pbXBvcnQgeyBJS2V5IH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLWttcyc7XG5pbXBvcnQgeyBJQnVja2V0IH0gZnJvbSAnYXdzLWNkay1saWIvYXdzLXMzJztcbmltcG9ydCB7IFNib21Gb3JtYXQgfSBmcm9tICcuL3R5cGVzJztcblxuLyoqXG4gKiBPdXRwdXQgb2YgU2JvbU91dHB1dC5iaW5kKCkuXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgU2JvbU91dHB1dENvbmZpZyB7XG4gIC8qKlxuICAgKiBUaGUgU0JPTSBmb3JtYXQuXG4gICAqL1xuICByZWFkb25seSBmb3JtYXQ6IFNib21Gb3JtYXQ7XG5cbiAgLyoqXG4gICAqIFRoZSBTMyBidWNrZXQgbmFtZSBmb3IgU0JPTSBvdXRwdXQuXG4gICAqL1xuICByZWFkb25seSBidWNrZXROYW1lOiBzdHJpbmc7XG5cbiAgLyoqXG4gICAqIE9wdGlvbmFsIHByZWZpeCBmb3IgUzMgb2JqZWN0cy5cbiAgICovXG4gIHJlYWRvbmx5IHByZWZpeD86IHN0cmluZztcblxuICAvKipcbiAgICogVGhlIEtNUyBrZXkgQVJOIGZvciBlbmNyeXB0aW5nIFNCT00gb3V0cHV0IGluIFMzLlxuICAgKi9cbiAgcmVhZG9ubHkga21zS2V5QXJuOiBzdHJpbmc7XG59XG5cbi8qKlxuICogUHJvcGVydGllcyBmb3IgU0JPTSBvdXRwdXQuXG4gKi9cbmV4cG9ydCBpbnRlcmZhY2UgU2JvbU91dHB1dFByb3BzIHtcbiAgLyoqXG4gICAqIFRoZSBTMyBidWNrZXQgdG8gb3V0cHV0IFNCT00uXG4gICAqXG4gICAqIFRoZSBidWNrZXQgaXMgdXNlZCBhcyB0aGUgZGVzdGluYXRpb24gZm9yIEFtYXpvbiBJbnNwZWN0b3Inc1xuICAgKiBDcmVhdGVTYm9tRXhwb3J0IEFQSSBhbmQgZm9yIHN0b3JpbmcgdGhlIGZpbmFsIFNCT00gZmlsZS5cbiAgICovXG4gIHJlYWRvbmx5IGJ1Y2tldDogSUJ1Y2tldDtcblxuICAvKipcbiAgICogT3B0aW9uYWwgcHJlZml4IGZvciBTMyBvYmplY3RzLlxuICAgKlxuICAgKiBAZGVmYXVsdCAtIG5vIHByZWZpeFxuICAgKi9cbiAgcmVhZG9ubHkgcHJlZml4Pzogc3RyaW5nO1xuXG4gIC8qKlxuICAgKiBUaGUgS01TIGtleSB1c2VkIHRvIGVuY3J5cHQgdGhlIFNCT00gcmVwb3J0IGluIFMzLlxuICAgKlxuICAgKiBBbWF6b24gSW5zcGVjdG9yJ3MgQ3JlYXRlU2JvbUV4cG9ydCBBUEkgcmVxdWlyZXMgYSBjdXN0b21lciBtYW5hZ2VkXG4gICAqIHN5bW1ldHJpYyBlbmNyeXB0aW9uIEtNUyBrZXkuIEFXUyBtYW5hZ2VkIGtleXMgYXJlIG5vdCBzdXBwb3J0ZWQuXG4gICAqXG4gICAqIFRoZSBjb25zdHJ1Y3QgYXV0b21hdGljYWxseSBhZGRzIHRoZSByZXF1aXJlZCBrZXkgcG9saWN5IGZvclxuICAgKiB0aGUgYGluc3BlY3RvcjIuYW1hem9uYXdzLmNvbWAgc2VydmljZSBwcmluY2lwYWwuXG4gICAqL1xuICByZWFkb25seSBlbmNyeXB0aW9uS2V5OiBJS2V5O1xufVxuXG4vKipcbiAqIENvbmZpZ3VyYXRpb24gZm9yIFNCT00gKFNvZnR3YXJlIEJpbGwgb2YgTWF0ZXJpYWxzKSBvdXRwdXQuXG4gKlxuICogU0JPTSBleHBvcnQgaXMgb25seSBhdmFpbGFibGUgd2l0aCBFbmhhbmNlZCBzY2FubmluZyAoQW1hem9uIEluc3BlY3RvcikuXG4gKiBVc2VzIHRoZSBJbnNwZWN0b3IgQ3JlYXRlU2JvbUV4cG9ydCBBUEkgdG8gZ2VuZXJhdGUgU0JPTSBhbmQgdXBsb2FkcyBpdCB0byBTMy5cbiAqXG4gKiAqKk5vdGUqKjogVXNpbmcgd2l0aCBCYXNpYyBzY2FubmluZyB3aWxsIHRocm93IGFuIGVycm9yLlxuICovXG5leHBvcnQgYWJzdHJhY3QgY2xhc3MgU2JvbU91dHB1dCB7XG4gIC8qKlxuICAgKiBPdXRwdXQgU0JPTSBpbiBDeWNsb25lRFggMS40IEpTT04gZm9ybWF0LlxuICAgKi9cbiAgcHVibGljIHN0YXRpYyBjeWNsb25lRHgxNChwcm9wczogU2JvbU91dHB1dFByb3BzKTogU2JvbU91dHB1dCB7XG4gICAgcmV0dXJuIG5ldyBTYm9tT3V0cHV0SW1wbChwcm9wcywgU2JvbUZvcm1hdC5DWUNMT05FRFhfMV80KTtcbiAgfVxuXG4gIC8qKlxuICAgKiBPdXRwdXQgU0JPTSBpbiBTUERYIDIuMyBKU09OIGZvcm1hdC5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgc3BkeDIzKHByb3BzOiBTYm9tT3V0cHV0UHJvcHMpOiBTYm9tT3V0cHV0IHtcbiAgICByZXR1cm4gbmV3IFNib21PdXRwdXRJbXBsKHByb3BzLCBTYm9tRm9ybWF0LlNQRFhfMl8zKTtcbiAgfVxuXG4gIC8qKlxuICAgKiBSZXR1cm5zIHRoZSBTQk9NIG91dHB1dCBjb25maWd1cmF0aW9uLlxuICAgKi9cbiAgcHVibGljIGFic3RyYWN0IGJpbmQoZ3JhbnRlZTogSUdyYW50YWJsZSk6IFNib21PdXRwdXRDb25maWc7XG59XG5cbmNsYXNzIFNib21PdXRwdXRJbXBsIGV4dGVuZHMgU2JvbU91dHB1dCB7XG4gIHByaXZhdGUgcmVhZG9ubHkgYnVja2V0OiBJQnVja2V0O1xuICBwcml2YXRlIHJlYWRvbmx5IHByZWZpeD86IHN0cmluZztcbiAgcHJpdmF0ZSByZWFkb25seSBlbmNyeXB0aW9uS2V5OiBJS2V5O1xuICBwcml2YXRlIHJlYWRvbmx5IGZvcm1hdDogU2JvbUZvcm1hdDtcblxuICBjb25zdHJ1Y3Rvcihwcm9wczogU2JvbU91dHB1dFByb3BzLCBmb3JtYXQ6IFNib21Gb3JtYXQpIHtcbiAgICBzdXBlcigpO1xuICAgIHRoaXMuYnVja2V0ID0gcHJvcHMuYnVja2V0O1xuICAgIHRoaXMucHJlZml4ID0gcHJvcHMucHJlZml4O1xuICAgIHRoaXMuZW5jcnlwdGlvbktleSA9IHByb3BzLmVuY3J5cHRpb25LZXk7XG4gICAgdGhpcy5mb3JtYXQgPSBmb3JtYXQ7XG4gIH1cblxuICBwdWJsaWMgYmluZChncmFudGVlOiBJR3JhbnRhYmxlKTogU2JvbU91dHB1dENvbmZpZyB7XG4gICAgdGhpcy5idWNrZXQuZ3JhbnRSZWFkV3JpdGUoZ3JhbnRlZSk7XG5cbiAgICBjb25zdCBhY2NvdW50ID0gU3RhY2sub2YodGhpcy5idWNrZXQpLmFjY291bnQ7XG5cbiAgICAvLyBJbnNwZWN0b3IyIENyZWF0ZVNib21FeHBvcnQgd3JpdGVzIFNCT00gZGlyZWN0bHkgdG8gdGhlIFMzIGJ1Y2tldC5cbiAgICAvLyBUaGUgc2VydmljZSBuZWVkcyBhIGJ1Y2tldCBwb2xpY3kgdG8gYWxsb3cgUHV0T2JqZWN0LlxuICAgIHRoaXMuYnVja2V0LmFkZFRvUmVzb3VyY2VQb2xpY3koXG4gICAgICBuZXcgUG9saWN5U3RhdGVtZW50KHtcbiAgICAgICAgYWN0aW9uczogWydzMzpQdXRPYmplY3QnLCAnczM6QWJvcnRNdWx0aXBhcnRVcGxvYWQnXSxcbiAgICAgICAgcHJpbmNpcGFsczogW25ldyBTZXJ2aWNlUHJpbmNpcGFsKCdpbnNwZWN0b3IyLmFtYXpvbmF3cy5jb20nKV0sXG4gICAgICAgIHJlc291cmNlczogW3RoaXMuYnVja2V0LmFybkZvck9iamVjdHMoJyonKV0sXG4gICAgICAgIGNvbmRpdGlvbnM6IHtcbiAgICAgICAgICBTdHJpbmdFcXVhbHM6IHtcbiAgICAgICAgICAgICdhd3M6U291cmNlQWNjb3VudCc6IGFjY291bnQsXG4gICAgICAgICAgfSxcbiAgICAgICAgfSxcbiAgICAgIH0pLFxuICAgICk7XG5cbiAgICAvLyBJbnNwZWN0b3IyIG5lZWRzIGttczpEZWNyeXB0IGFuZCBrbXM6R2VuZXJhdGVEYXRhS2V5KiB0byBlbmNyeXB0IHRoZSBTQk9NIHJlcG9ydC5cbiAgICB0aGlzLmVuY3J5cHRpb25LZXkuYWRkVG9SZXNvdXJjZVBvbGljeShcbiAgICAgIG5ldyBQb2xpY3lTdGF0ZW1lbnQoe1xuICAgICAgICBhY3Rpb25zOiBbJ2ttczpEZWNyeXB0JywgJ2ttczpHZW5lcmF0ZURhdGFLZXkqJ10sXG4gICAgICAgIHByaW5jaXBhbHM6IFtuZXcgU2VydmljZVByaW5jaXBhbCgnaW5zcGVjdG9yMi5hbWF6b25hd3MuY29tJyldLFxuICAgICAgICByZXNvdXJjZXM6IFsnKiddLFxuICAgICAgICBjb25kaXRpb25zOiB7XG4gICAgICAgICAgU3RyaW5nRXF1YWxzOiB7XG4gICAgICAgICAgICAnYXdzOlNvdXJjZUFjY291bnQnOiBhY2NvdW50LFxuICAgICAgICAgIH0sXG4gICAgICAgIH0sXG4gICAgICB9KSxcbiAgICApO1xuXG4gICAgLy8gTGFtYmRhIG5lZWRzIHRvIGRlY3J5cHQgdGhlIFNCT00gdG8gZG93bmxvYWQgaXQgZnJvbSBTMy5cbiAgICB0aGlzLmVuY3J5cHRpb25LZXkuZ3JhbnREZWNyeXB0KGdyYW50ZWUpO1xuXG4gICAgcmV0dXJuIHtcbiAgICAgIGZvcm1hdDogdGhpcy5mb3JtYXQsXG4gICAgICBidWNrZXROYW1lOiB0aGlzLmJ1Y2tldC5idWNrZXROYW1lLFxuICAgICAgcHJlZml4OiB0aGlzLnByZWZpeCxcbiAgICAgIGttc0tleUFybjogdGhpcy5lbmNyeXB0aW9uS2V5LmtleUFybixcbiAgICB9O1xuICB9XG59XG4iXX0=

package/lib/scan-config.d.ts ADDED Viewed

@@ -0,0 +1,72 @@
+/**
+ * Options for basic ECR image scanning.
+ */
+export interface BasicScanConfigOptions {
+    /**
+     * Whether to start an image scan via StartImageScan API.
+     *
+     * If false, the construct will poll for existing scan results
+     * (useful when scan-on-push is configured).
+     *
+     * **Note**: If `startScan` is false and no scan has been performed
+     * (e.g., scan-on-push is not configured), the deployment will fail
+     * after polling times out.
+     *
+     * **Note**: If scan-on-push is configured and `startScan` is true,
+     * the `StartImageScan` API may return a `LimitExceededException`
+     * because a scan has already been performed. The construct handles
+     * this gracefully by falling back to polling for the existing results.
+     *
+     * **Note**: If Enhanced scanning (Amazon Inspector) is enabled on your account,
+     * the `StartImageScan` API is disabled. In that case, you must use
+     * `ScanConfig.enhanced()` instead. Using `ScanConfig.basic()` with an
+     * Enhanced scanning account will result in a deployment error.
+     *
+     * @default true
+     */
+    readonly startScan?: boolean;
+}
+/**
+ * Options for enhanced ECR image scanning (Amazon Inspector).
+ */
+export interface EnhancedScanConfigOptions {
+}
+/**
+ * Output of ScanConfig.bind().
+ */
+export interface ScanConfigBindOutput {
+    /**
+     * The scan type ('BASIC' or 'ENHANCED').
+     */
+    readonly scanType: string;
+    /**
+     * Whether to start an image scan via StartImageScan API.
+     */
+    readonly startScan: boolean;
+}
+/**
+ * Configuration for ECR image scan type.
+ *
+ * Use `ScanConfig.basic()` for ECR native basic scanning,
+ * or `ScanConfig.enhanced()` for Amazon Inspector enhanced scanning.
+ */
+export declare abstract class ScanConfig {
+    /**
+     * Basic scanning using Amazon ECR native scanning.
+     *
+     * Basic scanning scans for known CVEs in the OS packages of your container image.
+     */
+    static basic(options?: BasicScanConfigOptions): ScanConfig;
+    /**
+     * Enhanced scanning using Amazon Inspector.
+     *
+     * Enhanced scanning provides more detailed findings including
+     * programming language package vulnerabilities.
+     * Ensure Amazon Inspector is enabled for your registry.
+     */
+    static enhanced(options?: EnhancedScanConfigOptions): ScanConfig;
+    /**
+     * Returns the scan configuration.
+     */
+    abstract bind(): ScanConfigBindOutput;
+}

package/lib/scan-config.js ADDED Viewed

@@ -0,0 +1,58 @@
+"use strict";
+var _a;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScanConfig = void 0;
+const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
+/**
+ * Configuration for ECR image scan type.
+ *
+ * Use `ScanConfig.basic()` for ECR native basic scanning,
+ * or `ScanConfig.enhanced()` for Amazon Inspector enhanced scanning.
+ */
+class ScanConfig {
+    /**
+     * Basic scanning using Amazon ECR native scanning.
+     *
+     * Basic scanning scans for known CVEs in the OS packages of your container image.
+     */
+    static basic(options) {
+        return new BasicScanConfig(options);
+    }
+    /**
+     * Enhanced scanning using Amazon Inspector.
+     *
+     * Enhanced scanning provides more detailed findings including
+     * programming language package vulnerabilities.
+     * Ensure Amazon Inspector is enabled for your registry.
+     */
+    static enhanced(options) {
+        return new EnhancedScanConfig(options);
+    }
+}
+exports.ScanConfig = ScanConfig;
+_a = JSII_RTTI_SYMBOL_1;
+ScanConfig[_a] = { fqn: "ecr-scan-verifier.ScanConfig", version: "0.0.0" };
+class BasicScanConfig extends ScanConfig {
+    constructor(options) {
+        super();
+        this.startScan = options?.startScan ?? true;
+    }
+    bind() {
+        return {
+            scanType: 'BASIC',
+            startScan: this.startScan,
+        };
+    }
+}
+class EnhancedScanConfig extends ScanConfig {
+    constructor(_options) {
+        super();
+    }
+    bind() {
+        return {
+            scanType: 'ENHANCED',
+            startScan: false,
+        };
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2Nhbi1jb25maWcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvc2Nhbi1jb25maWcudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7QUFtREE7Ozs7O0dBS0c7QUFDSCxNQUFzQixVQUFVO0lBQzlCOzs7O09BSUc7SUFDSSxNQUFNLENBQUMsS0FBSyxDQUFDLE9BQWdDO1FBQ2xELE9BQU8sSUFBSSxlQUFlLENBQUMsT0FBTyxDQUFDLENBQUM7SUFDdEMsQ0FBQztJQUVEOzs7Ozs7T0FNRztJQUNJLE1BQU0sQ0FBQyxRQUFRLENBQUMsT0FBbUM7UUFDeEQsT0FBTyxJQUFJLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyxDQUFDO0lBQ3pDLENBQUM7O0FBbkJILGdDQXlCQzs7O0FBRUQsTUFBTSxlQUFnQixTQUFRLFVBQVU7SUFHdEMsWUFBWSxPQUFnQztRQUMxQyxLQUFLLEVBQUUsQ0FBQztRQUNSLElBQUksQ0FBQyxTQUFTLEdBQUcsT0FBTyxFQUFFLFNBQVMsSUFBSSxJQUFJLENBQUM7SUFDOUMsQ0FBQztJQUVNLElBQUk7UUFDVCxPQUFPO1lBQ0wsUUFBUSxFQUFFLE9BQU87WUFDakIsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTO1NBQzFCLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUFFRCxNQUFNLGtCQUFtQixTQUFRLFVBQVU7SUFDekMsWUFBWSxRQUFvQztRQUM5QyxLQUFLLEVBQUUsQ0FBQztJQUNWLENBQUM7SUFFTSxJQUFJO1FBQ1QsT0FBTztZQUNMLFFBQVEsRUFBRSxVQUFVO1lBQ3BCLFNBQVMsRUFBRSxLQUFLO1NBQ2pCLENBQUM7SUFDSixDQUFDO0NBQ0YiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIE9wdGlvbnMgZm9yIGJhc2ljIEVDUiBpbWFnZSBzY2FubmluZy5cbiAqL1xuZXhwb3J0IGludGVyZmFjZSBCYXNpY1NjYW5Db25maWdPcHRpb25zIHtcbiAgLyoqXG4gICAqIFdoZXRoZXIgdG8gc3RhcnQgYW4gaW1hZ2Ugc2NhbiB2aWEgU3RhcnRJbWFnZVNjYW4gQVBJLlxuICAgKlxuICAgKiBJZiBmYWxzZSwgdGhlIGNvbnN0cnVjdCB3aWxsIHBvbGwgZm9yIGV4aXN0aW5nIHNjYW4gcmVzdWx0c1xuICAgKiAodXNlZnVsIHdoZW4gc2Nhbi1vbi1wdXNoIGlzIGNvbmZpZ3VyZWQpLlxuICAgKlxuICAgKiAqKk5vdGUqKjogSWYgYHN0YXJ0U2NhbmAgaXMgZmFsc2UgYW5kIG5vIHNjYW4gaGFzIGJlZW4gcGVyZm9ybWVkXG4gICAqIChlLmcuLCBzY2FuLW9uLXB1c2ggaXMgbm90IGNvbmZpZ3VyZWQpLCB0aGUgZGVwbG95bWVudCB3aWxsIGZhaWxcbiAgICogYWZ0ZXIgcG9sbGluZyB0aW1lcyBvdXQuXG4gICAqXG4gICAqICoqTm90ZSoqOiBJZiBzY2FuLW9uLXB1c2ggaXMgY29uZmlndXJlZCBhbmQgYHN0YXJ0U2NhbmAgaXMgdHJ1ZSxcbiAgICogdGhlIGBTdGFydEltYWdlU2NhbmAgQVBJIG1heSByZXR1cm4gYSBgTGltaXRFeGNlZWRlZEV4Y2VwdGlvbmBcbiAgICogYmVjYXVzZSBhIHNjYW4gaGFzIGFscmVhZHkgYmVlbiBwZXJmb3JtZWQuIFRoZSBjb25zdHJ1Y3QgaGFuZGxlc1xuICAgKiB0aGlzIGdyYWNlZnVsbHkgYnkgZmFsbGluZyBiYWNrIHRvIHBvbGxpbmcgZm9yIHRoZSBleGlzdGluZyByZXN1bHRzLlxuICAgKlxuICAgKiAqKk5vdGUqKjogSWYgRW5oYW5jZWQgc2Nhbm5pbmcgKEFtYXpvbiBJbnNwZWN0b3IpIGlzIGVuYWJsZWQgb24geW91ciBhY2NvdW50LFxuICAgKiB0aGUgYFN0YXJ0SW1hZ2VTY2FuYCBBUEkgaXMgZGlzYWJsZWQuIEluIHRoYXQgY2FzZSwgeW91IG11c3QgdXNlXG4gICAqIGBTY2FuQ29uZmlnLmVuaGFuY2VkKClgIGluc3RlYWQuIFVzaW5nIGBTY2FuQ29uZmlnLmJhc2ljKClgIHdpdGggYW5cbiAgICogRW5oYW5jZWQgc2Nhbm5pbmcgYWNjb3VudCB3aWxsIHJlc3VsdCBpbiBhIGRlcGxveW1lbnQgZXJyb3IuXG4gICAqXG4gICAqIEBkZWZhdWx0IHRydWVcbiAgICovXG4gIHJlYWRvbmx5IHN0YXJ0U2Nhbj86IGJvb2xlYW47XG59XG5cbi8qKlxuICogT3B0aW9ucyBmb3IgZW5oYW5jZWQgRUNSIGltYWdlIHNjYW5uaW5nIChBbWF6b24gSW5zcGVjdG9yKS5cbiAqL1xuZXhwb3J0IGludGVyZmFjZSBFbmhhbmNlZFNjYW5Db25maWdPcHRpb25zIHtcbiAgLy8gUmVzZXJ2ZWQgZm9yIGZ1dHVyZSBlbmhhbmNlZCBzY2FubmluZyBvcHRpb25zLlxufVxuXG4vKipcbiAqIE91dHB1dCBvZiBTY2FuQ29uZmlnLmJpbmQoKS5cbiAqL1xuZXhwb3J0IGludGVyZmFjZSBTY2FuQ29uZmlnQmluZE91dHB1dCB7XG4gIC8qKlxuICAgKiBUaGUgc2NhbiB0eXBlICgnQkFTSUMnIG9yICdFTkhBTkNFRCcpLlxuICAgKi9cbiAgcmVhZG9ubHkgc2NhblR5cGU6IHN0cmluZztcblxuICAvKipcbiAgICogV2hldGhlciB0byBzdGFydCBhbiBpbWFnZSBzY2FuIHZpYSBTdGFydEltYWdlU2NhbiBBUEkuXG4gICAqL1xuICByZWFkb25seSBzdGFydFNjYW46IGJvb2xlYW47XG59XG5cbi8qKlxuICogQ29uZmlndXJhdGlvbiBmb3IgRUNSIGltYWdlIHNjYW4gdHlwZS5cbiAqXG4gKiBVc2UgYFNjYW5Db25maWcuYmFzaWMoKWAgZm9yIEVDUiBuYXRpdmUgYmFzaWMgc2Nhbm5pbmcsXG4gKiBvciBgU2NhbkNvbmZpZy5lbmhhbmNlZCgpYCBmb3IgQW1hem9uIEluc3BlY3RvciBlbmhhbmNlZCBzY2FubmluZy5cbiAqL1xuZXhwb3J0IGFic3RyYWN0IGNsYXNzIFNjYW5Db25maWcge1xuICAvKipcbiAgICogQmFzaWMgc2Nhbm5pbmcgdXNpbmcgQW1hem9uIEVDUiBuYXRpdmUgc2Nhbm5pbmcuXG4gICAqXG4gICAqIEJhc2ljIHNjYW5uaW5nIHNjYW5zIGZvciBrbm93biBDVkVzIGluIHRoZSBPUyBwYWNrYWdlcyBvZiB5b3VyIGNvbnRhaW5lciBpbWFnZS5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgYmFzaWMob3B0aW9ucz86IEJhc2ljU2NhbkNvbmZpZ09wdGlvbnMpOiBTY2FuQ29uZmlnIHtcbiAgICByZXR1cm4gbmV3IEJhc2ljU2NhbkNvbmZpZyhvcHRpb25zKTtcbiAgfVxuXG4gIC8qKlxuICAgKiBFbmhhbmNlZCBzY2FubmluZyB1c2luZyBBbWF6b24gSW5zcGVjdG9yLlxuICAgKlxuICAgKiBFbmhhbmNlZCBzY2FubmluZyBwcm92aWRlcyBtb3JlIGRldGFpbGVkIGZpbmRpbmdzIGluY2x1ZGluZ1xuICAgKiBwcm9ncmFtbWluZyBsYW5ndWFnZSBwYWNrYWdlIHZ1bG5lcmFiaWxpdGllcy5cbiAgICogRW5zdXJlIEFtYXpvbiBJbnNwZWN0b3IgaXMgZW5hYmxlZCBmb3IgeW91ciByZWdpc3RyeS5cbiAgICovXG4gIHB1YmxpYyBzdGF0aWMgZW5oYW5jZWQob3B0aW9ucz86IEVuaGFuY2VkU2NhbkNvbmZpZ09wdGlvbnMpOiBTY2FuQ29uZmlnIHtcbiAgICByZXR1cm4gbmV3IEVuaGFuY2VkU2NhbkNvbmZpZyhvcHRpb25zKTtcbiAgfVxuXG4gIC8qKlxuICAgKiBSZXR1cm5zIHRoZSBzY2FuIGNvbmZpZ3VyYXRpb24uXG4gICAqL1xuICBwdWJsaWMgYWJzdHJhY3QgYmluZCgpOiBTY2FuQ29uZmlnQmluZE91dHB1dDtcbn1cblxuY2xhc3MgQmFzaWNTY2FuQ29uZmlnIGV4dGVuZHMgU2NhbkNvbmZpZyB7XG4gIHByaXZhdGUgcmVhZG9ubHkgc3RhcnRTY2FuOiBib29sZWFuO1xuXG4gIGNvbnN0cnVjdG9yKG9wdGlvbnM/OiBCYXNpY1NjYW5Db25maWdPcHRpb25zKSB7XG4gICAgc3VwZXIoKTtcbiAgICB0aGlzLnN0YXJ0U2NhbiA9IG9wdGlvbnM/LnN0YXJ0U2NhbiA/PyB0cnVlO1xuICB9XG5cbiAgcHVibGljIGJpbmQoKTogU2NhbkNvbmZpZ0JpbmRPdXRwdXQge1xuICAgIHJldHVybiB7XG4gICAgICBzY2FuVHlwZTogJ0JBU0lDJyxcbiAgICAgIHN0YXJ0U2NhbjogdGhpcy5zdGFydFNjYW4sXG4gICAgfTtcbiAgfVxufVxuXG5jbGFzcyBFbmhhbmNlZFNjYW5Db25maWcgZXh0ZW5kcyBTY2FuQ29uZmlnIHtcbiAgY29uc3RydWN0b3IoX29wdGlvbnM/OiBFbmhhbmNlZFNjYW5Db25maWdPcHRpb25zKSB7XG4gICAgc3VwZXIoKTtcbiAgfVxuXG4gIHB1YmxpYyBiaW5kKCk6IFNjYW5Db25maWdCaW5kT3V0cHV0IHtcbiAgICByZXR1cm4ge1xuICAgICAgc2NhblR5cGU6ICdFTkhBTkNFRCcsXG4gICAgICBzdGFydFNjYW46IGZhbHNlLFxuICAgIH07XG4gIH1cbn1cbiJdfQ==

package/lib/scan-logs-output.d.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { IGrantable } from 'aws-cdk-lib/aws-iam';
+import { ILogGroup } from 'aws-cdk-lib/aws-logs';
+import { IBucket } from 'aws-cdk-lib/aws-s3';
+/**
+ * Enum for ScanLogsOutputType
+ */
+export declare enum ScanLogsOutputType {
+    /**
+     * Output scan logs to CloudWatch Logs.
+     */
+    CLOUDWATCH_LOGS = "cloudWatchLogs",
+    /**
+     * Output scan logs to S3 bucket.
+     */
+    S3 = "s3"
+}
+/**
+ * Output configurations for scan logs.
+ */
+export interface ScanLogsOutputOptions {
+    /**
+     * The type of scan logs output.
+     */
+    readonly type: ScanLogsOutputType;
+}
+/**
+ * Output configuration for scan logs to CloudWatch Logs.
+ */
+export interface CloudWatchLogsOutputOptions extends ScanLogsOutputOptions {
+    /**
+     * The name of the CloudWatch Logs log group.
+     */
+    readonly logGroupName: string;
+}
+/**
+ * Configuration for scan logs output to CloudWatch Logs log group.
+ */
+export interface CloudWatchLogsOutputProps {
+    /**
+     * The log group to output scan logs.
+     */
+    readonly logGroup: ILogGroup;
+}
+/**
+ * Output configuration for scan logs to S3 bucket.
+ */
+export interface S3OutputOptions extends ScanLogsOutputOptions {
+    /**
+     * The name of the S3 bucket.
+     */
+    readonly bucketName: string;
+    /**
+     * Optional prefix for S3 objects.
+     */
+    readonly prefix?: string;
+}
+/**
+ * Configuration for scan logs output to S3 bucket.
+ */
+export interface S3OutputProps {
+    /**
+     * The S3 bucket to output scan logs.
+     */
+    readonly bucket: IBucket;
+    /**
+     * Optional prefix for S3 objects.
+     */
+    readonly prefix?: string;
+}
+/**
+ * Represents the output of the scan logs.
+ */
+export declare abstract class ScanLogsOutput {
+    /**
+     * Scan logs output to CloudWatch Logs log group.
+     *
+     * **Note on Large Scan Results**: CloudWatch Logs has a limit of 1 MB per log event.
+     * If scan results exceed this limit, they will be automatically
+     * split into multiple log events. Each chunk will be prefixed with `[part X/Y]` to
+     * indicate the sequence, ensuring no data loss while staying within CloudWatch Logs quotas.
+     * **For large scan results, we recommend using S3 output instead** to avoid fragmentation
+     * and make it easier to view complete results.
+     */
+    static cloudWatchLogs(options: CloudWatchLogsOutputProps): ScanLogsOutput;
+    /**
+     * Scan logs output to S3 bucket.
+     */
+    static s3(options: S3OutputProps): ScanLogsOutput;
+    /**
+     * Returns the output configuration for scan logs.
+     */
+    abstract bind(grantee: IGrantable): ScanLogsOutputOptions;
+}