ecr-scan-verifier 0.0.7 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.jsii CHANGED
@@ -3961,7 +3961,7 @@
3961
3961
  },
3962
3962
  "name": "ecr-scan-verifier",
3963
3963
  "readme": {
3964
- "markdown": "# ecr-scan-verifier\n\nAn AWS CDK Construct that **blocks deployments** to ECS, Lambda, and other services when **ECR Image Scanning detects vulnerabilities**.\n\nIt scans a specified container image during CDK deployment using Basic or Enhanced (Amazon Inspector) scanning.\n\n- **Block any construct's deployment** — block ECS, Lambda, or any CDK construct on vulnerability detection via `blockConstructs`\n- **Notify without failing** — get alerts via SNS without blocking deployment. Great for gradual adoption\n- **Scan logs output** — results go to S3 or CloudWatch Logs\n- **SBOM generation** — output Software Bill of Materials in CycloneDX or SPDX format to S3 via Amazon Inspector\n\n## Scanning Modes\n\nThis construct supports two scanning modes. With Basic scanning, the construct starts a scan via API during deployment, or checks existing scan-on-push results. Enhanced scanning (Amazon Inspector) only supports scan-on-push, but additionally enables SBOM generation.\n\n| Feature | Basic Scanning | Enhanced Scanning |\n|---|---|---|\n| Start scan via API | ✅ (`startScan: true`) | — |\n| Check scan-on-push results | ✅ (`startScan: false`) | ✅ |\n| SBOM generation | — | ✅ |\n\n### Prerequisites\n\nWhen using `ScanConfig.basic({ startScan: true })` (the default), the construct starts a scan via the ECR `StartImageScan` API during deployment — no additional ECR configuration is required.\n\nFor all other modes, **scan-on-push must be enabled** on your ECR repository or account before deployment:\n\n- **`ScanConfig.basic({ startScan: false })`** — requires Basic scan-on-push to be enabled on the repository\n- **`ScanConfig.enhanced()`** — requires Enhanced scanning (Amazon Inspector) to be enabled on the account, with the repository included in Inspector's coverage\n\nIf scan-on-push is not configured and no prior scan results exist, the deployment will fail with an error.\n\n> **Tip**: `startScan: true` works even when scan-on-push is already enabled. 
If a scan has already been triggered, the construct simply uses the existing scan results.\n\n## Usage\n\n### Install\n\n```sh\nnpm install ecr-scan-verifier\n```\n\n### CDK Code\n\nThe following code is a minimal example that scans the image and blocks the ECS deployment if vulnerabilities are detected.\n\n```ts\nimport { EcrScanVerifier, ScanConfig } from 'ecr-scan-verifier';\n\n// Target image to scan\nconst image = new DockerImageAsset(this, 'DockerImage', {\n directory: resolve(__dirname, './'),\n});\n\n// Example of an ECS construct that uses the image\nconst ecs = new YourECSConstruct(this, 'YourECSConstruct', {\n dockerImage: image,\n});\n\n// Scan the image before deploying to ECS\nnew EcrScanVerifier(this, 'ImageScanner', {\n repository: image.repository,\n imageTag: image.assetHash,\n scanConfig: ScanConfig.basic(),\n // If vulnerabilities are detected, the ECS deployment will be blocked\n blockConstructs: [ecs],\n});\n```\n\n### Image Tag\n\nYou can specify which image to scan by tag or digest:\n\n```ts\n// Scan by tag (default: 'latest')\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n imageTag: 'v1.0',\n});\n\n// Scan by digest (if the value starts with 'sha256:', it is treated as a digest)\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n imageTag: 'sha256:abc123...',\n});\n```\n\n### Scan Configuration\n\nUse `ScanConfig` to choose between Basic and Enhanced scanning:\n\n```ts\nimport { ScanConfig } from 'ecr-scan-verifier';\n\n// Basic scanning (default) — starts a scan via StartImageScan API\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic({ startScan: true }),\n});\n\n// Basic scanning — polls for existing scan results (useful when scan-on-push is configured)\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic({ startScan: false }),\n});\n\n// Enhanced scanning — uses Amazon Inspector (scan-on-push 
only)\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.enhanced(),\n});\n```\n\nSee [Prerequisites](#prerequisites) for the scan-on-push requirements of each mode.\n\n> **Important**: If Enhanced scanning (Amazon Inspector) is enabled on your account, you must use `ScanConfig.enhanced()`. Using `ScanConfig.basic()` with an Enhanced scanning account will result in a deployment error.\n\n### Severity\n\nYou can specify which severity levels trigger a failure:\n\n```ts\nimport { Severity } from 'ecr-scan-verifier';\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n severity: [Severity.CRITICAL, Severity.HIGH],\n});\n```\n\nAvailable severity levels: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, `UNDEFINED`.\n\n### Ignore Findings\n\nYou can ignore specific CVEs:\n\n```ts\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n ignoreFindings: ['CVE-2023-37920', 'CVE-2024-12345'],\n});\n```\n\n### Scan Logs Output\n\nYou can choose where to output the scan logs using `ScanLogsOutput`: S3 or CloudWatch Logs. 
If not specified, scan logs are written to the Scanner Lambda function's default log group.\n\n#### S3\n\n```ts\nimport { ScanLogsOutput } from 'ecr-scan-verifier';\n\nconst scanLogsBucket = new Bucket(this, 'ScanLogsBucket');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n scanLogsOutput: ScanLogsOutput.s3({\n bucket: scanLogsBucket,\n prefix: 'scan-logs/', // Optional\n }),\n});\n```\n\n#### CloudWatch Logs\n\n```ts\nimport { ScanLogsOutput } from 'ecr-scan-verifier';\n\nconst scanLogsLogGroup = new LogGroup(this, 'ScanLogsLogGroup');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n scanLogsOutput: ScanLogsOutput.cloudWatchLogs({ logGroup: scanLogsLogGroup }),\n});\n```\n\n#### Default Log Group\n\nYou can customize the Scanner Lambda function's log group with `defaultLogGroup`.\n\nIf you use `EcrScanVerifier` construct multiple times in the same stack, you have to set the same log group for `defaultLogGroup` for each construct. When you set different log groups for each construct, a warning message will be displayed.\n\n```ts\nconst logGroup = new LogGroup(this, 'LogGroup');\n\nnew EcrScanVerifier(this, 'Scanner1', {\n repository,\n scanConfig: ScanConfig.basic(),\n defaultLogGroup: logGroup,\n});\n\nnew EcrScanVerifier(this, 'Scanner2', {\n repository,\n scanConfig: ScanConfig.basic(),\n defaultLogGroup: new LogGroup(this, 'AnotherLogGroup'), // NG: different log group from Scanner1\n defaultLogGroup: logGroup, // OK: Use the same log group as Scanner1 to avoid warning\n});\n```\n\n### SBOM Output\n\nYou can generate SBOM (Software Bill of Materials) using Amazon Inspector's CreateSbomExport API. This is independent from scan logs output.\n\n**Note**: SBOM export is only available with Enhanced scanning. 
Using with Basic scanning will throw an error.\n\n```ts\nimport { SbomOutput, ScanConfig } from 'ecr-scan-verifier';\n\nconst sbomBucket = new Bucket(this, 'SbomBucket');\nconst sbomEncryptionKey = new Key(this, 'SbomEncryptionKey');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.enhanced(),\n sbomOutput: SbomOutput.cycloneDx14({\n bucket: sbomBucket,\n prefix: 'sbom/', // Optional\n encryptionKey: sbomEncryptionKey,\n }),\n});\n```\n\nAvailable SBOM formats:\n\n- `SbomOutput.cycloneDx14()` — CycloneDX 1.4 JSON format\n- `SbomOutput.spdx23()` — SPDX 2.3 JSON format\n\n### SNS Notification for Vulnerabilities\n\nYou can configure an SNS topic via `vulnsNotificationTopic` to receive notifications when vulnerabilities are detected.\n\nBy default, the construct fails the deployment when vulnerabilities are found.\nYou can set `failOnVulnerability: false` to receive SNS notifications without blocking the deployment.\n\n```ts\nconst notificationTopic = new Topic(this, 'VulnerabilityNotificationTopic');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n vulnsNotificationTopic: notificationTopic,\n failOnVulnerability: false, // Notify but don't fail deployment\n});\n```\n"
3964
+ "markdown": "# ecr-scan-verifier\n\nAn AWS CDK Construct that **blocks deployments to ECS, Lambda, and other services when ECR Image Scanning detects vulnerabilities**, and optionally **verifies container image signatures**.\n\nIt scans specified container images during CDK deployment using Basic or Enhanced (Amazon Inspector) scanning, and can verify image signatures with Notation (AWS Signer) or Cosign (Sigstore).\n\n- **Block any construct's deployment** — block ECS, Lambda, or any CDK construct on vulnerability detection via `blockConstructs`\n- **Signature verification** — verify image signatures with Notation (AWS Signer) or Cosign (Sigstore) before scanning\n- **Notify without failing** — get alerts via SNS without blocking deployment. Great for gradual adoption\n- **Scan logs output** — results go to S3 or CloudWatch Logs\n- **SBOM generation** — output Software Bill of Materials in CycloneDX or SPDX format to S3 via Amazon Inspector\n\n## Scanning Modes\n\nThis construct supports three scanning modes.\n\nWith **Basic scanning**, the construct starts a scan via API during deployment, or checks existing scan-on-push results.\n\n**Enhanced scanning** (Amazon Inspector) only supports scan-on-push, but additionally enables SBOM generation.\n\n**Signature Only mode** skips vulnerability scanning entirely and only verifies image signatures.\n\n| Feature | Basic Scanning | Enhanced Scanning | Signature Only |\n| --- | --- | --- | --- |\n| Start scan via API | ✅ (`startScan: true`) | — | — |\n| Check scan-on-push results | ✅ (`startScan: false`) | ✅ | — |\n| SBOM generation | — | ✅ | — |\n| Signature verification | ✅ (optional) | ✅ (optional) | ✅ (required) |\n\n### Prerequisites\n\nWhen using `ScanConfig.basic({ startScan: true })` (the default), the construct starts a scan via the ECR `StartImageScan` API during deployment — no additional ECR configuration is required.\n\nFor the following modes, **scan-on-push must be enabled** on your ECR repository or 
account before deployment:\n\n- **`ScanConfig.basic({ startScan: false })`** — requires Basic scan-on-push to be enabled on the repository\n- **`ScanConfig.enhanced()`** — requires Enhanced scanning (Amazon Inspector) to be enabled on the account, with the repository included in Inspector's coverage\n\n`ScanConfig.signatureOnly()` does not require scan-on-push, as it only verifies image signatures without scanning.\n\nIf scan-on-push is not configured and no prior scan results exist, the deployment will fail with an error.\n\n> **Tip**: `startScan: true` works even when scan-on-push is already enabled. If a scan has already been triggered, the construct simply uses the existing scan results.\n\n## Usage\n\n### Install\n\n```sh\nnpm install ecr-scan-verifier\n```\n\n### CDK Code\n\nThe following code is a minimal example that scans the image and blocks the ECS deployment if vulnerabilities are detected.\n\n```ts\nimport { EcrScanVerifier, ScanConfig } from 'ecr-scan-verifier';\n\n// Target image to scan\nconst image = new DockerImageAsset(this, 'DockerImage', {\n directory: resolve(__dirname, './'),\n});\n\n// Example of an ECS construct that uses the image\nconst ecs = new YourECSConstruct(this, 'YourECSConstruct', {\n dockerImage: image,\n});\n\n// Scan the image before deploying to ECS\nnew EcrScanVerifier(this, 'ImageScanner', {\n repository: image.repository,\n imageTag: image.assetHash,\n scanConfig: ScanConfig.basic(),\n // If vulnerabilities are detected, the ECS deployment will be blocked\n blockConstructs: [ecs],\n});\n```\n\n### Image Tag\n\nYou can specify which image to scan by tag or digest:\n\n```ts\n// Scan by tag (default: 'latest')\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n imageTag: 'v1.0',\n});\n\n// Scan by digest (if the value starts with 'sha256:', it is treated as a digest)\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n imageTag: 
'sha256:abc123...',\n});\n```\n\n### Scan Configuration\n\nUse `ScanConfig` to choose between Basic and Enhanced scanning:\n\n```ts\nimport { ScanConfig } from 'ecr-scan-verifier';\n\n// Basic scanning (default) — starts a scan via StartImageScan API\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic({ startScan: true }),\n});\n\n// Basic scanning — polls for existing scan results (useful when scan-on-push is configured)\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic({ startScan: false }),\n});\n\n// Enhanced scanning — uses Amazon Inspector (scan-on-push only)\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.enhanced(),\n});\n```\n\nSee [Prerequisites](#prerequisites) for the scan-on-push requirements of each mode.\n\n> **Important**: If Enhanced scanning (Amazon Inspector) is enabled on your account, you must use `ScanConfig.enhanced()`. Using `ScanConfig.basic()` with an Enhanced scanning account will result in a deployment error.\n\n### Severity\n\nYou can specify which severity levels trigger a failure:\n\n```ts\nimport { Severity } from 'ecr-scan-verifier';\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n severity: [Severity.CRITICAL, Severity.HIGH],\n});\n```\n\nAvailable severity levels: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, `UNDEFINED`.\n\n### Ignore Findings\n\nYou can ignore specific CVEs:\n\n```ts\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n ignoreFindings: ['CVE-2023-37920', 'CVE-2024-12345'],\n});\n```\n\n### Scan Logs Output\n\nYou can choose where to output the scan logs using `ScanLogsOutput`: S3 or CloudWatch Logs. 
If not specified, scan logs are written to the Scanner Lambda function's default log group.\n\n#### S3\n\n```ts\nimport { ScanLogsOutput } from 'ecr-scan-verifier';\n\nconst scanLogsBucket = new Bucket(this, 'ScanLogsBucket');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n scanLogsOutput: ScanLogsOutput.s3({\n bucket: scanLogsBucket,\n prefix: 'scan-logs/', // Optional\n }),\n});\n```\n\n#### CloudWatch Logs\n\n```ts\nimport { ScanLogsOutput } from 'ecr-scan-verifier';\n\nconst scanLogsLogGroup = new LogGroup(this, 'ScanLogsLogGroup');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n scanLogsOutput: ScanLogsOutput.cloudWatchLogs({ logGroup: scanLogsLogGroup }),\n});\n```\n\n#### Default Log Group\n\nYou can customize the Scanner Lambda function's log group with `defaultLogGroup`.\n\nIf you use `EcrScanVerifier` construct multiple times in the same stack, you have to set the same log group for `defaultLogGroup` for each construct. 
When you set different log groups for each construct, a warning message will be displayed.\n\n```ts\nconst logGroup = new LogGroup(this, 'LogGroup');\n\nnew EcrScanVerifier(this, 'Scanner1', {\n repository,\n scanConfig: ScanConfig.basic(),\n defaultLogGroup: logGroup,\n});\n\nnew EcrScanVerifier(this, 'Scanner2', {\n repository,\n scanConfig: ScanConfig.basic(),\n defaultLogGroup: new LogGroup(this, 'AnotherLogGroup'), // NG: different log group from Scanner1\n defaultLogGroup: logGroup, // OK: Use the same log group as Scanner1 to avoid warning\n});\n```\n\n### SBOM Output\n\nYou can generate SBOM (Software Bill of Materials) using Amazon Inspector's CreateSbomExport API.\n\n**Note**: SBOM export is only available with Enhanced scanning.\n\n```ts\nimport { SbomOutput, ScanConfig } from 'ecr-scan-verifier';\n\nconst sbomBucket = new Bucket(this, 'SbomBucket');\nconst sbomEncryptionKey = new Key(this, 'SbomEncryptionKey');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.enhanced(),\n sbomOutput: SbomOutput.cycloneDx14({\n bucket: sbomBucket,\n prefix: 'sbom/', // Optional\n encryptionKey: sbomEncryptionKey,\n }),\n});\n```\n\nAvailable SBOM formats:\n\n- `SbomOutput.cycloneDx14()` — CycloneDX 1.4 JSON format\n- `SbomOutput.spdx23()` — SPDX 2.3 JSON format\n\n### Signature Verification\n\nYou can verify container image signatures before scanning using Notation (AWS Signer) or Cosign (Sigstore).\n\nSignature verification is performed before the vulnerability scan during deployment. 
If verification fails and `failOnUnsigned` is `true` (the default), the deployment will fail.\n\n#### Notation (AWS Signer)\n\n```ts\nimport { SignatureVerification, ScanConfig } from 'ecr-scan-verifier';\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n signatureVerification: SignatureVerification.notation({\n trustedIdentities: ['arn:aws:signer:us-east-1:123456789012:/signing-profiles/MyProfile'],\n }),\n});\n```\n\n#### Cosign with Public Key\n\n```ts\nimport { readFileSync } from 'fs';\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n signatureVerification: SignatureVerification.cosignPublicKey({\n publicKey: readFileSync('path/to/cosign.pub', 'utf-8'),\n }),\n});\n```\n\n#### Cosign with KMS\n\n```ts\nimport { Key } from 'aws-cdk-lib/aws-kms';\n\nconst cosignKey = Key.fromKeyArn(this, 'CosignKey', 'arn:aws:kms:...');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n signatureVerification: SignatureVerification.cosignKms({\n key: cosignKey,\n }),\n});\n```\n\n### SNS Notification for Vulnerabilities\n\nYou can configure an SNS topic via `vulnsNotificationTopic` to receive notifications when vulnerabilities are detected.\n\nBy default, the construct fails the deployment when vulnerabilities are found.\nYou can set `failOnVulnerability: false` to receive SNS notifications without blocking the deployment.\n\n```ts\nconst notificationTopic = new Topic(this, 'VulnerabilityNotificationTopic');\n\nnew EcrScanVerifier(this, 'Scanner', {\n repository,\n scanConfig: ScanConfig.basic(),\n vulnsNotificationTopic: notificationTopic,\n failOnVulnerability: false, // Notify but don't fail deployment\n});\n```\n"
3965
3965
  },
3966
3966
  "repository": {
3967
3967
  "type": "git",
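Review bot: the SBOM Output example in the new README (the `+ "markdown"` line) still passes `sbomOutput` as a top-level `EcrScanVerifier` prop next to `scanConfig: ScanConfig.enhanced()`, while this same diff removes `sbomOutput` from `EcrScanVerifierProps` and adds it to `EnhancedScanConfigOptions`; the snippet should read `scanConfig: ScanConfig.enhanced({ sbomOutput: SbomOutput.cycloneDx14({ bucket: sbomBucket, ... }) })`. The README's Cosign sections should also carry the caveat that the jsii docs put on `CosignKmsVerificationOptions` and `CosignPublicKeyVerificationOptions` (Rekor transparency-log verification is skipped because the Lambda always passes `--insecure-ignore-tlog`), since a reader of the README alone will assume full Sigstore verification, and the Scan Configuration section says "choose between Basic and Enhanced scanning" without showing `ScanConfig.signatureOnly()`, which this release adds. Minor: the Default Log Group snippet, unchanged from 0.0.7, declares `defaultLogGroup` twice in one object literal, which TypeScript rejects as a duplicate property; show the NG and OK forms as two separate constructs.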
@@ -3985,7 +3985,7 @@
3985
3985
  "kind": "interface",
3986
3986
  "locationInModule": {
3987
3987
  "filename": "src/scan-config.ts",
3988
- "line": 4
3988
+ "line": 6
3989
3989
  },
3990
3990
  "name": "BasicScanConfigOptions",
3991
3991
  "properties": [
@@ -4000,7 +4000,7 @@
4000
4000
  "immutable": true,
4001
4001
  "locationInModule": {
4002
4002
  "filename": "src/scan-config.ts",
4003
- "line": 27
4003
+ "line": 29
4004
4004
  },
4005
4005
  "name": "startScan",
4006
4006
  "optional": true,
@@ -4082,6 +4082,85 @@
4082
4082
  ],
4083
4083
  "symbolId": "src/scan-logs-output:CloudWatchLogsOutputProps"
4084
4084
  },
4085
+ "ecr-scan-verifier.CosignKmsVerificationOptions": {
4086
+ "assembly": "ecr-scan-verifier",
4087
+ "datatype": true,
4088
+ "docs": {
4089
+ "remarks": "**Note on Rekor Transparency Log:**\nThis implementation skips Rekor transparency log verification and verifies only\nthe cryptographic signature using the KMS key.\nThe Lambda function always uses the `--insecure-ignore-tlog` flag when running cosign verify.",
4090
+ "see": "https://docs.sigstore.dev/cosign/key_management/overview/",
4091
+ "stability": "stable",
4092
+ "summary": "Options for Cosign signature verification using an AWS KMS key."
4093
+ },
4094
+ "fqn": "ecr-scan-verifier.CosignKmsVerificationOptions",
4095
+ "interfaces": [
4096
+ "ecr-scan-verifier.VerificationOptions"
4097
+ ],
4098
+ "kind": "interface",
4099
+ "locationInModule": {
4100
+ "filename": "src/signature-verification.ts",
4101
+ "line": 59
4102
+ },
4103
+ "name": "CosignKmsVerificationOptions",
4104
+ "properties": [
4105
+ {
4106
+ "abstract": true,
4107
+ "docs": {
4108
+ "stability": "stable",
4109
+ "summary": "AWS KMS key used to verify the image signature."
4110
+ },
4111
+ "immutable": true,
4112
+ "locationInModule": {
4113
+ "filename": "src/signature-verification.ts",
4114
+ "line": 63
4115
+ },
4116
+ "name": "key",
4117
+ "type": {
4118
+ "fqn": "aws-cdk-lib.aws_kms.IKey"
4119
+ }
4120
+ }
4121
+ ],
4122
+ "symbolId": "src/signature-verification:CosignKmsVerificationOptions"
4123
+ },
4124
+ "ecr-scan-verifier.CosignPublicKeyVerificationOptions": {
4125
+ "assembly": "ecr-scan-verifier",
4126
+ "datatype": true,
4127
+ "docs": {
4128
+ "remarks": "**Note on Rekor Transparency Log:**\nThis implementation skips Rekor transparency log verification and verifies only\nthe cryptographic signature using the public key.\nThe Lambda function always uses the `--insecure-ignore-tlog` flag when running cosign verify.",
4129
+ "see": "https://docs.sigstore.dev/cosign/key_management/overview/",
4130
+ "stability": "stable",
4131
+ "summary": "Options for Cosign signature verification using a public key."
4132
+ },
4133
+ "fqn": "ecr-scan-verifier.CosignPublicKeyVerificationOptions",
4134
+ "interfaces": [
4135
+ "ecr-scan-verifier.VerificationOptions"
4136
+ ],
4137
+ "kind": "interface",
4138
+ "locationInModule": {
4139
+ "filename": "src/signature-verification.ts",
4140
+ "line": 40
4141
+ },
4142
+ "name": "CosignPublicKeyVerificationOptions",
4143
+ "properties": [
4144
+ {
4145
+ "abstract": true,
4146
+ "docs": {
4147
+ "example": "'-----BEGIN PUBLIC KEY-----\\nMIIBI...\\n-----END PUBLIC KEY-----'",
4148
+ "stability": "stable",
4149
+ "summary": "The PEM-encoded public key content used to verify the image signature."
4150
+ },
4151
+ "immutable": true,
4152
+ "locationInModule": {
4153
+ "filename": "src/signature-verification.ts",
4154
+ "line": 46
4155
+ },
4156
+ "name": "publicKey",
4157
+ "type": {
4158
+ "primitive": "string"
4159
+ }
4160
+ }
4161
+ ],
4162
+ "symbolId": "src/signature-verification:CosignPublicKeyVerificationOptions"
4163
+ },
4085
4164
  "ecr-scan-verifier.EcrScanVerifier": {
4086
4165
  "assembly": "ecr-scan-verifier",
4087
4166
  "base": "constructs.Construct",
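Review bot: the `remarks` on both new Cosign option interfaces state that the Lambda always passes `--insecure-ignore-tlog`, so a signature is accepted on the key signature alone with no Rekor inclusion proof or signed timestamp; that should be an explicit opt-in (default to requiring the transparency log, or at least let the caller choose) rather than a hard-coded weaker mode, and the caveat belongs in the `summary` field as well, since many doc generators show only the summary. The `docs.see` link points at the generic Sigstore key-management overview; linking the `cosign verify` flag reference where `--insecure-ignore-tlog` is defined would let users judge the trade-off.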
@@ -4097,7 +4176,7 @@
4097
4176
  },
4098
4177
  "locationInModule": {
4099
4178
  "filename": "src/ecr-scan-verifier.ts",
4100
- "line": 140
4179
+ "line": 143
4101
4180
  },
4102
4181
  "parameters": [
4103
4182
  {
@@ -4123,7 +4202,7 @@
4123
4202
  "kind": "class",
4124
4203
  "locationInModule": {
4125
4204
  "filename": "src/ecr-scan-verifier.ts",
4126
- "line": 137
4205
+ "line": 140
4127
4206
  },
4128
4207
  "name": "EcrScanVerifier",
4129
4208
  "symbolId": "src/ecr-scan-verifier:EcrScanVerifier"
@@ -4139,7 +4218,7 @@
4139
4218
  "kind": "interface",
4140
4219
  "locationInModule": {
4141
4220
  "filename": "src/ecr-scan-verifier.ts",
4142
- "line": 19
4221
+ "line": 26
4143
4222
  },
4144
4223
  "name": "EcrScanVerifierProps",
4145
4224
  "properties": [
@@ -4152,7 +4231,7 @@
4152
4231
  "immutable": true,
4153
4232
  "locationInModule": {
4154
4233
  "filename": "src/ecr-scan-verifier.ts",
4155
- "line": 23
4234
+ "line": 30
4156
4235
  },
4157
4236
  "name": "repository",
4158
4237
  "type": {
@@ -4169,7 +4248,7 @@
4169
4248
  "immutable": true,
4170
4249
  "locationInModule": {
4171
4250
  "filename": "src/ecr-scan-verifier.ts",
4172
- "line": 48
4251
+ "line": 55
4173
4252
  },
4174
4253
  "name": "scanConfig",
4175
4254
  "type": {
@@ -4186,7 +4265,7 @@
4186
4265
  "immutable": true,
4187
4266
  "locationInModule": {
4188
4267
  "filename": "src/ecr-scan-verifier.ts",
4189
- "line": 129
4268
+ "line": 132
4190
4269
  },
4191
4270
  "name": "blockConstructs",
4192
4271
  "optional": true,
@@ -4210,7 +4289,7 @@
4210
4289
  "immutable": true,
4211
4290
  "locationInModule": {
4212
4291
  "filename": "src/ecr-scan-verifier.ts",
4213
- "line": 106
4292
+ "line": 109
4214
4293
  },
4215
4294
  "name": "defaultLogGroup",
4216
4295
  "optional": true,
@@ -4228,7 +4307,7 @@
4228
4307
  "immutable": true,
4229
4308
  "locationInModule": {
4230
4309
  "filename": "src/ecr-scan-verifier.ts",
4231
- "line": 66
4310
+ "line": 73
4232
4311
  },
4233
4312
  "name": "failOnVulnerability",
4234
4313
  "optional": true,
@@ -4247,7 +4326,7 @@
4247
4326
  "immutable": true,
4248
4327
  "locationInModule": {
4249
4328
  "filename": "src/ecr-scan-verifier.ts",
4250
- "line": 76
4329
+ "line": 83
4251
4330
  },
4252
4331
  "name": "ignoreFindings",
4253
4332
  "optional": true,
@@ -4271,7 +4350,7 @@
4271
4350
  "immutable": true,
4272
4351
  "locationInModule": {
4273
4352
  "filename": "src/ecr-scan-verifier.ts",
4274
- "line": 33
4353
+ "line": 40
4275
4354
  },
4276
4355
  "name": "imageTag",
4277
4356
  "optional": true,
@@ -4279,25 +4358,6 @@
4279
4358
  "primitive": "string"
4280
4359
  }
4281
4360
  },
4282
- {
4283
- "abstract": true,
4284
- "docs": {
4285
- "default": "- no SBOM output",
4286
- "remarks": "SBOM export uses Amazon Inspector's CreateSbomExport API to generate SBOM\nand uploads it to S3.\n\n**Note**: SBOM export is only available with Enhanced scanning (Amazon Inspector).\nUsing with Basic scanning will throw an error.",
4287
- "stability": "stable",
4288
- "summary": "SBOM (Software Bill of Materials) output configuration."
4289
- },
4290
- "immutable": true,
4291
- "locationInModule": {
4292
- "filename": "src/ecr-scan-verifier.ts",
4293
- "line": 96
4294
- },
4295
- "name": "sbomOutput",
4296
- "optional": true,
4297
- "type": {
4298
- "fqn": "ecr-scan-verifier.SbomOutput"
4299
- }
4300
- },
4301
4361
  {
4302
4362
  "abstract": true,
4303
4363
  "docs": {
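Review bot: removing `sbomOutput` from `EcrScanVerifierProps` breaks every 0.0.7 user who set it (their `sbomOutput:` prop no longer compiles), which is acceptable for a 0.x minor bump but needs a changelog/README migration note pointing at `ScanConfig.enhanced({ sbomOutput })`; the README hunk in this same release still uses the removed prop, so the two are currently inconsistent.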
@@ -4308,7 +4368,7 @@
4308
4368
  "immutable": true,
4309
4369
  "locationInModule": {
4310
4370
  "filename": "src/ecr-scan-verifier.ts",
4311
- "line": 83
4371
+ "line": 90
4312
4372
  },
4313
4373
  "name": "scanLogsOutput",
4314
4374
  "optional": true,
@@ -4327,7 +4387,7 @@
4327
4387
  "immutable": true,
4328
4388
  "locationInModule": {
4329
4389
  "filename": "src/ecr-scan-verifier.ts",
4330
- "line": 58
4390
+ "line": 65
4331
4391
  },
4332
4392
  "name": "severity",
4333
4393
  "optional": true,
@@ -4340,6 +4400,25 @@
4340
4400
  }
4341
4401
  }
4342
4402
  },
4403
+ {
4404
+ "abstract": true,
4405
+ "docs": {
4406
+ "default": "- no signature verification",
4407
+ "remarks": "Verifies the image signature before scanning using Notation (AWS Signer) or Cosign (Sigstore).",
4408
+ "stability": "stable",
4409
+ "summary": "Signature verification configuration for the container image."
4410
+ },
4411
+ "immutable": true,
4412
+ "locationInModule": {
4413
+ "filename": "src/ecr-scan-verifier.ts",
4414
+ "line": 99
4415
+ },
4416
+ "name": "signatureVerification",
4417
+ "optional": true,
4418
+ "type": {
4419
+ "fqn": "ecr-scan-verifier.SignatureVerification"
4420
+ }
4421
+ },
4343
4422
  {
4344
4423
  "abstract": true,
4345
4424
  "docs": {
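Review bot: `signatureVerification` is declared `optional: true` with default "no signature verification", yet `ScanConfig.signatureOnly()` later in this diff lists it as required; the type system cannot express that coupling, so the docs here should say that the combination is rejected, and the constructor should throw at synth time rather than letting the custom resource fail mid-deployment. The `remarks` say verification runs "before scanning"; it would help to state that a signature failure short-circuits the scan and how `blockConstructs` behave when only the signature check fails.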
@@ -4350,7 +4429,7 @@
4350
4429
  "immutable": true,
4351
4430
  "locationInModule": {
4352
4431
  "filename": "src/ecr-scan-verifier.ts",
4353
- "line": 113
4432
+ "line": 116
4354
4433
  },
4355
4434
  "name": "suppressErrorOnRollback",
4356
4435
  "optional": true,
@@ -4369,7 +4448,7 @@
4369
4448
  "immutable": true,
4370
4449
  "locationInModule": {
4371
4450
  "filename": "src/ecr-scan-verifier.ts",
4372
- "line": 122
4451
+ "line": 125
4373
4452
  },
4374
4453
  "name": "vulnsNotificationTopic",
4375
4454
  "optional": true,
@@ -4391,11 +4470,76 @@
4391
4470
  "kind": "interface",
4392
4471
  "locationInModule": {
4393
4472
  "filename": "src/scan-config.ts",
4394
- "line": 33
4473
+ "line": 35
4395
4474
  },
4396
4475
  "name": "EnhancedScanConfigOptions",
4476
+ "properties": [
4477
+ {
4478
+ "abstract": true,
4479
+ "docs": {
4480
+ "default": "- no SBOM output",
4481
+ "remarks": "SBOM export uses Amazon Inspector's CreateSbomExport API to generate SBOM\nand uploads it to S3.",
4482
+ "stability": "stable",
4483
+ "summary": "SBOM (Software Bill of Materials) output configuration."
4484
+ },
4485
+ "immutable": true,
4486
+ "locationInModule": {
4487
+ "filename": "src/scan-config.ts",
4488
+ "line": 44
4489
+ },
4490
+ "name": "sbomOutput",
4491
+ "optional": true,
4492
+ "type": {
4493
+ "fqn": "ecr-scan-verifier.SbomOutput"
4494
+ }
4495
+ }
4496
+ ],
4397
4497
  "symbolId": "src/scan-config:EnhancedScanConfigOptions"
4398
4498
  },
4499
+ "ecr-scan-verifier.NotationVerificationOptions": {
4500
+ "assembly": "ecr-scan-verifier",
4501
+ "datatype": true,
4502
+ "docs": {
4503
+ "stability": "stable",
4504
+ "summary": "Options for Notation (AWS Signer) signature verification."
4505
+ },
4506
+ "fqn": "ecr-scan-verifier.NotationVerificationOptions",
4507
+ "interfaces": [
4508
+ "ecr-scan-verifier.VerificationOptions"
4509
+ ],
4510
+ "kind": "interface",
4511
+ "locationInModule": {
4512
+ "filename": "src/signature-verification.ts",
4513
+ "line": 19
4514
+ },
4515
+ "name": "NotationVerificationOptions",
4516
+ "properties": [
4517
+ {
4518
+ "abstract": true,
4519
+ "docs": {
4520
+ "example": "['arn:aws:signer:us-east-1:123456789012:/signing-profiles/MyProfile']",
4521
+ "remarks": "At least one signing profile ARN must be specified.",
4522
+ "stability": "stable",
4523
+ "summary": "Trusted signing profile ARNs."
4524
+ },
4525
+ "immutable": true,
4526
+ "locationInModule": {
4527
+ "filename": "src/signature-verification.ts",
4528
+ "line": 27
4529
+ },
4530
+ "name": "trustedIdentities",
4531
+ "type": {
4532
+ "collection": {
4533
+ "elementtype": {
4534
+ "primitive": "string"
4535
+ },
4536
+ "kind": "array"
4537
+ }
4538
+ }
4539
+ }
4540
+ ],
4541
+ "symbolId": "src/signature-verification:NotationVerificationOptions"
4542
+ },
4399
4543
  "ecr-scan-verifier.S3OutputOptions": {
4400
4544
  "assembly": "ecr-scan-verifier",
4401
4545
  "datatype": true,
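Review bot: `trustedIdentities` is documented as "At least one signing profile ARN must be specified" but typed as a plain `string[]`, so an empty array type-checks; the construct should validate non-emptiness at synth time and the docs should say it does, so a misconfigured empty list fails loudly instead of depending on how the generated Notation trust policy treats it. Moving `sbomOutput` onto `EnhancedScanConfigOptions` correctly drops the old "Using with Basic scanning will throw an error" remark, since the option can no longer be set on a basic config.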
@@ -4789,7 +4933,7 @@
4789
4933
  "abstract": true,
4790
4934
  "assembly": "ecr-scan-verifier",
4791
4935
  "docs": {
4792
- "remarks": "Use `ScanConfig.basic()` for ECR native basic scanning,\nor `ScanConfig.enhanced()` for Amazon Inspector enhanced scanning.",
4936
+ "remarks": "Use `ScanConfig.basic()` for ECR native basic scanning,\n`ScanConfig.enhanced()` for Amazon Inspector enhanced scanning,\nor `ScanConfig.signatureOnly()` for signature verification without scanning.",
4793
4937
  "stability": "stable",
4794
4938
  "summary": "Configuration for ECR image scan type."
4795
4939
  },
@@ -4802,7 +4946,7 @@
4802
4946
  "kind": "class",
4803
4947
  "locationInModule": {
4804
4948
  "filename": "src/scan-config.ts",
4805
- "line": 58
4949
+ "line": 81
4806
4950
  },
4807
4951
  "methods": [
4808
4952
  {
@@ -4813,7 +4957,7 @@
4813
4957
  },
4814
4958
  "locationInModule": {
4815
4959
  "filename": "src/scan-config.ts",
4816
- "line": 64
4960
+ "line": 87
4817
4961
  },
4818
4962
  "name": "basic",
4819
4963
  "parameters": [
@@ -4840,7 +4984,7 @@
4840
4984
  },
4841
4985
  "locationInModule": {
4842
4986
  "filename": "src/scan-config.ts",
4843
- "line": 75
4987
+ "line": 98
4844
4988
  },
4845
4989
  "name": "enhanced",
4846
4990
  "parameters": [
@@ -4859,6 +5003,33 @@
4859
5003
  },
4860
5004
  "static": true
4861
5005
  },
5006
+ {
5007
+ "docs": {
5008
+ "remarks": "Verifies the image signature without performing vulnerability scanning.\nThis mode skips ECR/Inspector scanning entirely and only validates the image signature.\n\n**Requirements**:\n- `signatureVerification` must be specified in EcrScanVerifierProps",
5009
+ "stability": "stable",
5010
+ "summary": "Signature verification only (no vulnerability scanning)."
5011
+ },
5012
+ "locationInModule": {
5013
+ "filename": "src/scan-config.ts",
5014
+ "line": 111
5015
+ },
5016
+ "name": "signatureOnly",
5017
+ "parameters": [
5018
+ {
5019
+ "name": "options",
5020
+ "optional": true,
5021
+ "type": {
5022
+ "fqn": "ecr-scan-verifier.SignatureOnlyConfigOptions"
5023
+ }
5024
+ }
5025
+ ],
5026
+ "returns": {
5027
+ "type": {
5028
+ "fqn": "ecr-scan-verifier.ScanConfig"
5029
+ }
5030
+ },
5031
+ "static": true
5032
+ },
4862
5033
  {
4863
5034
  "abstract": true,
4864
5035
  "docs": {
@@ -4867,7 +5038,7 @@
4867
5038
  },
4868
5039
  "locationInModule": {
4869
5040
  "filename": "src/scan-config.ts",
4870
- "line": 82
5041
+ "line": 118
4871
5042
  },
4872
5043
  "name": "bind",
4873
5044
  "returns": {
@@ -4891,7 +5062,7 @@
4891
5062
  "kind": "interface",
4892
5063
  "locationInModule": {
4893
5064
  "filename": "src/scan-config.ts",
4894
- "line": 40
5065
+ "line": 57
4895
5066
  },
4896
5067
  "name": "ScanConfigBindOutput",
4897
5068
  "properties": [
@@ -4899,12 +5070,12 @@
4899
5070
  "abstract": true,
4900
5071
  "docs": {
4901
5072
  "stability": "stable",
4902
- "summary": "The scan type ('BASIC' or 'ENHANCED')."
5073
+ "summary": "The scan type ('BASIC', 'ENHANCED', or 'SIGNATURE_ONLY')."
4903
5074
  },
4904
5075
  "immutable": true,
4905
5076
  "locationInModule": {
4906
5077
  "filename": "src/scan-config.ts",
4907
- "line": 44
5078
+ "line": 61
4908
5079
  },
4909
5080
  "name": "scanType",
4910
5081
  "type": {
@@ -4920,12 +5091,29 @@
4920
5091
  "immutable": true,
4921
5092
  "locationInModule": {
4922
5093
  "filename": "src/scan-config.ts",
4923
- "line": 49
5094
+ "line": 66
4924
5095
  },
4925
5096
  "name": "startScan",
4926
5097
  "type": {
4927
5098
  "primitive": "boolean"
4928
5099
  }
5100
+ },
5101
+ {
5102
+ "abstract": true,
5103
+ "docs": {
5104
+ "stability": "stable",
5105
+ "summary": "SBOM output configuration (Enhanced scanning only)."
5106
+ },
5107
+ "immutable": true,
5108
+ "locationInModule": {
5109
+ "filename": "src/scan-config.ts",
5110
+ "line": 71
5111
+ },
5112
+ "name": "sbomOutput",
5113
+ "optional": true,
5114
+ "type": {
5115
+ "fqn": "ecr-scan-verifier.SbomOutput"
5116
+ }
4929
5117
  }
4930
5118
  ],
4931
5119
  "symbolId": "src/scan-config:ScanConfigBindOutput"
@@ -5147,8 +5335,293 @@
5147
5335
  ],
5148
5336
  "name": "Severity",
5149
5337
  "symbolId": "src/types:Severity"
5338
+ },
5339
+ "ecr-scan-verifier.SignatureOnlyConfigOptions": {
5340
+ "assembly": "ecr-scan-verifier",
5341
+ "datatype": true,
5342
+ "docs": {
5343
+ "stability": "stable",
5344
+ "summary": "Options for signature-only verification (no scanning)."
5345
+ },
5346
+ "fqn": "ecr-scan-verifier.SignatureOnlyConfigOptions",
5347
+ "kind": "interface",
5348
+ "locationInModule": {
5349
+ "filename": "src/scan-config.ts",
5350
+ "line": 50
5351
+ },
5352
+ "name": "SignatureOnlyConfigOptions",
5353
+ "symbolId": "src/scan-config:SignatureOnlyConfigOptions"
5354
+ },
5355
+ "ecr-scan-verifier.SignatureVerification": {
5356
+ "abstract": true,
5357
+ "assembly": "ecr-scan-verifier",
5358
+ "docs": {
5359
+ "remarks": "Supports Notation (AWS Signer) and Cosign (Sigstore) verification methods.\nSignature verification is performed before the vulnerability scan during deployment.",
5360
+ "stability": "stable",
5361
+ "summary": "Signature verification configuration for container images."
5362
+ },
5363
+ "fqn": "ecr-scan-verifier.SignatureVerification",
5364
+ "initializer": {
5365
+ "docs": {
5366
+ "stability": "stable"
5367
+ }
5368
+ },
5369
+ "kind": "class",
5370
+ "locationInModule": {
5371
+ "filename": "src/signature-verification.ts",
5372
+ "line": 102
5373
+ },
5374
+ "methods": [
5375
+ {
5376
+ "docs": {
5377
+ "remarks": "**Important:** Cosign verification skips Rekor transparency log verification.\n\nSign your images with:\n```bash\ncosign sign --tlog-upload=false --key awskms:///KMS_KEY_ARN IMAGE\n```",
5378
+ "stability": "stable",
5379
+ "summary": "Verify image signature using Cosign with an AWS KMS key."
5380
+ },
5381
+ "locationInModule": {
5382
+ "filename": "src/signature-verification.ts",
5383
+ "line": 138
5384
+ },
5385
+ "name": "cosignKms",
5386
+ "parameters": [
5387
+ {
5388
+ "name": "options",
5389
+ "type": {
5390
+ "fqn": "ecr-scan-verifier.CosignKmsVerificationOptions"
5391
+ }
5392
+ }
5393
+ ],
5394
+ "returns": {
5395
+ "type": {
5396
+ "fqn": "ecr-scan-verifier.SignatureVerification"
5397
+ }
5398
+ },
5399
+ "static": true
5400
+ },
5401
+ {
5402
+ "docs": {
5403
+ "remarks": "**Important:** Cosign verification skips Rekor transparency log verification.\n\nSign your images with:\n```bash\ncosign sign --tlog-upload=false --key cosign.pub IMAGE\n```",
5404
+ "stability": "stable",
5405
+ "summary": "Verify image signature using Cosign with a public key."
5406
+ },
5407
+ "locationInModule": {
5408
+ "filename": "src/signature-verification.ts",
5409
+ "line": 122
5410
+ },
5411
+ "name": "cosignPublicKey",
5412
+ "parameters": [
5413
+ {
5414
+ "name": "options",
5415
+ "type": {
5416
+ "fqn": "ecr-scan-verifier.CosignPublicKeyVerificationOptions"
5417
+ }
5418
+ }
5419
+ ],
5420
+ "returns": {
5421
+ "type": {
5422
+ "fqn": "ecr-scan-verifier.SignatureVerification"
5423
+ }
5424
+ },
5425
+ "static": true
5426
+ },
5427
+ {
5428
+ "docs": {
5429
+ "remarks": "Requires the image to be signed with AWS Signer.",
5430
+ "stability": "stable",
5431
+ "summary": "Verify image signature using Notation (AWS Signer)."
5432
+ },
5433
+ "locationInModule": {
5434
+ "filename": "src/signature-verification.ts",
5435
+ "line": 108
5436
+ },
5437
+ "name": "notation",
5438
+ "parameters": [
5439
+ {
5440
+ "name": "options",
5441
+ "type": {
5442
+ "fqn": "ecr-scan-verifier.NotationVerificationOptions"
5443
+ }
5444
+ }
5445
+ ],
5446
+ "returns": {
5447
+ "type": {
5448
+ "fqn": "ecr-scan-verifier.SignatureVerification"
5449
+ }
5450
+ },
5451
+ "static": true
5452
+ },
5453
+ {
5454
+ "abstract": true,
5455
+ "docs": {
5456
+ "stability": "stable",
5457
+ "summary": "Returns the signature verification configuration."
5458
+ },
5459
+ "locationInModule": {
5460
+ "filename": "src/signature-verification.ts",
5461
+ "line": 145
5462
+ },
5463
+ "name": "bind",
5464
+ "parameters": [
5465
+ {
5466
+ "name": "grantee",
5467
+ "type": {
5468
+ "fqn": "aws-cdk-lib.aws_iam.IGrantable"
5469
+ }
5470
+ }
5471
+ ],
5472
+ "returns": {
5473
+ "type": {
5474
+ "fqn": "ecr-scan-verifier.SignatureVerificationBindOutput"
5475
+ }
5476
+ }
5477
+ }
5478
+ ],
5479
+ "name": "SignatureVerification",
5480
+ "symbolId": "src/signature-verification:SignatureVerification"
5481
+ },
5482
+ "ecr-scan-verifier.SignatureVerificationBindOutput": {
5483
+ "assembly": "ecr-scan-verifier",
5484
+ "datatype": true,
5485
+ "docs": {
5486
+ "stability": "stable",
5487
+ "summary": "Output of SignatureVerification.bind()."
5488
+ },
5489
+ "fqn": "ecr-scan-verifier.SignatureVerificationBindOutput",
5490
+ "kind": "interface",
5491
+ "locationInModule": {
5492
+ "filename": "src/signature-verification.ts",
5493
+ "line": 69
5494
+ },
5495
+ "name": "SignatureVerificationBindOutput",
5496
+ "properties": [
5497
+ {
5498
+ "abstract": true,
5499
+ "docs": {
5500
+ "stability": "stable",
5501
+ "summary": "Whether to fail the deployment on unsigned images."
5502
+ },
5503
+ "immutable": true,
5504
+ "locationInModule": {
5505
+ "filename": "src/signature-verification.ts",
5506
+ "line": 93
5507
+ },
5508
+ "name": "failOnUnsigned",
5509
+ "type": {
5510
+ "primitive": "boolean"
5511
+ }
5512
+ },
5513
+ {
5514
+ "abstract": true,
5515
+ "docs": {
5516
+ "stability": "stable",
5517
+ "summary": "The verification type."
5518
+ },
5519
+ "immutable": true,
5520
+ "locationInModule": {
5521
+ "filename": "src/signature-verification.ts",
5522
+ "line": 73
5523
+ },
5524
+ "name": "type",
5525
+ "type": {
5526
+ "primitive": "string"
5527
+ }
5528
+ },
5529
+ {
5530
+ "abstract": true,
5531
+ "docs": {
5532
+ "stability": "stable",
5533
+ "summary": "KMS key ARN (Cosign KMS only)."
5534
+ },
5535
+ "immutable": true,
5536
+ "locationInModule": {
5537
+ "filename": "src/signature-verification.ts",
5538
+ "line": 88
5539
+ },
5540
+ "name": "kmsKeyArn",
5541
+ "optional": true,
5542
+ "type": {
5543
+ "primitive": "string"
5544
+ }
5545
+ },
5546
+ {
5547
+ "abstract": true,
5548
+ "docs": {
5549
+ "stability": "stable",
5550
+ "summary": "Public key content (Cosign public key only)."
5551
+ },
5552
+ "immutable": true,
5553
+ "locationInModule": {
5554
+ "filename": "src/signature-verification.ts",
5555
+ "line": 83
5556
+ },
5557
+ "name": "publicKey",
5558
+ "optional": true,
5559
+ "type": {
5560
+ "primitive": "string"
5561
+ }
5562
+ },
5563
+ {
5564
+ "abstract": true,
5565
+ "docs": {
5566
+ "stability": "stable",
5567
+ "summary": "Trusted signing profile ARNs (Notation only)."
5568
+ },
5569
+ "immutable": true,
5570
+ "locationInModule": {
5571
+ "filename": "src/signature-verification.ts",
5572
+ "line": 78
5573
+ },
5574
+ "name": "trustedIdentities",
5575
+ "optional": true,
5576
+ "type": {
5577
+ "collection": {
5578
+ "elementtype": {
5579
+ "primitive": "string"
5580
+ },
5581
+ "kind": "array"
5582
+ }
5583
+ }
5584
+ }
5585
+ ],
5586
+ "symbolId": "src/signature-verification:SignatureVerificationBindOutput"
5587
+ },
5588
+ "ecr-scan-verifier.VerificationOptions": {
5589
+ "assembly": "ecr-scan-verifier",
5590
+ "datatype": true,
5591
+ "docs": {
5592
+ "stability": "stable",
5593
+ "summary": "Common options for signature verification."
5594
+ },
5595
+ "fqn": "ecr-scan-verifier.VerificationOptions",
5596
+ "kind": "interface",
5597
+ "locationInModule": {
5598
+ "filename": "src/signature-verification.ts",
5599
+ "line": 7
5600
+ },
5601
+ "name": "VerificationOptions",
5602
+ "properties": [
5603
+ {
5604
+ "abstract": true,
5605
+ "docs": {
5606
+ "default": "true",
5607
+ "stability": "stable",
5608
+ "summary": "Whether to fail the deployment if the image is unsigned or signature verification fails."
5609
+ },
5610
+ "immutable": true,
5611
+ "locationInModule": {
5612
+ "filename": "src/signature-verification.ts",
5613
+ "line": 13
5614
+ },
5615
+ "name": "failOnUnsigned",
5616
+ "optional": true,
5617
+ "type": {
5618
+ "primitive": "boolean"
5619
+ }
5620
+ }
5621
+ ],
5622
+ "symbolId": "src/signature-verification:VerificationOptions"
5150
5623
  }
5151
5624
  },
5152
- "version": "0.0.7",
5153
- "fingerprint": "rpRXa3wmEwqE3/fhkLgqDT2AgdB5XQvatoxtHWmJtaw="
5625
+ "version": "0.1.0",
5626
+ "fingerprint": "eE+K+wUfGqQqUmqRaujP3LCH4sXfZKAEUOqL6KzhSQw="
5154
5627
  }
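Review bot: the `cosignPublicKey` remarks give `cosign sign --tlog-upload=false --key cosign.pub IMAGE`, but `cosign sign --key` takes the signing (private) key, conventionally `cosign.key`; `cosign.pub` is the verification key that belongs in `CosignPublicKeyVerificationOptions`, so the example as written points users at a command that cannot sign. Both Cosign remarks say verification "skips Rekor transparency log verification" without saying what that costs: with no log entry there is no inclusion proof or trusted timestamp, so a signature produced with a leaked key stays valid until that key is removed from the options, and the docs should tell users to rotate keys rather than expect any revocation to take effect. The two `failOnUnsigned` summaries also disagree: `VerificationOptions` says "unsigned or signature verification fails" while `SignatureVerificationBindOutput` says only "on unsigned images"; align them and make explicit that `false` turns a failed verification, not just a missing signature, into a non-blocking result. Since `bind` takes an `IGrantable`, its summary ("Returns the signature verification configuration") should also say which permissions, if any, are granted to the grantee for the KMS and Notation paths. Lastly, `SignatureOnlyConfigOptions` is declared as a datatype with no properties; if it is a placeholder for future options, say so in its summary.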