cdk-nag

Check CDK v2 applications for best practices using a combination of available rule packs.

import { CfnResource, IAspect } from 'aws-cdk-lib';
import { IConstruct } from 'constructs';
import { INagSuppressionIgnore } from './ignore-suppression-conditions';
import { NagPackSuppression } from './models/nag-suppression';
import { INagLogger, NagReportFormat } from './nag-logger';
import { NagMessageLevel, NagRuleResult } from './nag-rules';

/**
 * Configuration accepted by the {@link NagPack} constructor.
 *
 * Every property is optional and read-only. The defaults quoted below are the
 * ones stated by the package; this declaration file does not itself encode them.
 */
export interface NagPackProps {
    /**
     * Whether or not to enable extended explanatory descriptions on warning,
     * error, and logged ignore messages (default: false).
     */
    readonly verbose?: boolean;
    /**
     * Whether or not to log suppressed rule violations as informational
     * messages (default: false).
     *
     * With the default, a suppressed violation produces no informational
     * message; turn this on when suppressions need to be visible for review.
     */
    readonly logIgnores?: boolean;
    /**
     * Whether or not to generate compliance reports for applied Stacks in the
     * App's output directory (default: true).
     */
    readonly reports?: boolean;
    /**
     * If reports are enabled, the output formats of compliance reports in the
     * App's output directory (default: only CSV).
     */
    readonly reportFormats?: NagReportFormat[];
    /**
     * Conditionally prevent rules from being suppressed (default: no user
     * provided condition).
     *
     * This is the user-supplied hook for refusing suppressions; without it, no
     * user condition restricts which suppressions are honoured.
     */
    readonly suppressionIgnoreCondition?: INagSuppressionIgnore;
    /**
     * Additional NagLoggers for logging rule validation outputs.
     */
    readonly additionalLoggers?: INagLogger[];
}

/**
 * Parameter object for {@link NagPack.applyRule}: the rule metadata, the
 * resource under test and the rule callback, bundled into one interface for
 * JSII interoperability.
 */
export interface IApplyRule {
    /**
     * Override for the suffix of the Rule ID for this rule.
     */
    ruleSuffixOverride?: string;
    /**
     * Why the rule was triggered.
     */
    info: string;
    /**
     * Why the rule exists.
     */
    explanation: string;
    /**
     * The annotations message level to apply to the rule if triggered.
     */
    level: NagMessageLevel;
    /**
     * A condition in which a suppression should be ignored.
     *
     * NOTE(review): how this per-rule condition combines with the pack-level
     * and user-level conditions held by NagPack is not visible in this
     * declaration file; confirm against the implementation.
     */
    ignoreSuppressionCondition?: INagSuppressionIgnore;
    /**
     * The CfnResource to check.
     */
    node: CfnResource;
    /**
     * The callback to the rule.
     * @param node The CfnResource to check.
     * @returns The rule's result for that resource, as a NagRuleResult.
     */
    rule(node: CfnResource): NagRuleResult;
}

/**
 * Base class for all rule packs.
 *
 * A pack is a CDK aspect (it implements IAspect); concrete packs must provide
 * {@link NagPack.visit}. Only the type surface is declared here, so the notes
 * below describe signatures, not implementation behaviour.
 */
export declare abstract class NagPack implements IAspect {
    // Loggers that receive rule validation output. Presumably includes
    // NagPackProps.additionalLoggers; confirm in the implementation.
    protected loggers: INagLogger[];
    // Name of the rule pack; the declaration does not show where it is set.
    protected packName: string;
    // Optional suppression-ignore condition attributed to the user. Presumably
    // taken from NagPackProps.suppressionIgnoreCondition; confirm.
    protected userGlobalSuppressionIgnore?: INagSuppressionIgnore;
    // Optional suppression-ignore condition attributed to the pack itself.
    protected packGlobalSuppressionIgnore?: INagSuppressionIgnore;
    /**
     * @param props Optional pack configuration; see {@link NagPackProps}.
     */
    constructor(props?: NagPackProps);
    /**
     * Read-only accessor for the pack name (presumably returns `packName`;
     * confirm in the implementation).
     */
    get readPackName(): string;
    /**
     * All aspects can visit an IConstruct.
     * @param node The construct being visited.
     */
    abstract visit(node: IConstruct): void;
    /**
     * Create a rule to be used in the NagPack.
     * @param params The {@link IApplyRule} object with rule details.
     */
    protected applyRule(params: IApplyRule): void;
    /**
     * Check whether a specific rule should be ignored.
     *
     * The parameters are documented in signature order; note that `findingId`
     * precedes `resource`.
     * @param suppressions The suppressions listed in the cdk-nag metadata.
     * @param ruleId The id of the rule to ignore.
     * @param findingId The id of the finding that is being checked.
     * @param resource The resource being evaluated.
     * @param level The message level associated with the rule (presumably
     * IApplyRule.level; confirm against the caller).
     * @param ignoreSuppressionCondition Optional condition in which a
     * suppression should be ignored (presumably the per-rule condition from
     * IApplyRule; confirm against the caller).
     * @returns The reason the rule was ignored, or an empty string.
     */
    protected ignoreRule(
        suppressions: NagPackSuppression[],
        ruleId: string,
        findingId: string,
        resource: CfnResource,
        level: NagMessageLevel,
        ignoreSuppressionCondition?: INagSuppressionIgnore
    ): string;
    // Private members: the declaration file lists their names only, without
    // signatures, so nothing about their behaviour can be stated from here.
    private isNonCompliant;
    private asFindings;
}