/**
 * Pattern definitions for detecting sensitive data in CloudFormation resources.
 *
 * IMPORTANT: These patterns are designed to catch hardcoded secrets while
 * allowing secure references (Secrets Manager, SSM Parameter Store, etc.)
 *
 * This is a declaration file: only the exported names and their types are
 * visible here. The pattern contents, and the order in which the helpers
 * below consult them, live in the implementation. Every allow-list exported
 * here (safe references, placeholders, never-sensitive names, CDK-generated
 * names, structured paths) suppresses a finding outright, so each one trades
 * a class of false positives for a class of false negatives; the notes on
 * each export say which.
 */

/**
 * Property name patterns that suggest sensitive data (case-insensitive).
 * If a property name matches these patterns AND the value is a hardcoded string
 * (not a dynamic reference), it will be flagged.
 *
 * NOTE(review): as a RegExp list this presumably matches by RegExp test, so an
 * unanchored pattern matches a substring of the property name rather than the
 * whole name — confirm against the implementation before relying on
 * exact-name semantics.
 */
export declare const SENSITIVE_PROPERTY_NAME_PATTERNS: RegExp[];

/**
 * Value patterns that indicate a secret (even if the property name doesn't suggest it).
 * These are patterns for known secret formats.
 *
 * Together with the entropy heuristic mentioned below, these are what catch a
 * secret stored under a property name that SENSITIVE_PROPERTY_NAME_PATTERNS
 * does not recognise, so keep each entry tied to a specific token format.
 */
export declare const SENSITIVE_VALUE_PATTERNS: RegExp[];

/**
 * Safe patterns that indicate secure secret handling.
 * If a value matches any of these patterns, it will NOT be flagged even if
 * the property name suggests sensitive data.
 *
 * NOTE(review): because a match here wins over the property-name check, these
 * patterns should match the whole reference (anchored), not merely a
 * substring — otherwise a literal that happens to contain a reference-like
 * fragment is suppressed. Whether the implementation anchors them is not
 * visible here; verify.
 */
export declare const SAFE_REFERENCE_PATTERNS: RegExp[];

/**
 * Placeholder values that should not be flagged.
 * These are common patterns developers use as placeholders.
 *
 * NOTE(review): same suppression semantics as SAFE_REFERENCE_PATTERNS — a
 * match short-circuits the finding, so a pattern that is too loose (a short
 * common word matched as a substring) hides real secrets. Prefer whole-value
 * matches; confirm in the implementation.
 */
export declare const PLACEHOLDER_PATTERNS: RegExp[];

/**
 * Property names whose values are categorically non-sensitive regardless
 * of their shape. These are CloudFormation resource identifiers (names,
 * IDs) and human-readable metadata (descriptions, labels) — the values
 * may look entropy-ish (auto-generated hashes in CDK resource names,
 * long English alarm descriptions) but never contain secret material.
 *
 * If the scanner is tempted to flag one of these by its value alone,
 * short-circuit: the property name is load-bearing and tells us the
 * answer already.
 *
 * Case-insensitive exact-match only — if you want substring behaviour
 * use SENSITIVE_PROPERTY_NAME_PATTERNS.
 *
 * NOTE(review): "exact-match" for a RegExp[] presumably means each entry is
 * anchored (^…$) with the i flag — confirm. This is name-based suppression:
 * a secret that a template author puts into one of these properties is
 * deliberately not scanned, which is the accepted trade-off.
 */
export declare const NEVER_SENSITIVE_PROPERTY_NAMES: RegExp[];

/**
 * CDK auto-generates resource names by concatenating the stack name,
 * construct path, and an eight-hex-char deterministic hash. The result
 * looks like `CognitoAuthRoledevDefaultPolicy48B1EEFF` — mixed case,
 * alphanumeric, >16 chars, satisfies the entropy heuristic, but is not
 * a secret. Every CDK stack produces these for every IAM DefaultPolicy,
 * Lambda ServiceRole, etc., so this is a universal false-positive
 * shape worth calling out explicitly.
 *
 * Matches: any string ending with a recognised CDK naming suffix
 * followed by an 8+ hex character hash.
 *
 * NOTE(review): this suppression is purely shape-based — a value that ends
 * with a recognised suffix plus hex is not checked further. Keep the set of
 * recognised suffixes narrow (real CDK construct names) so the shape stays
 * specific; the suffix list itself is not visible here.
 */
export declare const CDK_GENERATED_NAME_PATTERN: RegExp;

/**
 * Property paths (relative to a CloudFormation resource's Properties
 * block) whose values are structured payloads — JSON blobs, state
 * machine definitions, custom-resource handler config. Scanning these
 * as raw strings trips the entropy heuristic because well-formed JSON
 * is lexically dense. These are known-safe by construction.
 *
 * NOTE(review): the suffix only tells us the value is *structured*, not that
 * it contains no secrets — a state machine definition or custom-resource
 * config can embed a literal credential. Values under these paths are
 * skipped as raw strings; whether the implementation still parses the JSON
 * and scans its leaf strings is not visible here. Confirm, otherwise treat
 * this list as a deliberate blind spot rather than "safe by construction".
 */
export declare const NON_SENSITIVE_STRUCTURED_PATH_SUFFIXES: RegExp[];

/**
 * Check if a property name is categorically non-sensitive regardless
 * of its value. Used to short-circuit the scanner on well-known
 * CloudFormation name/description properties.
 *
 * Presumably consults NEVER_SENSITIVE_PROPERTY_NAMES (body not in this file).
 *
 * @param propertyName - the CloudFormation property name being scanned
 * @returns true when the name is on the never-sensitive list
 */
export declare const isAlwaysNonSensitiveProperty: (propertyName: string) => boolean;

/**
 * Check if a value looks like a CDK-auto-generated resource name.
 * Relies on CDK's naming convention (construct path + 8+ char hash
 * suffix) to identify synth-time identifiers that would otherwise
 * trip the entropy check.
 *
 * Presumably tests the value against CDK_GENERATED_NAME_PATTERN.
 *
 * @param value - the raw string value being scanned
 * @returns true when the value has the CDK-generated-name shape
 */
export declare const isCdkGeneratedName: (value: string) => boolean;

/**
 * Check if a property path references a known structured payload
 * (JSON blob, state machine definition, custom resource config) whose
 * value is non-sensitive by construction.
 *
 * Presumably matches the path against NON_SENSITIVE_STRUCTURED_PATH_SUFFIXES;
 * see the caveat on that export — a true result here means "do not scan as
 * a raw string", not "cannot contain a secret".
 *
 * @param propertyPath - the property path relative to the resource's Properties block
 * @returns true when the path ends with a recognised structured-payload suffix
 */
export declare const isNonSensitiveStructuredPath: (propertyPath: string) => boolean;

/**
 * Check if a property name suggests sensitive data
 *
 * @param propertyName - the CloudFormation property name being scanned
 * @returns true when the name matches SENSITIVE_PROPERTY_NAME_PATTERNS (presumably)
 */
export declare const isSensitivePropertyName: (propertyName: string) => boolean;

/**
 * Check if a value matches a known secret pattern
 *
 * @param value - the raw string value being scanned
 * @returns true when the value has the shape of a known secret format
 */
export declare const matchesSecretValuePattern: (value: string) => boolean;

/**
 * Check if a value is a safe reference (Secrets Manager, SSM, CDK token, etc.)
 *
 * A true result suppresses the finding, so the anchoring caveat on
 * SAFE_REFERENCE_PATTERNS applies to callers of this helper too.
 *
 * @param value - the raw string value being scanned
 * @returns true when the value is a reference resolved outside the template
 */
export declare const isSafeReference: (value: string) => boolean;

/**
 * Check if a value is a placeholder
 *
 * @param value - the raw string value being scanned
 * @returns true when the value matches a placeholder pattern (finding is suppressed)
 */
export declare const isPlaceholderValue: (value: string) => boolean;

/**
 * Check if a value is an object with CloudFormation intrinsic functions
 * These are safe because they're resolved at deploy time
 *
 * NOTE(review): intrinsic arguments can still carry literals — a `Fn::Join`
 * or `Fn::Sub` whose parts include a hardcoded secret is resolved at deploy
 * time but the secret is already in the template. Treating the whole object
 * as safe only holds if the scanner descends into the intrinsic's arguments;
 * whether it does is not visible here. Confirm.
 *
 * @param value - any property value; takes unknown because the scanner walks
 *   arbitrary template JSON
 * @returns true when the value is an intrinsic-function object
 */
export declare const isCloudFormationIntrinsic: (value: unknown) => boolean;

/**
 * Get the pattern category that matched a property name
 *
 * @param propertyName - the CloudFormation property name being scanned
 * @returns the category label for the matching sensitive-name pattern
 *   (presumably paired with an entry in SENSITIVE_PROPERTY_NAME_PATTERNS),
 *   or null when the name matches none
 */
export declare const getPropertyNameCategory: (propertyName: string) => string | null;