/** * Types for sensitive data detection in CloudFormation resources. * This module detects potential secrets (API keys, passwords, tokens) before * they are sent to the CDK Insights backend for AI analysis. */ import type { Severity, WAFPillars } from '../../types/analysis.types'; /** * Reason why a value was flagged as potentially sensitive */ export type DetectionReason = 'property_name' | 'value_pattern' | 'high_entropy'; /** * A single sensitive data finding within a resource */ export interface SensitiveDataFinding { /** The full path to the property (e.g., "Environment.Variables.API_KEY") */ propertyPath: string; /** The property name that was flagged (e.g., "API_KEY") */ propertyName: string; /** Why this was flagged as sensitive */ detectionReason: DetectionReason; /** Human-readable explanation of why this was flagged */ detectionReasonMessage: string; /** Recommended secure alternative */ recommendation: string; /** * Diagnostic metadata about the flagged value. Populated so users can * triage findings without the scanner revealing the full value. */ diagnostics?: SensitiveDataDiagnostics; } /** * Privacy-preserving diagnostic metadata attached to each finding. * * The scanner must never emit the full flagged value (it's potentially * a real secret). But users triaging false positives need enough signal * to recognise what was flagged — especially important for CDK-generated * names and other structural false positives where the length + shape * immediately identifies the value. The fields here walk that line. */ export interface SensitiveDataDiagnostics { /** Length of the flagged value in characters */ valueLength: number; /** * Partial preview: first 4 and last 4 chars joined by an ellipsis * (e.g. `Cogn…EEFF`) when the value is long enough for this to be * safe. Returns null for values under 20 chars — too short to reveal * any portion safely. */ valueShape: string | null; /** Shannon entropy in bits/char (only set for high_entropy detections) */ entropy?: number; /** The threshold the entropy exceeded */ entropyThreshold?: number; /** Which sensitive-property-name pattern matched (property_name detections) */ matchedPropertyPattern?: string; /** Which secret-value pattern matched (value_pattern detections) */ matchedValuePattern?: string; } /** * Result of scanning a single resource for sensitive data */ export interface SensitiveDataDetectionResult { /** Whether any sensitive data was found */ hasSensitiveData: boolean; /** The resource ID */ resourceId: string; /** The CloudFormation resource type (e.g., "AWS::Lambda::Function") */ resourceType: string; /** List of sensitive data findings (multiple properties may be flagged) */ findings: SensitiveDataFinding[]; } /** * Options for sensitive data detection */ export interface SensitiveDataDetectionOptions { /** If true, detection is disabled and all resources are treated as safe */ disabled?: boolean; /** Custom property name patterns to ignore (in addition to safe patterns) */ ignoreProperties?: string[]; /** Custom value patterns to treat as safe */ allowPatterns?: string[]; /** If true, use stricter entropy thresholds (more false positives) */ strictMode?: boolean; } /** * Configuration for how to handle sensitive data findings */ export interface SensitiveDataHandlingConfig { /** If true, warn about sensitive data but don't fail (--warn-sensitive) */ warnOnly: boolean; } /** * Summary of sensitive data detection across all resources */ export interface SensitiveDataSummary { /** Total number of resources scanned */ totalResourcesScanned: number; /** Number of resources with sensitive data detected */ resourcesWithSensitiveData: number; /** Total number of sensitive findings across all resources */ totalFindings: number; /** Whether any resources were skipped from AI analysis */ hasSkippedResources: boolean; /** List of resource IDs that were skipped */ skippedResourceIds: string[]; /** All detection results */ detectionResults: SensitiveDataDetectionResult[]; } /** * Constants for sensitive data detection */ export declare const SENSITIVE_DATA_CONSTANTS: { /** WAF pillar for sensitive data findings */ readonly WAF_PILLAR: WAFPillars; /** Rule ID prefix for sensitive data findings */ readonly RULE_ID_PREFIX: "CDK-INSIGHTS-SENSITIVE"; /** Found by identifier */ readonly FOUND_BY: "cdkInsights"; }; /** * Severity ladder for sensitive-data findings. * * Entropy is a weak prior — a string being lexically dense ("high entropy") * says nothing about whether it's a secret. JSON blobs, partner identifiers, * CDK-generated names, base64 config all trip the entropy heuristic. Using * CRITICAL as the flat severity made every false positive block a deploy; * this ladder requires stronger evidence for stronger severity. * * Ladder: * - value_pattern (AKIA…, sk_live_…, PEM header, JWT shape) → CRITICAL * High-confidence regex match against a known secret format. * - property_name (Api_Key, Password, Token, *Secret) → HIGH * Name smells like a secret; value may or may not be one. * - high_entropy (entropy-only, no other signal) → MEDIUM * Weakest signal; advisory. Does not block `fail-on: high/critical`. */ export declare const severityForDetectionReason: (reason: DetectionReason) => Severity; /** * Severity for a consolidated finding (multiple reasons across one * resource). Picks the highest severity on the ladder so a single * confirmed secret in a resource still surfaces as CRITICAL even when * other findings in the same resource are only entropy-based. */ export declare const consolidatedSeverity: (findings: readonly SensitiveDataFinding[]) => Severity;