import type { ConstructMetadata } from '../analysis/static/solutionConstructs/loadConstructMetadata'; import type { AWSServiceChecks } from '../functions/factories/awsServices'; export type ServiceCheckKey = Exclude; export type SpecificServiceName = 'IAM' | 'S3' | 'Lambda' | 'DynamoDB' | 'RDS' | 'EC2' | 'SNS' | 'SQS' | 'StepFunctions' | 'CloudTrail' | 'ApiGateway' | 'SecretsManager' | 'KMS' | 'EventBridge' | 'CloudFront' | 'ELB' | 'ECS' | 'Cognito' | 'WAF' | 'CloudWatch' | 'Route53' | 'ElastiCache' | 'ECR' | 'OpenSearch' | 'ACM' | 'Backup' | 'VPC' | 'Kinesis' | 'AppSync' | 'EKS' | 'Redshift' | 'MSK' | 'Glue' | 'EFS' | 'AutoScaling'; export type ServiceName = 'All services' | SpecificServiceName; export type RunAnalysisTypes = { stacks: Record; inlineFindings: Issue[]; pathToLogicalId: Record; output: string; recommendationMapPerStack: Record>; assetSourcePaths?: Record; failOnCritical?: boolean; fingerprint?: string; redact?: boolean; withIssue?: boolean; services?: ServiceName[]; summaryOnly?: boolean; ruleFilter?: string[]; authToken?: string; /** * --diff: fingerprints from a saved baseline that should be excluded from * the rendered report and from fail-on-critical evaluation. */ baselineExclude?: Set; /** * --writeBaseline: a Set the analysis fills with every issue's fingerprint * so the caller can write a fresh baseline file at the end of the run. * Populated even when baselineExclude is also set, so it represents the * full pre-diff state. */ collectFingerprints?: Set; /** * Don't render per-stack or consolidated output (table/json/markdown). * Used by --writeBaseline since the operator wants a fingerprint * snapshot, not a full report. */ skipRendering?: boolean; ignoreRules?: string[]; ignorePaths?: string[]; acknowledgementsPerStack?: Record; tier?: 'free' | 'pro' | 'team' | 'trial'; noCache?: boolean; allowOveruse?: boolean; warnSensitive?: boolean; sensitiveDataDetection?: Record; cache?: { enabled?: boolean; ttl?: number; maxSize?: number; }; quotaValidation?: unknown; cdkContext?: Record; resourceIdMetadata?: Record; aiModelId?: string; aiBatchSize?: number; }; export type Severity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW'; /** * A CDK Mixin that was applied to a construct during synth, recovered from * the `aws:cdk:analytics:mixin` metadata that aws-cdk-lib writes for every * successful `.with()` / `Mixins.of(scope).apply(...)` call. * * Built-in mixins carry their jsii FQN (e.g. * `aws-cdk-lib.aws_s3.mixins.BucketVersioning`). User-defined mixins are * reported by aws-cdk-lib as the literal `'*'` (anonymised for analytics * privacy); cdk-insights surfaces those as `isCustom: true` so reviewers * still see that *some* mixin touched the construct even if its identity * is opaque. */ export type AppliedMixin = { fqn: string; isCustom: boolean; }; export type WAFPillars = 'Operational Excellence' | 'Security' | 'Cost Optimization' | 'Reliability' | 'Performance Efficiency' | 'Sustainability'; export type WAFIssueCount = Record; export type Issue = { resourceId: string; issue: string; recommendation?: string; severity: Severity; wafPillar: WAFPillars; foundBy: 'cdkNag' | 'cdkInsights' | 'validationReport'; /** * Originating plugin when `foundBy === 'validationReport'`. Either a * registered validation plugin name (e.g. a third-party policy validator) * or 'Construct Annotations' when the finding came from a user-written * `Annotations.of(scope).addError/Warning(...)` call. */ validationPluginName?: string; /** * True when this finding was also surfaced by `cdk synth` via the CDK * validation report (aws-cdk-lib >= 2.253). Used so the markdown report * can flag duplicates the user has already seen rather than re-reporting * the same issue twice. */ seenInSynth?: boolean; constructName?: string; resourceName?: string; friendlyName?: string; displayName?: string; locationHint?: string; codeSnippet?: string; constructPath?: string; constructType?: string; /** * CDK construct level inferred from the construct's FQN. Lets renderers, * AI prompts, and consumers reason about whether a finding is on a raw * `Cfn*` escape hatch (high-confidence user choice), a curated L2, or a * resource owned by an L3 pattern (often deliberately configured). */ constructLevel?: 'L1' | 'L2' | 'L3-aws-solutions' | 'L3-third-party' | 'L3-custom' | 'unknown'; /** * Fully-qualified construct type name from the CDK manifest, e.g. * `aws-cdk-lib.aws_s3.Bucket`. Useful for richer findings or per-construct * version checks. */ fqn?: string; githubUrl?: string; docUrl?: string; sourceLocation?: { filePath: string; line: number; column: number; confidence: 'high' | 'medium' | 'low'; /** * Full user-side frame list when CDK 2.252+ Box traces are available. * `frames[0]` mirrors filePath/line/column; subsequent frames are * secondary call sites (e.g., the construct constructor when the * primary is a property setter). Renderers may surface these as SARIF * relatedLocations, PR-comment "deferred from" lines, or AI prompt * context. Absent on older CDKs or when no trace was available. */ frames?: Frame[]; }; stackName?: string; stackId?: string; timestamp?: string; ruleId?: string; context?: { property?: string; value?: string; expected?: string; /** * Privacy-preserving per-finding diagnostics (entropy score, * value shape, matched pattern). Populated by the sensitive-data * scanner so downstream tooling can surface why a value was flagged * without ever exposing the value itself. */ diagnostics?: Array>; }; /** AI confidence score (1-10) for AI-generated findings. 10 = absolutely certain, 1 = speculative */ aiConfidence?: number; }; export type IssueGroup = { resourceId: string; friendlyName: string; cdkPath: string; isGenerated: boolean; sources: { cdkInsights: { issues: Issue[]; }; cdkNag: { issues: Issue[]; }; /** * Findings originating from CDK's post-synth validation report — * third-party policy plugins and user-written `Annotations.of(...) * .addError/Warning(...)` calls. Findings emitted by CDK Insights' own * Validations plugin are matched against `cdkInsights` issues and used * to set `seenInSynth: true`; they don't appear here. */ validationReport?: { issues: Issue[]; }; }; constructName?: string; resourceName?: string; displayName?: string; type?: string; locationHint?: string; githubUrl?: string; docUrl?: string; children?: Record; parentPath?: string; childCount?: number; tags?: Record; constructType?: string; sourceLocation?: { filePath: string; line: number; column: number; endLine?: number; endColumn?: number; confidence?: 'high' | 'medium' | 'low'; method?: string; enclosingScope?: string; codeSnippet?: string; }; constructHierarchy?: Array<{ id: string; type: string; fqn?: string; }>; logicalId?: string; serviceCategory?: string; dependencies?: string[]; dependents?: string[]; sensitiveProperties?: Array<{ path: string; value: string | boolean | number | null; isDefault?: boolean; recommendation?: string; }>; usesDefaults?: boolean; l2ConstructType?: string; l2ConstructId?: string; /** Human-readable description of what created this resource */ createdBy?: string; /** Source location of the nearest ancestor with a known location */ rootSourceLocation?: { filePath: string; line: number; column: number; confidence?: 'high' | 'medium' | 'low'; method?: string; enclosingScope?: string; codeSnippet?: string; }; /** Search hint to help users find this resource in their code */ searchHint?: string; /** * CDK Mixins applied to this construct during synth. Empty/undefined when * the user is on aws-cdk-lib without mixin support (< 2.230) or the * construct had no mixin applications. */ appliedMixins?: AppliedMixin[]; }; export type Summary = { totalResources: number; totalIssues: number; severityCounts: Record; wafIssues: Record; generatedBy: string; generatedAt: string; }; export type Report = { summary: Summary; recommendations: Record; }; export type Recommendations = { [resourceId: string]: { issues: Issue[]; }; }; export type Recommendation = { resourceId: string; issue: string; severity: Severity; wafPillar: WAFPillars; recommendation?: string; issueLocation?: string; locationHint?: string; sources?: { cdkInsights?: { issues: Issue[]; }; cdkNag?: { issues: Issue[]; }; }; constructDocs?: string; constructGitHub?: string; }; export type RecommendationMap = { [resourceId: string]: IssueGroup; }; export type ReportRecommendation = Omit; export type SingleResourceAnalysis = { resourceId: string; issues: Issue[]; resourceName?: string; }; export type AnalysisResults = Record; export type AnalysisResult = { [resourceId: string]: { issues: Issue[]; resourceName?: string; }; }; export type InitiateAnalysisResponse = { jobId: string; }; export type PollJobStatusResponse = { status: 'completed' | 'failed' | 'processing'; result?: AnalysisResult; error?: string; }; export type Policy = { PolicyDocument: { Statement: StatementParameter[]; }; }; export type StatementParameter = { Effect?: string; Action?: string | string[]; Resource?: string | string[]; Principal?: string | { [key: string]: string | string[]; }; }; /** * Helper type for safe property access on CloudFormation resources * Use this instead of 'as any' when accessing dynamic properties */ export type CloudFormationResourceProperties = { Name?: string; ResourceName?: string; FunctionName?: string; IsLogging?: boolean; AccessPolicies?: string[]; BillingMode?: string; Attachments?: { TargetGroupArn?: string; TargetType?: string; Port?: number; Protocol?: string; HealthCheckProtocol?: string; InstanceId?: string; Device?: string; }[]; ProvisionedThroughput?: { ReadCapacityUnits?: number; WriteCapacityUnits?: number; }; SubnetRouteTableAssociations?: { RouteTableId?: string; SubnetId?: string; Ref?: string; }[]; TableName?: string; AllocationId?: { [key: string]: string[]; }; SubnetId?: { Ref?: string; }; MemorySize?: number; InstanceType?: string; StreamSpecification?: { StreamViewType?: string; }; StorageEncrypted?: boolean; EndpointConfiguration?: { Types?: string[]; }; BucketName?: string; MultiAZ?: boolean; StorageType?: string; SecurityGroupIngress?: { CidrIp?: string; CidrIpv6?: string; IpProtocol: string; FromPort: number; ToPort: number; }[]; State?: string; Engine?: string; EngineVersion?: string; Policies?: Policy[]; KeyPolicy?: { Statement: StatementParameter[]; }; Environment?: { Variables?: Record; }; PublicPolicy?: { Statement: StatementParameter[]; }; Definition?: string | { States?: Record; }; AttributeDefinitions?: { AttributeName?: string; AttributeType?: string; }[]; KeySchema?: { AttributeName?: string; KeyType?: string; }[]; Size?: number; AvailabilityZone?: string; Encrypted?: boolean; VolumeType?: string; KmsKeyId?: string; RoleArn?: string; LoggingConfiguration?: { Level?: string; IncludeExecutionData?: boolean; Destinations?: { CloudWatchLogsLogGroup?: { LogGroupArn?: string; }; }[]; }; Code?: { S3Bucket?: string; S3Key?: string; ZipFile?: string; }; Handler?: string; Role?: string; Runtime?: string; QueueName?: string; DisplayName?: string; KmsMasterKeyId?: string; BucketEncryption?: { ServerSideEncryptionConfiguration?: { ServerSideEncryptionByDefault?: { SSEAlgorithm: string; }[]; }[]; }; IntelligentTieringConfigurations?: { Id?: string; Prefix?: string; Status?: string; Tierings?: { AccessTier?: string; Days?: number; }[]; }[]; PublicAccessBlockConfiguration?: { BlockPublicAcls?: boolean; BlockPublicPolicy?: boolean; IgnorePublicAcls?: boolean; RestrictPublicBuckets?: boolean; }; VersioningConfiguration?: { Status?: string; }; Actions?: { TargetGroupArn?: string; Type?: string; RedirectConfig?: { Protocol?: string; StatusCode?: string; }; }[]; DefaultActions?: { TargetGroupArn?: string; Type?: string; RedirectConfig?: { Protocol?: string; StatusCode?: string; }; }[]; Principal?: string | { [key: string]: string | string[]; }; Uri?: string; TopicRulePayload?: { actions?: Record[]; }; Protocol?: string; TemplateURL?: string | string[]; DistributionConfig?: { DefaultCacheBehavior?: { ViewerProtocolPolicy?: 'allow-all' | 'https-only' | 'redirect-to-https'; CachePolicyId?: string; }; WebACLId?: string; Logging?: { Bucket?: string; Enabled?: boolean; Prefix?: string; }; ViewerCertificate?: { MinimumProtocolVersion?: string; CloudFrontDefaultCertificate?: boolean; }; Origins?: { DomainName?: string; S3OriginConfig?: { OriginAccessIdentity?: string; }; }[]; }; LoadBalancerAttributes?: { Key?: string; Value?: string; }[]; Scheme?: string; SecurityGroups?: string[]; Subnets?: string[]; SslPolicy?: string; Port?: number; Certificates?: { CertificateArn?: string; }[]; ContainerDefinitions?: { Name?: string; Image?: string; Secrets?: { Name?: string; ValueFrom?: string; }[]; Environment?: { Name?: string; Value?: string; }[]; LogConfiguration?: { LogDriver?: string; Options?: Record; }; Cpu?: number; Memory?: number; MemoryReservation?: number; }[]; RequiresCompatibilities?: string[]; ExecutionRoleArn?: string; TaskRoleArn?: string; ServiceConnectConfiguration?: { Enabled?: boolean; Namespace?: string; LogConfiguration?: { LogDriver?: string; Options?: Record; SecretOptions?: { Name?: string; ValueFrom?: string; }[]; }; Services?: { PortName?: string; DiscoveryName?: string; ClientAliases?: { Port?: number; DnsName?: string; }[]; }[]; }; MfaConfiguration?: 'OFF' | 'ON' | 'OPTIONAL'; UserPoolAddOns?: { AdvancedSecurityMode?: 'OFF' | 'AUDIT' | 'ENFORCED'; }; PasswordPolicy?: { MinimumLength?: number; RequireUppercase?: boolean; RequireLowercase?: boolean; RequireNumbers?: boolean; RequireSymbols?: boolean; TemporaryPasswordValidityDays?: number; }; ReservedConcurrentExecutions?: number; DeadLetterConfig?: { TargetArn?: string; }; VpcConfig?: { SubnetIds?: string[]; SecurityGroupIds?: string[]; }; Timeout?: number; SecurityGroupEgress?: { CidrIp?: string; CidrIpv6?: string; IpProtocol: string; FromPort?: number; ToPort?: number; }[]; PubliclyAccessible?: boolean; BackupRetentionPeriod?: number; DBParameterGroupName?: string; DeletionProtection?: boolean; LifecycleConfiguration?: { Rules?: { Status?: string; Transitions?: { StorageClass?: string; TransitionInDays?: number; }[]; ExpirationInDays?: number; }[]; }; ReplicationConfiguration?: { Role?: string; Rules?: { Status?: string; Destination?: { Bucket?: string; }; }[]; }; S3LoggingConfiguration?: { DestinationBucketName?: string; LogFilePrefix?: string; }; DefaultAction?: { Allow?: Record; Block?: Record; }; VisibilityConfig?: { CloudWatchMetricsEnabled?: boolean; SampledRequestsEnabled?: boolean; MetricName?: string; }; Rules?: Array<{ Name?: string; Priority?: number; Statement?: Record; Action?: Record; VisibilityConfig?: Record; }>; ResourceArn?: string | { Ref?: string; 'Fn::GetAtt'?: string[]; }; RetentionInDays?: number; AlarmActions?: string[]; OKActions?: string[]; InsufficientDataActions?: string[]; TreatMissingData?: string; HostedZoneId?: string | { Ref?: string; }; HostedZoneConfig?: { Comment?: string; }; HealthCheckConfig?: { Type?: string; RequestInterval?: number; FailureThreshold?: number; ResourcePath?: string; FullyQualifiedDomainName?: string; }; AuthToken?: string; TransitEncryptionEnabled?: boolean; AtRestEncryptionEnabled?: boolean; AutomaticFailoverEnabled?: boolean; NumNodeGroups?: number; ReplicasPerNodeGroup?: number; MultiAZEnabled?: boolean; ImageScanningConfiguration?: { ScanOnPush?: boolean; }; LifecyclePolicy?: { LifecyclePolicyText?: string; RegistryId?: string; }; ImageTagMutability?: string; EncryptionAtRestOptions?: { Enabled?: boolean; KmsKeyId?: string; }; NodeToNodeEncryptionOptions?: { Enabled?: boolean; }; AdvancedSecurityOptions?: { Enabled?: boolean; InternalUserDatabaseEnabled?: boolean; MasterUserOptions?: Record; }; VPCOptions?: { SubnetIds?: string[]; SecurityGroupIds?: string[]; }; LogPublishingOptions?: { AUDIT_LOGS?: { CloudWatchLogsLogGroupArn?: string; Enabled?: boolean; }; ES_APPLICATION_LOGS?: { CloudWatchLogsLogGroupArn?: string; Enabled?: boolean; }; SEARCH_SLOW_LOGS?: { CloudWatchLogsLogGroupArn?: string; Enabled?: boolean; }; INDEX_SLOW_LOGS?: { CloudWatchLogsLogGroupArn?: string; Enabled?: boolean; }; }; ValidationMethod?: string; CertificateTransparencyLoggingPreference?: string; BackupPlan?: { BackupPlanName?: string; BackupPlanRule?: Array<{ RuleName?: string; TargetBackupVault?: string; ScheduleExpression?: string; StartWindowMinutes?: number; CompletionWindowMinutes?: number; Lifecycle?: { DeleteAfterDays?: number; MoveToColdStorageAfterDays?: number; }; CopyActions?: Array<{ DestinationBackupVaultArn?: string; Lifecycle?: { DeleteAfterDays?: number; MoveToColdStorageAfterDays?: number; }; }>; }>; }; BackupVaultName?: string | { Ref?: string; }; EncryptionKeyArn?: string | { Ref?: string; }; GroupName?: string; ResourceType?: string; ResourceId?: string | { Ref?: string; }; StreamEncryption?: { EncryptionType?: string; KeyId?: string; }; RetentionPeriodHours?: number; StreamModeDetails?: { StreamMode?: string; }; AuthenticationType?: string; AdditionalAuthenticationProviders?: Array<{ AuthenticationType?: string; OpenIDConnectConfig?: Record; UserPoolConfig?: Record; }>; LogConfig?: { CloudWatchLogsRoleArn?: string; FieldLogLevel?: string; ExcludeVerboseContent?: boolean; }; XrayEnabled?: boolean; ResourcesVpcConfig?: { EndpointPublicAccess?: boolean; EndpointPrivateAccess?: boolean; PublicAccessCidrs?: string[]; SubnetIds?: string[]; SecurityGroupIds?: string[]; }; EncryptionConfig?: Array<{ Provider?: { KeyArn?: string; }; Resources?: string[]; }>; Logging?: { ClusterLogging?: { EnabledTypes?: Array<{ Type?: string; }>; }; }; LoggingProperties?: { BucketName?: string; S3KeyPrefix?: string; }; ClientAuthentication?: { Tls?: { CertificateAuthorityArnList?: string[]; Enabled?: boolean; }; Sasl?: { Iam?: { Enabled?: boolean; }; Scram?: { Enabled?: boolean; }; }; Unauthenticated?: { Enabled?: boolean; }; }; EncryptionInfo?: { EncryptionAtRest?: { DataVolumeKMSKeyId?: string; }; EncryptionInTransit?: { ClientBroker?: string; InCluster?: boolean; }; }; LoggingInfo?: { BrokerLogs?: { CloudWatchLogs?: { Enabled?: boolean; LogGroup?: string; }; Firehose?: { Enabled?: boolean; DeliveryStream?: string; }; S3?: { Enabled?: boolean; Bucket?: string; Prefix?: string; }; }; }; ConnectionInput?: { ConnectionType?: string; PhysicalConnectionRequirements?: { AvailabilityZone?: string; SecurityGroupIdList?: string[]; SubnetId?: string; }; ConnectionProperties?: Record; }; SecurityConfiguration?: string; PermissionsBoundary?: string; AssumeRolePolicyDocument?: { Statement?: StatementParameter[]; }; ManagedPolicyArns?: string[]; [key: string]: unknown; }; /** * Get a resource name from CloudFormation resource properties */ export declare const getResourceName: (properties: CloudFormationResourceProperties | undefined) => string; export type CloudFormationResource = { Type: string; Properties?: CloudFormationResourceProperties; Metadata?: { 'aws:cdk:path'?: string; }; DependsOn?: string | string[]; Condition?: string; DeletionPolicy?: string; UpdateReplacePolicy?: string; displayName?: string; __fileHint?: string; __friendlyName?: string; __description?: string; __github?: string; __docs?: string; __constructType?: string; __stackId?: string; __sourceLocation?: { filePath: string; line: number; column: number; endLine?: number; endColumn?: number; confidence?: 'high' | 'medium' | 'low'; method?: string; enclosingScope?: string; codeSnippet?: string; }; __parentPath?: string; __childCount?: number; __tags?: Record; __metadataVersion?: string; __logicalId?: string; __constructHierarchy?: Array<{ id: string; type: string; fqn?: string; }>; __serviceCategory?: string; __dependencies?: string[]; __sensitiveProperties?: Array<{ path: string; value: string | boolean | number | null; isDefault?: boolean; recommendation?: string; }>; __usesDefaults?: boolean; __l2ConstructType?: string; __l2ConstructId?: string; __createdBy?: string; __rootSourceLocation?: { filePath: string; line: number; column: number; confidence?: 'high' | 'medium' | 'low'; method?: string; enclosingScope?: string; codeSnippet?: string; }; __searchHint?: string; /** * Mixins applied to this construct, harvested from `aws:cdk:analytics:mixin` * manifest metadata. Populated by `parseManifestMetadata`. */ __appliedMixins?: AppliedMixin[]; }; export type CloudFormationParameter = { Type: string; Default?: string | number | boolean; Description?: string; AllowedValues?: (string | number)[]; AllowedPattern?: string; ConstraintDescription?: string; }; export type CloudFormationMapping = Record>; export type CloudFormationCondition = Record; export type CloudFormationOutput = { Description?: string; Value: string | Record; Export?: { Name: string; }; }; export type BedrockResponse = { inputTextTokenCount: number; results: [ { outputText: string; tokenCount: number; completionReason?: string; } ]; outputTokens: number; }; export type AIAnalysis = { recommendations?: string[]; inputTokens?: number; outputTokens?: number; }; export type CloudFormationStack = { AWSTemplateFormatVersion?: string; Description?: string; Parameters?: Record; Resources: Record; Mappings?: Record; Conditions?: Record; Outputs?: Record; Metadata?: Record; }; export type RedactionMapping = Record; export type NagFinding = { message: string; severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL'; tracePath: string; }; /** * A single user-side stack frame extracted from a CDK trace. Box API * (aws-cdk-lib >= 2.252) tracks per-property creation sites, so a finding * may legitimately have multiple meaningful frames: the construct constructor, * the property setter, and the lazy callback that produced the value. */ export type Frame = { filePath: string; line: number; column: number; /** * What this frame represents. `creation` is the construct constructor; * `property` is a `propertyAssignment` trace from Box; `unknown` is a * generic frame from a legacy stack trace. */ kind?: 'creation' | 'property' | 'unknown'; /** Property name when kind === 'property'. */ propertyName?: string; }; export type FileHint = { filePath: string; line?: number; column?: number; /** * Full user-side frame stack when available. The first entry mirrors * `filePath`/`line`/`column`; subsequent entries are secondary call sites * (e.g., the construct constructor when the primary is a property setter). * Populated when the manifest carries Box-style multi-frame traces. */ frames?: Frame[]; }; export type ManifestEntry = { type: string; data: string | string[] | Record; }; /** * An inline acknowledgement of a cdk-insights finding, recorded by the * user via `Validations.of(scope).acknowledge({ id: 'cdk-insights::', reason })` * (aws-cdk-lib >= 2.252.0). Surfaces during synth as * `aws:cdk:acknowledged-rules` node metadata; cdk-insights treats it * as a per-(path, ruleId) suppression that composes with the * `.cdk-insights.json` `ignoreRules`/`ignorePaths` config. */ export type InlineAcknowledgement = { /** Construct path the acknowledgement was attached to (cascade root). */ constructPath: string; /** Bare cdk-insights rule ID — the `cdk-insights::` prefix is stripped. */ ruleId: string; /** User-supplied reason; preserved for audit trail. */ reason: string; }; export type ManifestArtifact = { metadata?: Record; /** * CloudAssembly v53+ (CDK 2.252+) writes per-stack metadata to a sidecar * file (`.metadata.json`) and stores its filename here instead of * inlining `metadata`. `loadManifest` follows this pointer and re-inlines * the entries so downstream consumers continue to read * `artifacts..metadata` transparently. */ additionalMetadataFile?: string; }; export type Manifest = { /** CloudAssembly schema version. */ version?: string; artifacts?: Record; }; /** * Reason AI analysis was skipped for this run, when applicable. Surfaced * in the rendered report so the user can distinguish "AI ran and found * nothing extra" (rare) from "AI didn't run at all" (which today produces * an identical-looking static-only report). * * - `cap-reached`: monthly credit allowance exhausted on the backend * - `auth`: no license key / authentication failed * - `local-mode`: user passed `--local` to force static-only * - `unavailable`: backend transient failure or no license tier supports AI */ export type AiSkippedReason = 'cap-reached' | 'auth' | 'local-mode' | 'unavailable'; export type AnalysisSummary = { totalResources: number; totalIssues: number; severityCounts: Record; wafIssues: WAFIssueCount; generatedBy: string; generatedAt: string; resourcesWithIssues: number; percentWithIssues: number; /** Set when AI analysis was unavailable for this run; renderers use it * to surface a banner so the user isn't left wondering whether AI ran * and found nothing. */ aiSkippedReason?: AiSkippedReason; }; export type SeverityCount = Record; export type CreateFindingFunction = (resourceId: string, issue: string, recommendation: string, severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL', wafPillar: WAFPillars, constructPath: string, foundBy: 'cdkNag' | 'cdkInsights') => Issue; export declare const createFinding: CreateFindingFunction; /** * Optional context passed to rule check functions. Lets rules adapt their * behaviour based on: * - The construct level of each resource (L1 escape hatches vs L2 vs L3 * patterns) — skip false positives on patterns that own their own * configuration, give level-appropriate remediation. * - The user's `cdk.json` feature flags — skip findings when CDK's own * behaviour already addresses the issue. * * Always optional. Rules that don't take advantage of context still work * unchanged with the original two-argument signature. */ export type RuleContext = { /** * Per-logical-id metadata harvested from `tree.json` (construct level, * FQN, GitHub/docs URLs). Keyed by CloudFormation logical ID. */ resourceIdMetadata?: Record; /** * The `context` block from the user's `cdk.json`. Includes CDK feature * flags (e.g. `@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy`) and * any custom user context. */ cdkContext?: Record; }; export type AWSServiceCheckFunction = (template: CloudFormationStack, createFinding: CreateFindingFunction, ruleContext?: RuleContext) => AnalysisResults; type SolutionsPatternsArgs = { template: CloudFormationStack; uriPrefix?: string; uriContains?: string; action?: string; protocol?: string; registry?: string; }; export type DetectSolutionsPatterns = (template: CloudFormationStack, registry: Record) => Issue[]; export type AWSSolutionsPatternFunction = (template: CloudFormationStack, ...extras: Extras) => boolean; type SolutionsTuple = SolutionsPatternsArgs[K] extends undefined ? [] : [NonNullable]; export type SolutionsFunctions = AWSSolutionsPatternFunction>; export type TreeNode = { id: string; attributes?: { description?: string; 'aws:cdk:cloudformation:props'?: { description?: string; }; }; children?: Record; constructInfo?: { fqn: string; version: string; metadata?: unknown[]; }; }; export type FlatNode = { logicalId?: string; path: string; fqn?: string; description?: string; }; export type AnalysisStatus = 'processing' | 'completed' | 'failed'; export interface AnalysisConfig { stacks: Record; inlineFindings: any[]; pathToLogicalId: Record; recommendationMapPerStack: Record; assetSourcePaths: Record; output: 'json' | 'table' | 'markdown' | 'summary'; services: string[]; redact: boolean; withIssue: boolean; ruleFilter: string[]; failOnCritical: boolean; aiEnabled: boolean; githubEnabled: boolean; } export {};