import type { CustomRuleDefinition } from '../rules/customRules.types'; import type { ServiceName, Severity } from '../types/analysis.types'; export interface PolicyViolatingResource { readonly resourceLogicalId: string; readonly locations: string[]; readonly templatePath: string; } export interface PolicyViolation { readonly ruleName: string; readonly description: string; readonly violatingResources: PolicyViolatingResource[]; readonly fix?: string; readonly severity?: string; readonly ruleMetadata?: { readonly [key: string]: string; }; } export interface PolicyValidationPluginReport { readonly violations: PolicyViolation[]; readonly success: boolean; readonly pluginVersion?: string; readonly metadata?: { readonly [key: string]: string; }; } export interface PolicyValidationContext { readonly templatePaths: string[]; } export interface CdkInsightsPolicyValidationPluginOptions { /** Restrict checks to these AWS services. Defaults to all services. */ readonly selectedServices?: ServiceName[]; /** Drop violations below this severity. Defaults to LOW (no filter). */ readonly minimumSeverity?: Severity; /** Reported back to CDK for analytics; arbitrary semver string. */ readonly version?: string; /** User-defined custom rules to evaluate alongside built-ins. */ readonly customRules?: CustomRuleDefinition[]; /** * Skip reading `.cdk-insights.json` from the project root. Defaults to * `false` — the plugin honours the same `ignoreRules` / `ignorePaths` the * `cdk-insights scan` command does, so plugin and CLI agree on what's a * finding. Set to `true` to opt out of project-config suppression. */ readonly ignoreProjectConfig?: boolean; /** * Skip reading inline `Validations.of(scope).acknowledge(...)` entries * from the cdk manifest. Defaults to `false`. Set to `true` to opt out * of inline-acknowledgement suppression at synth time. */ readonly ignoreInlineAcknowledgements?: boolean; /** * Working directory used to locate `.cdk-insights.json`. Defaults to * `process.cwd()`. Mostly useful for tests. */ readonly cwd?: string; /** * Emit a consolidated SARIF report into the cloud assembly (`cdk.out`) at * synth time, so `cdk synth` alone produces a GitHub Code Scanning artifact * with no separate `cdk-insights scan` run. Defaults to `false`. * * Requires aws-cdk-lib >= 2.258.0 (where validation plugins may create new * assembly files without failing the integrity check, aws/aws-cdk#38007). * On older versions the emission is silently skipped — the file is never * written, so synth is never broken. The SARIF mirrors `cdk-insights scan`: * same findings, same suppressions, same source locations. */ readonly emitSarif?: boolean; /** * File name for the emitted SARIF, relative to the cloud assembly directory. * Defaults to `cdk-insights.sarif`. Only used when `emitSarif` is `true`. */ readonly sarifFileName?: string; } /** * CDK Insights as a CDK policy validation plugin. * * Register with the v2.251.0+ `Validations` API: * ```ts * import { App, Validations } from 'aws-cdk-lib'; * import { CdkInsightsPolicyValidationPlugin } from 'cdk-insights'; * * const app = new App(); * Validations.of(app).addPlugins(new CdkInsightsPolicyValidationPlugin()); * ``` * * On older aws-cdk-lib versions, register via the constructor prop: * ```ts * new App({ policyValidationBeta1: [new CdkInsightsPolicyValidationPlugin()] }); * ``` * * The returned `PolicyViolation[]` carries no source locations (CDK renders * them from the construct path). For a GitHub Code Scanning artifact, set * `emitSarif: true` (aws-cdk-lib >= 2.258): the plugin resolves source * locations against the synth manifest — the same resolution `cdk-insights * scan` uses — and writes a consolidated `cdk-insights.sarif` into `cdk.out` * at synth time, so no separate scan run is needed. */ export declare class CdkInsightsPolicyValidationPlugin { readonly name = "cdk-insights"; readonly version?: string; readonly ruleIds: string[]; private readonly options; constructor(options?: CdkInsightsPolicyValidationPluginOptions); validate(context: PolicyValidationContext): PolicyValidationPluginReport; /** * Writes the consolidated SARIF into the cloud assembly. Hard-gated on * aws-cdk-lib >= 2.258.0: below that the assembly integrity check runs * *after* `validate()` returns and would fail synth on the new file (a * failure no local try/catch here could absorb), so we must not write at * all. Any other failure is swallowed — the artifact is best-effort and must * never break a user's synth. */ private writeSarifToAssembly; } /** Functional factory for parity with `createCdkInsightsAspect`. */ export declare const createCdkInsightsPolicyValidationPlugin: (options?: CdkInsightsPolicyValidationPluginOptions) => CdkInsightsPolicyValidationPlugin;