feat: CdkNagValidationFailure should use failing rule's ruleId as findingId #1818

Closed
1 of 2 tasks
cgatt opened this issue Oct 23, 2024 · 1 comment · Fixed by #1826
Labels
feature-request A feature should be added or improved.

Comments

@cgatt
Contributor

cgatt commented Oct 23, 2024

Description

In order to allow fine-grained suppression of CdkNagValidationFailure annotations via appliesTo in NagSuppressions, CdkNagValidationFailure should treat the rule on which the error occurred as the findingId for the message and suppression evaluation.
Further, if a suppression that has no appliesTo is already in place for the rule, the CdkNagValidationFailure should also be suppressed.

Use Case

Error suppression should be scoped as tightly as possible to avoid accidentally suppressing unexpected errors.
As an example, I have an AwsCustomResource construct, which uses Fn::FindInMap to find the latest node runtime by region. As a result, rule AwsSolutions-L1 throws an error during validation, despite being suppressed for the custom resource.
Hence I want to suppress CdkNagValidationFailure for this known and expected exception, but do not want to suppress any other validation failures on the same resource.

Proposed Solution

Modify CdkNagValidationFailure to treat the ruleId as other rules treat findingId, allowing fine-grained suppression of CdkNagValidationFailure like so:

NagSuppressions.addResourceSuppressions(
  awsCustomResource,
  [{ id: 'CdkNagValidationFailure', reason: 'lorem ipsum', appliesTo: ['AwsSolutions-L1'] }],
  true,
);

Even better, if I already have the following suppression then validation failures for that rule on the given resource would be suppressed automatically:

NagSuppressions.addResourceSuppressions(
  awsCustomResource,
  [{ id: 'AwsSolutions-L1', reason: 'lorem ipsum' }],
  true,
);

Other information

No response

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change
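The following is an added model of the suppression semantics this issue proposes (it is not cdk-nag's own NagSuppressions code): a validation failure for a rule is silenced either by a CdkNagValidationFailure suppression whose appliesTo names that rule id (or has no appliesTo), or by a blanket suppression of the rule itself; the suppression list and the NagPackSuppression shape are assumptions modelled on the issue text.

```typescript
// Added illustration of the matching rule proposed in this issue; it is a
// stand-alone model, not cdk-nag's real NagSuppressions implementation.
interface NagPackSuppression {
  id: string;           // a rule id, or the synthetic 'CdkNagValidationFailure'
  reason: string;
  appliesTo?: string[]; // optional finding ids the suppression is limited to
}

const VALIDATION_FAILURE_ID = 'CdkNagValidationFailure';

/**
 * Decide whether a CdkNagValidationFailure raised while evaluating `ruleId`
 * is suppressed, treating `ruleId` as the failure's findingId:
 *  1. a CdkNagValidationFailure suppression with no appliesTo (blanket), or
 *     whose appliesTo lists ruleId;
 *  2. a blanket suppression of the rule itself (no appliesTo). A rule
 *     suppression scoped with appliesTo is finding-specific and must NOT
 *     silence validation failures for that rule.
 */
function isValidationFailureSuppressed(
  suppressions: NagPackSuppression[],
  ruleId: string,
): boolean {
  return suppressions.some((s) => {
    if (s.id === VALIDATION_FAILURE_ID) {
      return s.appliesTo === undefined || s.appliesTo.includes(ruleId);
    }
    return s.id === ruleId && s.appliesTo === undefined;
  });
}

// Constructed sample (assumption): suppressions on the AwsCustomResource from the issue.
const sampleSuppressions: NagPackSuppression[] = [
  { id: VALIDATION_FAILURE_ID, reason: 'FindInMap runtime lookup', appliesTo: ['AwsSolutions-L1'] },
  { id: 'AwsSolutions-IAM5', reason: 'wildcard scoped by appliesTo', appliesTo: ['Resource::*'] },
];

// A failure while evaluating AwsSolutions-L1 is suppressed; one while evaluating
// AwsSolutions-IAM5 is not, because that rule's suppression is finding-scoped.
```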
@cgatt cgatt added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 23, 2024
@dontirun
Collaborator

Good idea! Looking forward to the PR

@dontirun dontirun removed the needs-triage This issue or PR still needs to be triaged. label Oct 24, 2024
@mergify mergify bot closed this as completed in #1826 Nov 7, 2024
@mergify mergify bot closed this as completed in 86917b3 Nov 7, 2024