From d583ce8e4261353718e0528685ab9aa5ed1c795e Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 2 Feb 2026 11:51:43 +0000
Subject: [PATCH 1/2] fix adding supressions

---
 .../src/constructs/PythonLambdaFunction.ts | 15 ++++++---------
 .../src/constructs/TypescriptLambdaFunction.ts | 15 ++++++---------
 .../src/constructs/lambdaSharedResources.ts | 9 ++------
 3 files changed, 14 insertions(+), 25 deletions(-)

diff --git a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
index 63775ad..c49db86 100644
--- a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
@@ -17,6 +17,7 @@ import {
 } from "aws-cdk-lib/aws-lambda"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface PythonLambdaFunctionProps {
   /**
@@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct {
 
     // Suppress CFN guard rules for Lambda function
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     // Create policy for external services to invoke this Lambda
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
diff --git a/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts b/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
index 6fcd376..ff8c5de 100644
--- a/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts
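Review bot: The reason each of the three cfn-guard rules is waived is still not recorded at the `addSuppressions([cfnLambda], ...)` call, and because this is a reusable construct the waiver applies to every Lambda built through PythonLambdaFunction, not to one function with a known deployment shape. The existing comment only says what is done; it should say why, e.g. `// cfn-guard waivers apply to every function built by this construct — DLQ / VPC / reserved concurrency are not required because: <reason per rule>`. The removed code overwrote `cfnOptions.metadata` wholesale, and whether the new helper in ../utils/helpers (outside this diff) merges into existing metadata instead is not visible here — worth confirming, since other tooling can store its own keys on the same object. The enclosing constructor body starts and ends outside the hunk.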
@@ -15,6 +15,7 @@ import {NodejsFunction, NodejsFunctionProps} from "aws-cdk-lib/aws-lambda-nodejs
 import {Construct} from "constructs"
 import {join} from "node:path"
 import {createSharedLambdaResources} from "./lambdaSharedResources"
+import {addSuppressions} from "../utils/helpers"
 
 export interface TypescriptLambdaFunctionProps {
   /**
@@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct {
     })
 
     const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-    cfnLambda.cfnOptions.metadata = {
-      guard: {
-        SuppressedRules: [
-          "LAMBDA_DLQ_CHECK",
-          "LAMBDA_INSIDE_VPC",
-          "LAMBDA_CONCURRENCY_CHECK"
-        ]
-      }
-    }
+    addSuppressions([cfnLambda], [
+      "LAMBDA_DLQ_CHECK",
+      "LAMBDA_INSIDE_VPC",
+      "LAMBDA_CONCURRENCY_CHECK"
+    ])
 
     const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
       description: `execute lambda ${functionName}`,
diff --git a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
index 65da9a4..c85efc2 100644
--- a/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
+++ b/packages/cdkConstructs/src/constructs/lambdaSharedResources.ts
@@ -13,6 +13,7 @@ import {
 } from "aws-cdk-lib/aws-iam"
 import {NagSuppressions} from "cdk-nag"
 import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+import {addSuppressions} from "../utils/helpers"
 
 export interface SharedLambdaResourceProps {
   readonly functionName: string
@@ -65,13 +66,7 @@ export const createSharedLambdaResources = (
   })
 
   const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-  cfnlogGroup.cfnOptions.metadata = {
-    guard: {
-      SuppressedRules: [
-        "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-      ]
-    }
-  }
+  addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
 
   new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
     destinationArn: splunkDeliveryStream.streamArn,

From 1afe077081ad928272180bf6c1d4202ddcd87965 Mon Sep 17 00:00:00 2001
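Review bot: The three rule IDs passed to `addSuppressions` here are the same literal list written out again in PythonLambdaFunction.ts in this commit, so any future change to the waived rules has to be made in two places and the two constructs can silently drift. Both constructs already import from ./lambdaSharedResources, so the list belongs there as one exported constant, e.g. `export const LAMBDA_GUARD_SUPPRESSED_RULES = ["LAMBDA_DLQ_CHECK", "LAMBDA_INSIDE_VPC", "LAMBDA_CONCURRENCY_CHECK"]`, with this call becoming `addSuppressions([cfnLambda], LAMBDA_GUARD_SUPPRESSED_RULES)`. Unlike the Python construct this hunk has no comment at all explaining the waivers; a one-line reason per rule next to the constant would then serve both. The enclosing constructor body starts and ends outside the hunk.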
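Review bot: Whether `addSuppressions` merges into `cfnOptions.metadata` or assigns it wholesale, as the removed code did, is not visible here (the helper lives in ../utils/helpers, outside this diff), and it matters more in this file than in the Lambda constructs because `NagSuppressions` from cdk-nag is also imported and, as far as I recall, records its suppressions under the same metadata object — a wholesale assignment in either direction would silently drop one tool's suppressions. Please confirm the helper merges and note that at the call site. The waiver of `CW_LOGGROUP_RETENTION_PERIOD_CHECK` also has no stated reason; the `LogGroup` construction just above is outside the hunk so I cannot tell whether retention is configured there, but the call should say where retention is actually enforced, e.g. `// CW_LOGGROUP_RETENTION_PERIOD_CHECK waived because: <where retention is set, or why none is required>`. createSharedLambdaResources starts and ends outside the hunk.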
From: Anthony Brown
Date: Mon, 2 Feb 2026 11:56:04 +0000
Subject: [PATCH 2/2] more supressions

---
 .trivyignore.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index 3cc8bce..c8a5f69 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -23,3 +23,12 @@ vulnerabilities:
   - id: CVE-2025-61729
     statement: downstream dependency for asdf/go - waiting for new asdf release
     expired_at: 2026-06-01
+  - id: CVE-2025-61726
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2025-61728
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2026-25128
+    statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+    expired_at: 2026-06-01
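Review bot: None of the three new ignores is scoped to the package it is meant to cover, so CVE-2026-25128, for example, is silenced wherever fast-xml-parser shows up in the scan — including a direct dependency added later — and not only the transitive copy pulled in through aws-sdk that the statement describes. Trivy's YAML ignore file accepts `paths` and `purls` on a vulnerability entry (check that the installed Trivy version supports them), so each entry should carry something like `purls: ["pkg:npm/fast-xml-parser"]`, with the corresponding purl for the two asdf/go entries. The shared `expired_at: 2026-06-01` is a sensible backstop, but since each statement says it is waiting on an upstream release, adding the upstream issue or release-tracking link to the statement would let these be removed when the fix ships rather than when the date lapses.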