.trivyignore.yaml

-Original file line number
+Diff line change
@@ Expand Up / @@ -23,3 +23,12 @@ vulnerabilities: @@
       - id: CVE-2025-61729
         statement: downstream dependency for asdf/go - waiting for new asdf release
         expired_at: 2026-06-01
+      - id: CVE-2025-61726
+        statement: downstream dependency for asdf/go - waiting for new asdf release
+        expired_at: 2026-06-01
+      - id: CVE-2025-61728
+        statement: downstream dependency for asdf/go - waiting for new asdf release
+        expired_at: 2026-06-01
+      - id: CVE-2026-25128
+        statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+        expired_at: 2026-06-01

packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -17,6 +17,7 @@ import { @@
     } from "aws-cdk-lib/aws-lambda"
     import {join} from "node:path"
     import {createSharedLambdaResources} from "./lambdaSharedResources"
+    import {addSuppressions} from "../utils/helpers"
     export interface PythonLambdaFunctionProps {
       /**
@@ Expand Down Expand Up / @@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct { @@
         // Suppress CFN guard rules for Lambda function
         const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-        cfnLambda.cfnOptions.metadata = {
-          guard: {
-            SuppressedRules: [
-              "LAMBDA_DLQ_CHECK",
-              "LAMBDA_INSIDE_VPC",
-              "LAMBDA_CONCURRENCY_CHECK"
-            ]
-          }
-        }
+        addSuppressions([cfnLambda], [
+          "LAMBDA_DLQ_CHECK",
+          "LAMBDA_INSIDE_VPC",
+          "LAMBDA_CONCURRENCY_CHECK"
+        ])
         // Create policy for external services to invoke this Lambda
         const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
@@ Expand Down @@

packages/cdkConstructs/src/constructs/TypescriptLambdaFunction.ts

-Original file line number
+Diff line change
@@ Expand Up @@
     import {Construct} from "constructs"
     import {join} from "node:path"
     import {createSharedLambdaResources} from "./lambdaSharedResources"
+    import {addSuppressions} from "../utils/helpers"
     export interface TypescriptLambdaFunctionProps {
       /**
@@ Expand Down Expand Up / @@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct { @@
         })
         const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-        cfnLambda.cfnOptions.metadata = {
-          guard: {
-            SuppressedRules: [
-              "LAMBDA_DLQ_CHECK",
-              "LAMBDA_INSIDE_VPC",
-              "LAMBDA_CONCURRENCY_CHECK"
-            ]
-          }
-        }
+        addSuppressions([cfnLambda], [
+          "LAMBDA_DLQ_CHECK",
+          "LAMBDA_INSIDE_VPC",
+          "LAMBDA_CONCURRENCY_CHECK"
+        ])
         const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
           description: `execute lambda ${functionName}`,
@@ Expand Down @@

packages/cdkConstructs/src/constructs/lambdaSharedResources.ts

-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,7 @@ import { @@
     } from "aws-cdk-lib/aws-iam"
     import {NagSuppressions} from "cdk-nag"
     import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+    import {addSuppressions} from "../utils/helpers"
     export interface SharedLambdaResourceProps {
       readonly functionName: string
@@ Expand Down Expand Up / @@ -65,13 +66,7 @@ export const createSharedLambdaResources = ( @@
       })
       const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-      cfnlogGroup.cfnOptions.metadata = {
-        guard: {
-          SuppressedRules: [
-            "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-          ]
-        }
-      }
+      addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
       new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
         destinationArn: splunkDeliveryStream.streamArn,
@@ Expand Down @@

Chore: [AEA-0000] - fix adding cfn guard suppressions to not overwrite all of metadata #492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

MatthewPopat-NHS merged 2 commits into main from fix_nag_suppressions

Feb 2, 2026

-Original file line number
+Diff line change
@@ Expand Up / @@ -23,3 +23,12 @@ vulnerabilities: @@
       - id: CVE-2025-61729
         statement: downstream dependency for asdf/go - waiting for new asdf release
         expired_at: 2026-06-01
+      - id: CVE-2025-61726
+        statement: downstream dependency for asdf/go - waiting for new asdf release
+        expired_at: 2026-06-01
+      - id: CVE-2025-61728
+        statement: downstream dependency for asdf/go - waiting for new asdf release
+        expired_at: 2026-06-01
+      - id: CVE-2026-25128
+        statement: downstream dependency for fast-xml-parser - waiting for aws-sdk release
+        expired_at: 2026-06-01

-Original file line number
+Diff line change
@@ Expand Up / @@ -17,6 +17,7 @@ import { @@
     } from "aws-cdk-lib/aws-lambda"
     import {join} from "node:path"
     import {createSharedLambdaResources} from "./lambdaSharedResources"
+    import {addSuppressions} from "../utils/helpers"
     export interface PythonLambdaFunctionProps {
       /**
@@ Expand Down Expand Up / @@ -207,15 +208,11 @@ export class PythonLambdaFunction extends Construct { @@
         // Suppress CFN guard rules for Lambda function
         const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-        cfnLambda.cfnOptions.metadata = {
-          guard: {
-            SuppressedRules: [
-              "LAMBDA_DLQ_CHECK",
-              "LAMBDA_INSIDE_VPC",
-              "LAMBDA_CONCURRENCY_CHECK"
-            ]
-          }
-        }
+        addSuppressions([cfnLambda], [
+          "LAMBDA_DLQ_CHECK",
+          "LAMBDA_INSIDE_VPC",
+          "LAMBDA_CONCURRENCY_CHECK"
+        ])
         // Create policy for external services to invoke this Lambda
         const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
     import {Construct} from "constructs"
     import {join} from "node:path"
     import {createSharedLambdaResources} from "./lambdaSharedResources"
+    import {addSuppressions} from "../utils/helpers"
     export interface TypescriptLambdaFunctionProps {
       /**
@@ Expand Down Expand Up / @@ -231,15 +232,11 @@ export class TypescriptLambdaFunction extends Construct { @@
         })
         const cfnLambda = lambdaFunction.node.defaultChild as CfnFunction
-        cfnLambda.cfnOptions.metadata = {
-          guard: {
-            SuppressedRules: [
-              "LAMBDA_DLQ_CHECK",
-              "LAMBDA_INSIDE_VPC",
-              "LAMBDA_CONCURRENCY_CHECK"
-            ]
-          }
-        }
+        addSuppressions([cfnLambda], [
+          "LAMBDA_DLQ_CHECK",
+          "LAMBDA_INSIDE_VPC",
+          "LAMBDA_CONCURRENCY_CHECK"
+        ])
         const executionManagedPolicy = new ManagedPolicy(this, "ExecuteLambdaManagedPolicy", {
           description: `execute lambda ${functionName}`,
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -13,6 +13,7 @@ import { @@
     } from "aws-cdk-lib/aws-iam"
     import {NagSuppressions} from "cdk-nag"
     import {LAMBDA_INSIGHTS_LAYER_ARNS} from "../config"
+    import {addSuppressions} from "../utils/helpers"
     export interface SharedLambdaResourceProps {
       readonly functionName: string
@@ Expand Down Expand Up / @@ -65,13 +66,7 @@ export const createSharedLambdaResources = ( @@
       })
       const cfnlogGroup = logGroup.node.defaultChild as CfnLogGroup
-      cfnlogGroup.cfnOptions.metadata = {
-        guard: {
-          SuppressedRules: [
-            "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
-          ]
-        }
-      }
+      addSuppressions([cfnlogGroup], ["CW_LOGGROUP_RETENTION_PERIOD_CHECK"])
       new CfnSubscriptionFilter(scope, "LambdaLogsSplunkSubscriptionFilter", {
         destinationArn: splunkDeliveryStream.streamArn,
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Chore: [AEA-0000] - fix adding cfn guard suppressions to not overwrite all of metadata #492

Uh oh!

Diff view

Diff view

There are no files selected for viewing