cdklabs/cdk-nag

Is there a way to continue with synthesis and just output a report?

nessadc opened this issue · 2 comments

General Issue

I would like to continue with the cdk synth even if my resources are non compliant.

The Question

I'm investigating a use case where we do not want to block developers from synthesizing their stack if the resources are non compliant, rather we just want the report outputted. Besides ignoring all the possible rules per NagPack, is there another way to continue with the synth process? Apologies if I'm missing something critical about how CDK Aspects work and if this is not possible.

This is the code I have so far:

import aws_cdk as cdk
from cdk_nag import (
    NIST80053R5Checks,
    NagSuppressions,
    NagPackSuppression,
    NagReportFormat,
)
from infrastructure.stack import MainStack


app = cdk.App()

stack = MainStack(app)
# Run the NIST 800-53 R5 pack over every construct in the app and write
# both JSON and CSV reports; log_ignores=True also logs suppressed findings.
cdk.Aspects.of(app).add(
    NIST80053R5Checks(
        report_formats=[NagReportFormat.JSON, NagReportFormat.CSV], log_ignores=True
    )
)
# Stack-level suppression: this rule is recorded as "Suppressed" in the report
# instead of raising an error annotation.
NagSuppressions.add_stack_suppressions(
    stack,
    [NagPackSuppression(id="NIST.800.53.R5-LambdaDLQ", reason="ignored because why")],
)

cdk-nag version

2.27.116

Language

Typescript, Python

Other information

No response

Besides ignoring all the possible rules per NagPack, is there another way to continue with the synth process?

The synth process should complete. The errors generated using CDK Annotations (which is what cdk-nag uses) will stop deploy but not synth. The generated CloudFormation template should still be available in cdk.out after a synth.

For the deploy process, no, there is no way to just generate reports and have the deploy succeed on the included NagPacks. All the included NagPacks have the Annotations reporting mechanism (and it cannot be disabled). You will have to build a custom NagPack if you want to disable the Annotations reporting entirely.
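The "report-only" workflow described above (let synth finish, then read the report from cdk.out) is easy to script. The following is an added example, not code from the cdk-nag project or from anyone in this thread. It assumes the column layout cdk-nag writes to its CSV reports (Rule ID, Resource ID, Compliance, Exception Reason, Rule Level, Rule Info); the report path under cdk.out is a placeholder to be replaced with the file name cdk-nag produced for your stack, and the sample rows are constructed (only NIST.800.53.R5-LambdaDLQ comes from the issue itself).

```python
"""Summarise a cdk-nag CSV report after `cdk synth` (added example, not cdk-nag code).

Assumes cdk-nag's CSV column layout:
    Rule ID, Resource ID, Compliance, Exception Reason, Rule Level, Rule Info
"""
import csv
import io
import sys
from collections import Counter
from pathlib import Path

# Placeholder path: replace with the report cdk-nag wrote for your stack.
DEFAULT_REPORT = Path("cdk.out") / "PLACEHOLDER-NagReport.csv"

# Constructed sample report in the documented shape; not real cdk-nag output.
SAMPLE_REPORT = """\
Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info
"NIST.800.53.R5-LambdaDLQ","MainStack/Fn/Resource","Suppressed","ignored because why","Error","The Lambda function is not configured with a dead-letter configuration."
"NIST.800.53.R5-S3BucketLoggingEnabled","MainStack/Bucket/Resource","Non-Compliant","N/A","Error","The S3 Bucket does not have server access logs enabled."
"NIST.800.53.R5-S3BucketVersioningEnabled","MainStack/Bucket/Resource","Compliant","N/A","Error","The S3 Bucket does not have versioning enabled."
"NIST.800.53.R5-EC2RestrictedSSH","MainStack/Sg/Resource","N/A","N/A","Error","The Security Group allows unrestricted SSH access."
"""


def parse_report(csv_text: str) -> list[dict]:
    """Parse the CSV text into one dict per finding, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def summarize(rows: list[dict]) -> tuple[Counter, list[dict]]:
    """Count findings per compliance state and collect unsuppressed errors.

    "Suppressed" rows carry the developer's reason in "Exception Reason", so
    the summary keeps them visible for audit without treating them as failures.
    """
    counts = Counter(row["Compliance"] for row in rows)
    blocking = [
        row
        for row in rows
        if row["Compliance"] == "Non-Compliant" and row["Rule Level"] == "Error"
    ]
    return counts, blocking


def exit_code(blocking: list[dict], enforce: bool) -> int:
    """Report-only mode (enforce=False) never fails the pipeline; an optional
    enforcing mode turns unsuppressed error-level findings into a non-zero exit."""
    return 1 if enforce and blocking else 0


def main(argv: list[str]) -> int:
    path = Path(argv[1]) if len(argv) > 1 else DEFAULT_REPORT
    text = path.read_text() if path.exists() else SAMPLE_REPORT
    rows = parse_report(text)
    counts, blocking = summarize(rows)
    for state, n in sorted(counts.items()):
        print(f"{state:>14}: {n}")
    for row in blocking:
        print(f"ERROR {row['Rule ID']} at {row['Resource ID']}: {row['Rule Info']}")
    for row in rows:
        if row["Compliance"] == "Suppressed":
            print(f"suppressed {row['Rule ID']} at {row['Resource ID']}: {row['Exception Reason']}")
    return exit_code(blocking, enforce="--enforce" in argv)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `cdk synth` with the report path as the first argument; without `--enforce` it only prints the summary, which is the behaviour asked for in the issue, while `--enforce` gives a CI stage a way to block on unsuppressed error-level findings without ever interfering with synth itself.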

Ah awesome, I didn't bother to check the cdk.out for updated synthesis. Thank you @dontirun!