awslabs / automated-security-helper

https://awslabs.github.io/automated-security-helper/
Apache License 2.0

Include (or not) CDK Nag Report as part of the ASH aggregated report #102

Open rafaelpereyra opened 1 month ago

rafaelpereyra commented 1 month ago

This issue is to discuss a potential feature request.

When using ASH to scan a repository containing CDK code that uses cdk-nag, the cdk-nag report is NOT included in the report.

cdk-nag works differently than other static scanners: it's evaluated during the cdk synthesize process (CDK code being converted to CloudFormation templates). At this point a report (in CSV format) is generated inside the cdk.out folder.

ASH is currently not including this file in the aggregated results.

However, when ASH encounters a CloudFormation template in the repository, the file is imported into a CDK project with cdk-nag enabled, and the report is added:

https://github.com/awslabs/automated-security-helper/blob/6ae7d8cef7e34865a94ef86d8ad8f4aa9706d91e/utils/cdk-docker-execute.sh#L169

This leads to confusion regarding the ability of ASH to support CDK.

One possible solution is to allow ASH to look for the existing nag report inside the cdk.out folder and include it in the report (similar to the link provided above), only if the file exists.

The downside of this approach is that the report is not generated at runtime by ASH and it might be stale (the product of a previous synthesize operation, for example).

ASH cannot (and shouldn't) attempt to synthesize the CDK stack, since it won't have information about the context (parameters) for such an operation or the AWS credentials needed.
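The "pick up the existing report only if it exists" approach discussed in this issue, as an added shell example that is not part of ASH or its cdk-docker-execute.sh. It assumes cdk-nag's default report naming of `<NagPack>-<Stack>-NagReport.csv` inside cdk.out (an assumption, hence the `*NagReport.csv` glob), and it addresses the staleness downside by comparing the report's timestamp against the CDK source tree, so a report older than the code that produced it is flagged rather than silently trusted. The function names and the CSV header in the usage note are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example (not ASH's own code): collect a pre-existing cdk-nag CSV report
# from a cdk.out directory into an output directory, only when one exists, and
# provide a staleness check so a report left over from an old synth is not
# mistaken for current findings.
set -u

# collect_cdk_nag_reports <cdk.out dir> <output dir>
# Copies every cdk-nag report found in <cdk.out dir> into <output dir>.
# Returns 0 if at least one report was copied, 1 otherwise (no dir, no report).
# Assumes cdk-nag's default file naming '<NagPack>-<Stack>-NagReport.csv'.
collect_cdk_nag_reports() {
  local cdk_out="$1" out_dir="$2"
  local report found=0
  [ -d "$cdk_out" ] || return 1          # no cdk.out: nothing was ever synthesized
  mkdir -p "$out_dir"
  for report in "$cdk_out"/*NagReport.csv; do
    [ -f "$report" ] || continue         # glob matched nothing; skip the literal pattern
    cp "$report" "$out_dir/"
    found=$((found + 1))
  done
  [ "$found" -gt 0 ]
}

# report_is_stale <report file> <CDK source dir>
# Returns 0 (true) if any file under <CDK source dir> is newer than the report,
# i.e. the code changed after the report was generated and the findings may be
# out of date. Returns 1 if the report is at least as new as every source file.
# Uses only POSIX find primaries (-type, -newer) so it works on GNU and BSD find.
report_is_stale() {
  local report="$1" src_dir="$2"
  [ -f "$report" ] || return 1
  find "$src_dir" -type f -newer "$report" | head -n 1 | grep -q .
}

# Stand-alone usage: ./collect_nag.sh <cdk.out dir> <output dir> [CDK source dir]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
  if collect_cdk_nag_reports "$1" "$2"; then
    echo "cdk-nag report(s) copied to $2"
    if [ "$#" -ge 3 ]; then
      for r in "$2"/*NagReport.csv; do
        [ -f "$r" ] || continue
        if report_is_stale "$r" "$3"; then
          echo "WARNING: $r is older than files in $3; re-run cdk synth before trusting it" >&2
        fi
      done
    fi
  else
    echo "no cdk-nag report found in $1; skipping cdk-nag results" >&2
  fi
fi
```

The staleness check deliberately errs toward warning: it only proves a report is current relative to the source tree that was scanned, not that it was produced with the same context values, which is why the comment recommends re-running synth rather than trying to synthesize inside the scanner.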

climbertjh2 commented 1 month ago

I think support/processing for CDK applications should be re-designed (or actually initially designed) completely.

My suggestions:

That gives the potential for running 3 separate sets of checks on CDK code: CDK-Nag, cfn_nag, and CfnGuardValidator (in addition to the source code language scanners for Python/TypeScript that will be run as well).