
build(deps-dev): bump cdk-nag from 2.38.2 to 3.0.1#94

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/cdk-nag-3.0.1

Conversation

dependabot Bot (Contributor) commented on behalf of github Jun 22, 2026

Bumps cdk-nag from 2.38.2 to 3.0.1.

Release notes

Sourced from cdk-nag's releases.

v3.0.1

3.0.1 (2026-06-15)

Bug Fixes

  • walk ancestor tree in isAcknowledged and WriteNagSuppressions (#2349) (9c2d2cb)

v3.0.0

3.0.0 (2026-06-12)

⚠ BREAKING CHANGES

  • cdk nag v3 rewrites the core engine from an IAspect to an IPolicyValidationPlugin. Rule packs now participate in CDK's native policy validation framework instead of emitting annotations during synthesis.

Features

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update python code labels Jun 22, 2026
@github-actions


No description provided.

@dependabot dependabot Bot force-pushed the dependabot/pip/cdk-nag-3.0.1 branch 5 times, most recently from 470d17c to 697c77e on July 3, 2026 02:51
Bumps [cdk-nag](https://github.com/cdklabs/cdk-nag) from 2.38.2 to 3.0.1.
- [Release notes](https://github.com/cdklabs/cdk-nag/releases)
- [Commits](cdklabs/cdk-nag@v2.38.2...v3.0.1)

---
updated-dependencies:
- dependency-name: cdk-nag
  dependency-version: 3.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
timpugh (Owner) commented Jul 3, 2026

Superseded by #99: cdk-nag v3 is an engine rewrite (IAspect → policy-validation plugins, NagSuppressions removed, granular finding matching), so the bare version bump cannot compile — #99 carries the full migration with the gate-integrity work.

@timpugh timpugh closed this Jul 3, 2026
dependabot Bot (Contributor, Author) commented on behalf of github Jul 3, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/pip/cdk-nag-3.0.1 branch July 3, 2026 05:11
timpugh added a commit that referenced this pull request Jul 3, 2026
…engine) (#99)

cdk-nag v3 rewrites the rule packs from per-stack IAspects onto CDK's
native policy validation framework, which changes how packs attach, how
suppressions work, and — critically — how failure is signaled. This
migration covers all of it; supersedes #94, whose bare version bump
cannot compile against the v3 API.

Engine: the five packs are now plugins registered once at the App root
(attach_nag_packs, called from app.py and every nag-gating test
fixture). apply_compliance_aspects stays per stack carrying the
project's TemplateConventionChecks Aspect plus cdk-nag's
WriteNagSuppressionsToCloudFormationAspect — per stack because Aspects
do not cross cdk.Stage boundaries (verified live: an App-level
registration silently skipped every Stage-nested stack), which is what
keeps the v2-style cdk_nag Metadata audit trail in the templates and
snapshots.

Suppressions: NagSuppressions is gone; acknowledge_rules in nag_utils
adapts this repo's unchanged {id, reason, applies_to} data shape onto
Validations.of().acknowledge(). v3 matches granular IAM4/IAM5 findings
individually — a bare rule id matches nothing — so every previously
blanket wildcard is now enumerated with its exact finding id (singleton
IAM4 managed policies, the BucketDeployment handler's seven s3 grants,
the RUM cleanup log-group ARN, CodeDeploy and API Gateway CloudWatch
roles). Two upstream sharp edges are worked around and documented in
place: CDK's acknowledge API rejects ids with more than one '::' while
the packs emit exactly such ids for IAM4 (metadata fallback in
acknowledge_rules), and raw IAM5 resource finding ids reproduce
whichever partition rendering the synth used (both arn:aws: and
arn:<AWS::Partition>: forms acknowledged where ARNs embed partitions).

Gate integrity: CDK signals validation failure by setting
process.exitCode in the NODE process — jsii's throwaway kernel for a
Python app — so neither app.synth() nor cdk synth fails natively
(verified live: a non-compliant canary synthesized 'successfully' via
the CLI). The hard gate is now explicit on both paths:
scripts/check_validation_report.py (fails on violations AND on a
missing report) runs after synth in make cdk-synth and the CI cdk-check
job, and TestNagCompliance parses each shape's validation-report.json
in-process, with test_nag_gate_can_fail as the non-vacuousness canary.
That CLI checker caught the partition-rendering split during this very
migration.

The RUM cleanup grant ARN switched from a token-embedding monitor-id
prefix to a monitor-name suffix wildcard: the delete call still targets
the exact log group, and the literal ARN is what makes the finding id
reproducible enough to acknowledge.

Docs updated (CLAUDE.md nag sections, nine README passages); snapshots
regenerated — the metadata diff is the v3 write-aspect recording
acknowledgments subtree-wide.
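The explicit gate the commit message describes (fail on violations and also on a missing report, because CDK only sets process.exitCode in the jsii node process and a Python app never sees it), written here as an added example; it is not the project's scripts/check_validation_report.py. The report key names follow the shape CDK emits for `cdk synth --validation-report-json` and are an assumption, as are the sample plugin name and resource id.

```python
import json
import sys
from pathlib import Path

# Constructed sample report (not the project's): one cdk-nag plugin with a single
# IAM5 finding. Key names follow CDK's --validation-report-json output (assumed).
SAMPLE_REPORT = {
    "pluginReports": [{
        "summary": {"pluginName": "cdk-nag-AwsSolutions", "status": "failure"},
        "violations": [{
            "ruleName": "AwsSolutions-IAM5",
            "description": "The IAM entity contains wildcard permissions.",
            "violatingResources": [{
                "resourceLogicalId": "HandlerRoleDefaultPolicy",  # hypothetical id
                "templatePath": "cdk.out/ExampleStack.template.json",
                "locations": ["Properties/PolicyDocument/Statement/0/Resource"],
            }],
        }],
    }],
}


def evaluate_report(report: dict) -> tuple[bool, list[str]]:
    """Pass only if every plugin reports 'success' AND lists no violations."""
    findings = []
    for plugin in report.get("pluginReports", []):
        summary = plugin.get("summary", {})
        name = summary.get("pluginName", "<unknown plugin>")
        status = summary.get("status")
        if status != "success":
            findings.append(f"{name}: status={status}")
        for violation in plugin.get("violations", []):
            for res in violation.get("violatingResources", []):
                findings.append(f"{name}: {violation.get('ruleName')} on {res.get('resourceLogicalId')}")
    return (not findings, findings)


def check_report_file(path: str) -> int:
    """Gate exit code: 2 if the report is missing (no vacuous pass), 1 on findings, 0 if clean."""
    report_path = Path(path)
    if not report_path.is_file():
        print(f"validation report not found: {path}", file=sys.stderr)
        return 2
    passed, findings = evaluate_report(json.loads(report_path.read_text()))
    for line in findings:
        print(line, file=sys.stderr)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(check_report_file(sys.argv[1] if len(sys.argv) > 1 else "cdk.out/validation-report.json"))
```

Wiring this after synth in the Makefile target and CI job is what turns a report that the CLI silently ignores into a hard failure, and the missing-report branch is the non-vacuousness check the commit message's canary test guards.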