terminal ● cdk-insights scan
✓ 52 issues found
💡 134 Insights

Write code.
Get insights.
Repeat.

Catch security issues and misconfigurations before they reach AWS

CDK Insights uses AI and static analysis to find security gaps, compliance violations, and cost waste in your CDK stacks — across 100+ rules and 35+ AWS services. Your source code never leaves your machine.

Free forever static analysis
Code never leaves your machine
Results in under 3 minutes

100+ security rules
35+ AWS services
6 output formats

Find Problems Before
Your Users Do

Static analysis catches the obvious. AI catches everything else. Start free, upgrade when you need deeper insights.

Free Forever: Static Analysis

Free Forever Static Analysis

  • Security & compliance checks with CDK Nag
  • Linting and best practices
  • Fast feedback in terminal or CI
  • No credit card required

Pro & AI: AI Analysis

AI-Powered Deep Analysis

  • Findings mapped to Well-Architected Framework pillars
  • Deep security analysis via AWS Bedrock
  • Actionable, context-aware recommendations
  • JSON, Markdown, Table, or Summary output

Every Deployment
Is a Risk

CDK makes it easy to ship infrastructure fast. But speed without visibility means shipping misconfigurations to production — where they become incidents, breaches, and compliance failures.

CRITICAL: Public S3 Buckets

A single misconfigured bucket can expose customer data and trigger breach notification requirements

CRITICAL: Wildcard IAM Policies

Over-permissive roles are the #1 attack vector in cloud breaches — and the hardest to spot in code review

HIGH: Unencrypted Resources

Missing encryption on databases, queues, and storage can mean automatic compliance failures

MEDIUM: Missing Monitoring

No alarms, no logging, no trail — when something breaks in production, you find out from your users

CDK Insights catches these before they reach production.

100+ rules. 35+ AWS services. Static analysis is free forever — no signup required.

Zero to Insights
in 3 Minutes

No signup. No configuration. One command and you're scanning your CDK stacks for security issues, cost waste, and best practice violations.

1. Install & Run (30 seconds)

One command. No registration, no API keys, no complex setup — start analyzing your CDK stacks immediately.

$ npm install -g cdk-insights
$ cdk-insights scan
🔍 Analyzing your infrastructure...

2. AI Analysis (~2 min)

AI scans your infrastructure across 34 AWS services for deep security and cost insights

✨ 34 AWS Services

3. Security (Instant)

Identify vulnerabilities and compliance issues

CRITICAL: S3 Public Access
MEDIUM: IAM Permissions
LOW: Encryption
8 Issues Found

4. Cost Optimization

Identify opportunities to reduce AWS spend

LAMBDA: High memory allocation
S3: Missing lifecycle policy
S3: Intelligent tiering disabled
3 Optimizations Found

5. Export & Integrate

Multiple output formats for any workflow

JSON for CI/CD pipelines
Markdown reports
Table output
SARIF for GitHub Code Scanning
6 Output Formats

Ready to find what your CDK is hiding?

🧠 AI-Powered Analysis

Beyond Static Analysis

CDK Insights integrates advanced AI powered by AWS Bedrock to deliver context-aware recommendations, intelligent code suggestions, and architectural insights that understand your specific infrastructure. Access your analysis history and manage licenses through the web dashboard.

📊 Static Analysis: Fast & Free Forever

  • Rule-based Security Checks: 30+ AWS services covered
  • Cost Optimization: Find obvious savings opportunities
  • Instant Results: One-command analysis

🧠 AI Analysis: Powered by AWS Bedrock

  • Context-Aware Recommendations: Understands your specific infrastructure
  • Custom Code Suggestions: Tailored fixes with code examples
  • Architectural Pattern Recognition: Spots complex multi-resource issues
  • Natural Language Explanations: Clear explanations of issues and solutions
  • Web Dashboard Access: View analysis history and manage licenses

See AI Analysis in Action

Here's how AI goes beyond static analysis to provide intelligent, context-aware recommendations

⚠️ Static Analysis: Rule-based detection

⚠️ MEDIUM: Lambda function has high memory allocation
Memory usage may be excessive for this function
💡 Recommendation: Consider reducing memory allocation

🧠 AI Analysis: Context-aware insights

⚠️ MEDIUM: Lambda function has high memory allocation
Memory usage may be excessive for this function
🧠 AI Insight: Based on your function's 30s timeout and SQS message processing, 3008MB is likely over-provisioned. Most SQS processing functions work efficiently with 512-1024MB.
💡 Smart Suggestion: Reduce to 1024MB and monitor
memorySize: 1024

Powered by AWS Bedrock

CDK Insights leverages multiple foundation models via AWS Bedrock for intelligent infrastructure analysis with built-in failover

✨ Claude 3 Sonnet, Anthropic (Deep Analysis)

Advanced reasoning for complex security analysis and architectural recommendations.

🔥 Mixtral 8x7B, Mistral AI (Fast Inference)

Fast mixture-of-experts model for efficient infrastructure pattern analysis.

🦙 Llama 3 70B, Meta (Code Analysis)

Open-weight model providing high-quality code understanding and suggestions.

⭐ Amazon Nova, AWS (AWS Native)

AWS-native model optimized for cloud infrastructure understanding.

🚀 Amazon Titan, AWS (Enterprise)

Enterprise-grade foundation model with strong security focus.

🔄 Smart Failover: Built-in Redundancy (Multi-Model Failover)

Automatic model failover ensures high availability and consistent analysis results.
🔒 Privacy-First AI Analysis

Your code never leaves your environment

  • Redacted CloudFormation Only: Only anonymized infrastructure templates are analyzed
  • Source Code Stays Local: Your CDK source code never leaves your machine
  • Automatic Redaction: Sensitive data automatically removed before analysis
  • AWS Bedrock Security: Enterprise-grade security from AWS

Built for CDK.
Not Retrofitted.

Generic tools treat your CDK like raw CloudFormation and miss what matters. CDK Insights understands constructs, patterns, and intent — so you get actionable results, not noise.

CDK Insights: Purpose-built for CDK

  • CDK-Specific Analysis: Understands CDK constructs, patterns, and best practices — not just CloudFormation
  • Free Forever Static Analysis: No trials, no limits on basic analysis — comprehensive static checking always free
  • No Registration Required: Start analyzing immediately — no accounts, no signups, no barriers
  • Privacy-First Design: Free tier: 100% local analysis. AI tier: sends only redacted CloudFormation templates, never source code
  • Optional AI Enhancement: Upgrade to AI-powered analysis for deeper insights and contextual recommendations

Traditional Tools: Generic CloudFormation analysis

  • Generic CloudFormation Analysis: Treats your CDK code like raw CloudFormation — misses CDK-specific patterns
  • Pay-Walled or Trial Limited: Basic analysis often requires payment or limited trial periods
  • Account Registration Required: Sign up barriers and account creation before you can try anything
  • Data Upload Required: Upload your infrastructure code to external services for analysis
  • Limited AI Integration: Basic rule-based analysis without intelligent context-aware recommendations

The CDK Insights Difference

Purpose-built for CDK developers who want deep, actionable insights without compromising privacy

Instant Setup

One command gets you started:
npx cdk-insights scan

CDK-Native

Understands your CDK constructs, L2/L3 patterns, and TypeScript code structure

Smart Analysis

Context-aware AI that understands your specific infrastructure patterns and requirements

Try it yourself. One command, zero commitment.

npx cdk-insights scan

Local-First.
Privacy-Guaranteed.

The free tier runs 100% on your machine. No data leaves your environment. The AI analysis sends only redacted CloudFormation templates for advanced analysis.

Your Machine

CDK Insights runs directly on your local machine. Your code never leaves your environment.

Local Analysis

Powerful static analysis engine processes your CDK code locally using CDK-Nag and custom rules.

  • No Network: Works completely offline. No internet connection required.
  • No Uploads: Your code stays on your machine. Nothing gets uploaded anywhere.
  • No Tracking: We don't track usage, collect analytics, or monitor your activity.
  • No Accounts: No registration, no sign-ups, no personal information required.

How Local Analysis Works

Behind the scenes, CDK Insights leverages proven open-source tools to deliver comprehensive analysis

  • CDK-Nag Integration: Built on AWS's own CDK-Nag for security and compliance checking
  • Static Code Analysis: Comprehensive TypeScript AST parsing and pattern matching
  • CloudFormation Synthesis: Analyzes synthesized CloudFormation templates for infrastructure insights
  • Best Practice Rules: Curated rules for AWS Well-Architected Framework compliance
  • Multiple Export Formats: 6 export formats including JSON, Markdown, Table, Summary, SARIF, and GitHub Actions
  • Fast Analysis: Fast local analysis — no cloud round-trips required for static scans

Ready for Privacy-First Analysis?

Experience the security of local analysis. No servers, no uploads, no compromises.

Privacy-First.
Security-Built.

Your code should stay yours. That's why CDK Insights is designed to run locally first, with AI features that only process what you choose to share.

Local Analysis

Free tier runs 100% locally on your machine. No code leaves your environment. Static analysis with CDK-Nag happens entirely offline.

AI tier sends only redacted CloudFormation templates to our backend for AI analysis - never your source code.

Zero data transmission

You're In Control

AI analysis is completely opt-in. Static analysis runs locally by default. You decide if and when to use AI-powered features — there's no automatic data collection or background processing.

Opt-in AI features

No AI Training

Your data is never used for AI training. CDK Insights uses AWS Bedrock, which guarantees that your inputs and outputs are not used to train or improve foundation models.

AWS Bedrock guarantee

Additional Security Measures

  • End-to-End Encryption: All data in transit protected with TLS 1.2+ encryption
  • Minimal Data Collection: We only collect the minimum data necessary for analysis and recommendations
  • Secure Payment Processing: Payments handled by Stripe — we never store card details
  • Security Monitoring: Built-in monitoring and security best practices
  • Privacy Standards: Designed with privacy-first principles and minimal data collection
  • AWS Infrastructure: Built on AWS with enterprise-grade security and compliance

Ready to analyze your CDK stacks with complete privacy? Start with our free tier — no registration required.

Built for Trust.
Designed for Reliability.

Your trust is everything. CDK Insights is built with security and reliability at its core, ensuring your infrastructure analysis is both safe and accurate.

Security First: Privacy by design

  • Local-First Analysis: Static analysis runs entirely on your machine
  • End-to-End Encryption: All communications protected with TLS 1.2+ encryption
  • Security Best Practices: Built with industry-standard security practices and principles
  • CDK-Nag Integration: Works with AWS's open source CDK-Nag for static analysis

Reliability: Built to last

  • High Availability: Built on AWS's reliable cloud infrastructure
  • Graceful Fallbacks: Static analysis always works, even without connectivity
  • Serverless Architecture: Scales automatically with demand, no single points of failure
  • System Monitoring: Built-in monitoring and error tracking

Transparency: Open and honest

  • Clear Pricing: Simple, transparent pricing with no hidden fees or surprises
  • Privacy Policy: Clear documentation of our data handling practices
  • Open Documentation: Comprehensive guides and documentation freely available
  • Public Changelog: Detailed release notes and feature updates

Security & Privacy Principles

Built on industry best practices for security, privacy, and reliability

  • Security-First Design: Built with security as a core design principle
  • Privacy-Focused: Minimal data collection with privacy-first design principles
  • Industry Standards: Follows established security best practices
  • AWS Security: Built on AWS's secure cloud infrastructure

Trust Built on Action, Not Words

Every design decision prioritizes your security and privacy. Experience the difference of infrastructure analysis built for the modern enterprise.

Outputs That Fit Your Workflow

CDK Insights is designed to fit into your existing workflow. Whether you prefer markdown reports, GitHub issues, or direct integration, you'll get insights in the format that works best for you.


**Executive Summary:**

We discovered **366 total issues** across **71 resources** (97.2% with issues).

**Top Priorities:**

🔴 14 Critical severity issues

🟠 52 High severity issues

| Metric | Count |
|---|---|
| Resources scanned | 71 |
| Resources with issues | 69 |
| Total issues found | 366 |
| % of resources with issues | 97.2% |

### WAF Pillar Impact

• **Operational Excellence**: 136
• **Security**: 140
• **Cost Optimization**: 66
• **Reliability**: 18
• **Performance Efficiency**: 6
• **Sustainability**: 0

### Next Steps

1. Triage 🔴 critical issues first
2. Fix 🟠 high-impact items next
3. Schedule 🟡 medium-priority tasks
4. Plan 🟢 low-priority enhancements

Resource: InsecureIamRole41A4AD76

🔴🔴🔴 CRITICAL Severity Issue 🔴🔴🔴

  • Issue: IAM policy allows full access to all resources.
  • Recommendation: Restrict IAM policies to least privilege access.
  • 📍 Source Location: cdk/stacks/TestCdkInsightsStack.ts:26:5
  • Source Path: TestCdkInsightsStack/InsecureIamRole41A4AD76
  • WAF Pillar: Security

🔴🔴🔴 CRITICAL Severity Issue 🔴🔴🔴

  • Issue: The role has been granted the AWS managed policy AdministratorAccess, which provides full access to AWS services and resources.
  • Recommendation: Review the permissions granted to the role and replace the AdministratorAccess policy with the minimum necessary permissions.
  • 📍 Source Location: cdk/stacks/TestCdkInsightsStack.ts:26:5
  • Source Path: TestCdkInsightsStack/InsecureIamRole41A4AD76
  • WAF Pillar: Security
Potential Fix Example:

```typescript
import * as iam from 'aws-cdk-lib/aws-iam';

// Example of a more restrictive policy: two S3 actions on one bucket prefix
const restrictedPolicy = new iam.Policy(this, 'RestrictedPolicy', {
  statements: [
    new iam.PolicyStatement({
      actions: ['s3:GetObject', 's3:PutObject'],
      effect: iam.Effect.ALLOW,
      resources: ['arn:aws:s3:::example-bucket/*'],
    }),
  ],
});
// Attach the inline policy to the role. iam.Policy is an inline policy, not an
// IManagedPolicy, so role.addManagedPolicy() would not accept it.
role.attachInlinePolicy(restrictedPolicy);
```
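As an added example (not CDK Insights' own code or rule set), the TypeScript below implements the kind of check the CloudFormation Synthesis step describes: one rule over a synthesized template that reproduces the two IAM findings in the report above. The Finding shape, the sample template and its resource ids are constructed assumptions; the rule also resolves the Fn::Join over AWS::Partition that CDK emits for managed policy ARNs.

```typescript
// Added example, not CDK Insights' own code: one static rule over a synthesized
// CloudFormation template reproducing the two IAM findings in the sample report
// (wildcard "allow-all" policy and the AdministratorAccess managed policy).
// Resource ids and the template below are constructed for this example.

interface Finding { resource: string; severity: 'CRITICAL'; issue: string }
interface CfnTemplate { Resources: Record<string, { Type: string; Properties?: any }> }

// Resolve the intrinsics CDK emits for managed policy ARNs (Fn::Join over a
// Ref to AWS::Partition) into a plain string; unknown intrinsics become ''.
function flatten(v: unknown): string {
  if (typeof v === 'string') return v;
  const o = v as Record<string, any> | null;
  if (o && o.Ref === 'AWS::Partition') return 'aws';
  if (o && Array.isArray(o['Fn::Join'])) {
    const [delim, parts] = o['Fn::Join'] as [string, unknown[]];
    return parts.map(flatten).join(delim);
  }
  return '';
}
const asList = (v: unknown): any[] => (Array.isArray(v) ? v : v === undefined ? [] : [v]);

// A statement grants full access if it allows "*" on "*" (Deny statements are ignored).
const isFullAccess = (s: any): boolean =>
  s?.Effect === 'Allow' && asList(s.Action).map(flatten).includes('*')
  && asList(s.Resource).map(flatten).includes('*');

export function scanIamFindings(tpl: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(tpl.Resources)) {
    const p = res.Properties ?? {};
    if (res.Type === 'AWS::IAM::Role') {
      for (const arn of asList(p.ManagedPolicyArns).map(flatten)) {
        if (arn.endsWith(':iam::aws:policy/AdministratorAccess'))
          findings.push({ resource: id, severity: 'CRITICAL', issue: 'AdministratorAccess managed policy attached' });
      }
    }
    // Inline documents: Role.Policies[].PolicyDocument, or PolicyDocument on AWS::IAM::Policy / ManagedPolicy.
    const docs = res.Type === 'AWS::IAM::Role' ? asList(p.Policies).map((pol) => pol.PolicyDocument)
      : res.Type === 'AWS::IAM::Policy' || res.Type === 'AWS::IAM::ManagedPolicy' ? [p.PolicyDocument] : [];
    if (docs.some((d) => asList(d?.Statement).some(isFullAccess)))
      findings.push({ resource: id, severity: 'CRITICAL', issue: 'IAM policy allows full access to all resources' });
  }
  return findings;
}

// Constructed sample, roughly what `cdk synth` emits for a role with AdministratorAccess
// plus an inline allow-all policy, next to a least-privilege role that should pass.
export const SAMPLE_TEMPLATE: CfnTemplate = { Resources: {
  InsecureIamRoleEXAMPLE: { Type: 'AWS::IAM::Role', Properties: {
    ManagedPolicyArns: [{ 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/AdministratorAccess']] }],
    Policies: [{ PolicyName: 'allowAll', PolicyDocument: { Statement: [{ Effect: 'Allow', Action: '*', Resource: '*' }] } }] } },
  ReadOnlyRoleEXAMPLE: { Type: 'AWS::IAM::Role', Properties: {
    Policies: [{ PolicyName: 'read', PolicyDocument: { Statement: [{ Effect: 'Allow',
      Action: ['s3:GetObject'], Resource: ['arn:aws:s3:::example-bucket/*'] }] } }] } } } };
```

Running `scanIamFindings(SAMPLE_TEMPLATE)` returns two CRITICAL findings, both on InsecureIamRoleEXAMPLE, and none for the read-only role.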
JSON Export

Machine-readable structured data perfect for automation and CI/CD pipelines.

cdk-insights scan --output json

Markdown Reports

Human-readable documentation perfect for GitHub issues and team sharing.

cdk-insights scan --output markdown

Table View

Clean tabular output with colored severity levels - the default format.

cdk-insights scan --output table

Summary View

Concise overview showing just the essential metrics and highest priority issues.

cdk-insights scan --output summary

GitHub Integration

Automatically create GitHub issues from findings

# Create GitHub issues from findings
cdk-insights scan --with-issue
# Perfect for CI/CD workflows
cdk-insights scan --output json --with-issue

Requires GitHub CLI (gh) to be installed and authenticated

Smart Configuration

Save your preferences and customize analysis

# Set your preferred output format
cdk-insights config set output markdown
# Focus on specific services
cdk-insights config set services IAM,S3,Lambda
# View current settings
cdk-insights config list

Configuration persists across all analyses