
AWS CDK Security Scanner built for the construct tree

CDK Insights is a security scanner for AWS CDK applications. It analyses your CDK code at synth time, runs 104 rules across 35 AWS services, and points findings straight back at the file and line in your CDK source. The static scanner is free forever via npm.

Run it now

npx cdk-insights scan

Run from any AWS CDK project root. The scanner synthesises your stacks, applies the rule pack, and returns a table of findings with file-and-line attribution. No account or license key needed.

What this AWS CDK security scanner catches

A representative slice of the 104-rule pack. The full registry is in the static analysis documentation.

IAM

  • Wildcard resource and action permissions
  • Cross-account trust without external IDs
  • Permission boundaries missing on production roles
  • Roles with policies attached directly to users

S3

  • Public ACLs and block-public-access misconfigurations
  • Bucket policies that lock the account out of its own bucket
  • Buckets without server-side encryption
  • Bucket policies that permit non-SSL requests

Networking

  • Security groups open to 0.0.0.0/0 on sensitive ports
  • Public subnets with auto-assign public IP
  • NAT Gateway costs surfaced before deploy
  • VPC flow logs missing on production VPCs

Data stores

  • RDS publicly accessible flag set to true
  • DynamoDB tables without point-in-time recovery
  • Redshift clusters reachable from the public internet
  • Unencrypted EBS volumes and snapshots

How a CDK-native scanner is different

Generic IaC scanners read the CloudFormation that comes out of synth. CDK Insights also reads what went in.

Install via npm

No account needed for static scans. Add it as a dev dependency, run `npx cdk-insights init`, and the npm scripts plug into the workflow you already have.

Synth-aware analysis

CDK Insights synthesises your CDK app the same way the AWS CDK CLI does, then walks both the construct tree and the generated CloudFormation. Findings carry CDK construct paths, not just CloudFormation logical IDs.
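As an added illustration of what walking the construct tree looks like (example code, not CDK Insights' own), this script applies two of the S3 rules listed above to a constructed sample in the shape of CDK's `cdk.out/tree.json`. The node layout (`path`, `children`, and `attributes` keyed `aws:cdk:cloudformation:type` / `aws:cdk:cloudformation:props`) is assumed from CDK's tree output, and the rule IDs are hypothetical.

```javascript
// Walk a CDK construct tree in the shape of cdk.out/tree.json (node layout assumed; the sample
// below is constructed, not real synth output) and apply two S3 rules from the list above.
const RULES = {
  "AWS::S3::Bucket": [
    {
      id: "S3-ENCRYPTION", // hypothetical rule ID
      message: "Bucket has no server-side encryption configured",
      check: (p) => !p.bucketEncryption,
    },
    {
      id: "S3-PUBLIC-ACCESS", // hypothetical rule ID
      message: "Public ACL or incomplete block-public-access configuration",
      check: (p) => {
        const block = p.publicAccessBlockConfiguration;
        const allBlocked = Boolean(block) && ["blockPublicAcls", "blockPublicPolicy",
          "ignorePublicAcls", "restrictPublicBuckets"].every((k) => block[k] === true);
        return String(p.accessControl || "").startsWith("PublicRead") || !allBlocked;
      },
    },
  ],
};
// Depth-first walk; only L1 (CfnResource) nodes carry the cloudformation type/props attributes,
// so findings are reported with the construct path, not just a CloudFormation logical ID.
function scanTree(tree) {
  const findings = [];
  const visit = (node) => {
    const attrs = node.attributes || {};
    const type = attrs["aws:cdk:cloudformation:type"];
    const props = attrs["aws:cdk:cloudformation:props"] || {};
    for (const rule of RULES[type] || []) {
      if (rule.check(props)) findings.push({ ruleId: rule.id, path: node.path, message: rule.message });
    }
    for (const child of Object.values(node.children || {})) visit(child);
  };
  visit(tree.tree);
  return findings;
}
// Constructed sample: one bucket with a public ACL and no encryption, one hardened bucket.
const bucketNode = (path, props) => ({ id: path.split("/").pop(), path, attributes: {
  "aws:cdk:cloudformation:type": "AWS::S3::Bucket", "aws:cdk:cloudformation:props": props } });
const SAMPLE_TREE = { version: "tree-0.1", tree: { id: "App", path: "", children: {
  DataStack: { id: "DataStack", path: "DataStack", children: {
    Uploads: { id: "Uploads", path: "DataStack/Uploads", children: {
      Resource: bucketNode("DataStack/Uploads/Resource", { accessControl: "PublicRead" }) } },
    Audit: { id: "Audit", path: "DataStack/Audit", children: {
      Resource: bucketNode("DataStack/Audit/Resource", {
        bucketEncryption: { serverSideEncryptionConfiguration: [{ serverSideEncryptionByDefault: { sseAlgorithm: "aws:kms" } }] },
        publicAccessBlockConfiguration: { blockPublicAcls: true, blockPublicPolicy: true, ignorePublicAcls: true, restrictPublicBuckets: true } }) } } } } } } };
console.log(scanTree(SAMPLE_TREE)); // two findings, both at DataStack/Uploads/Resource
```

Run it with `node` after pointing `SAMPLE_TREE` at a parsed real `cdk.out/tree.json` to see the same walk over your own stacks.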

Source-location attribution

Every finding maps back to the file and line in your CDK source where the issue originates. No hunting through 4,000-line YAML to find which `new s3.Bucket(...)` call triggered it.

CDK Nag built in

If you already use cdk-nag, the aspect captures its findings into the same report; it is non-blocking by default, so you decide what to fail on. The two scanners work together rather than competing.

What makes this scanner trustworthy

  • Static analysis runs entirely on your machine; your CDK source never leaves it.
  • AI-powered insights are opt-in. Even then, only synthesised CloudFormation resource definitions are sent for context.
  • Open about what each rule checks: every finding includes the Well-Architected Framework (WAF) pillar, the rule ID, and a reproducible explanation.
  • Free static analysis forever via npm: no credit card, no signup wall, no telemetry by default.

Scan your AWS CDK app in under a minute

One command, no signup. Static analysis is free forever.