
Auto-Fix

Apply mechanical remediations directly to your CDK source. cdk-insights fix reads findings, looks up the registered fixer for each rule, and mutates the relevant props with the TypeScript compiler API.

Why Auto-Fix?

Single-keystroke remediation

Many findings have a single mechanically-correct fix: add enforceSSL: true, set pointInTimeRecovery: true, swap an EOL Lambda runtime. The CLI does it for you.

Reviewable diffs

Auto-fix only mutates inline object literals — the kind of change that produces a clean git diff. No surprise refactors.

Dry-run by default

Running cdk-insights fix without flags prints the proposed changes and exits without writing. Pass --apply when you’re ready.

Pairs with diff mode

Run --diff to see what's new, then fix --apply to remediate the mechanical ones in a single review pass.

Quick Start

1. See what would change

npx cdk-insights fix

The default dry-run mode prints every proposed change, the file and line, and the exact property being added or replaced. Nothing is written.

2. Apply

npx cdk-insights fix --apply

Writes the fixes to disk. Multiple fixes in the same file are applied bottom-up so earlier insertions don’t shift the line numbers of later ones.

3. Target a single rule

npx cdk-insights fix --rule AwsSolutions-DDB3 --apply

Useful when you want to land a focused PR for one remediation type rather than a multi-rule sweep.

4. Verify

npm run build && npx cdk-insights scan --diff

Re-build the CDK app to confirm the change compiles, then re-scan with --diff to verify the targeted rules no longer fire.

Supported Rules

Rule IDs starting with AwsSolutions- come from cdk-nag and surface with that prefix in the issue text. Rule IDs starting with CDKI- are synthetic — assigned to cdk-insights’ own findings via stable issue-text patterns, since cdk-insights’ built-in rules don’t carry per-issue rule IDs.

Columns: Rule ID, Fix, Operation, Construct.

AwsSolutions-S10
  Fix: S3 SSL enforcement (enforceSSL: true)
  Operation: insert
  Construct: aws-cdk-lib/aws-s3 → Bucket

AwsSolutions-S2
  Fix: S3 bucket versioning (versioned: true)
  Operation: insert
  Construct: aws-cdk-lib/aws-s3 → Bucket

AwsSolutions-DDB3
  Fix: DynamoDB Point-in-Time Recovery (pointInTimeRecovery: true)
  Operation: insert
  Construct: aws-cdk-lib/aws-dynamodb → Table

AwsSolutions-L1
  Fix: Lambda runtime upgrade (runtime: lambda.Runtime.NODEJS_22_X)
  Operation: replace (when value matches a known-stale runtime)
  Construct: aws-cdk-lib/aws-lambda → Function

CDKI-S3-ENCRYPTION
  Fix: S3 server-side encryption (encryption: s3.BucketEncryption.S3_MANAGED)
  Operation: insert
  Construct: aws-cdk-lib/aws-s3 → Bucket

CDKI-DDB-KMS
  Fix: DynamoDB AWS-managed KMS encryption (encryption: dynamodb.TableEncryption.AWS_MANAGED)
  Operation: replace (TableEncryption.DEFAULT → AWS_MANAGED) or insert if absent
  Construct: aws-cdk-lib/aws-dynamodb → Table

CDKI-LAMBDA-TRACING
  Fix: Lambda X-Ray tracing (tracing: lambda.Tracing.ACTIVE)
  Operation: insert
  Construct: aws-cdk-lib/aws-lambda → Function

When Auto-Fix Skips or Refuses

Auto-fix is conservative on purpose. Each of these cases produces an explicit message in the output so you know what to do next.

Property already set to the right value
Skipped with a note. The rule may still fire for other reasons.
Props passed via a variable, spread, or function call
Refused with a clear error. Auto-fix only mutates inline object literals so the change stays local and reviewable.
Lambda runtime is current or unrecognised
Refused. The runtime fixer only replaces known-stale runtimes (NodeJS 12/14/16/18/20, Python 3.7/3.8/3.9). It will not downgrade.
TypeScript not installed in the project
Errored with an actionable message. Run `npm install --save-dev typescript` to enable the AST parser.
Source location drifted from the actual construct
Errored with the file:line:column the scanner reported. Usually means a recent edit shifted the file but cdk.out is stale; re-run with --noCache.
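The planning and write steps described above (mutate only an inline object literal, skip a prop already set to the right value, refuse variables, spreads and runtimes that are not known-stale, and apply edits bottom-up so earlier insertions do not shift later offsets), as an added TypeScript example; this is not cdk-insights' own code. It uses the public TypeScript compiler API; the FIXERS table, the Outcome shape, the planFix/applyEdits/fixSample names and the SAMPLE stack text are assumptions constructed for this illustration.

```typescript
import * as ts from "typescript";

// Resolve the compiler API whether the host loads `typescript` as CommonJS or ESM (runtime assumption).
const api = ((ts as any).default ?? ts) as typeof ts;

// Hypothetical fixer registry modelled on rows of the Supported Rules table; not cdk-insights' own code.
interface Fixer { construct: string; prop: string; value: string; op: "insert" | "replace"; stale?: string[] }
export const FIXERS: Record<string, Fixer> = {
  "AwsSolutions-S10": { construct: "Bucket", prop: "enforceSSL", value: "true", op: "insert" },
  "AwsSolutions-DDB3": { construct: "Table", prop: "pointInTimeRecovery", value: "true", op: "insert" },
  "AwsSolutions-L1": {
    construct: "Function", prop: "runtime", value: "lambda.Runtime.NODEJS_22_X", op: "replace",
    // Known-stale runtimes the fixer may replace; anything else is refused, never downgraded.
    stale: ["NODEJS_12_X", "NODEJS_14_X", "NODEJS_16_X", "NODEJS_18_X", "NODEJS_20_X", "PYTHON_3_7", "PYTHON_3_8", "PYTHON_3_9"],
  },
};

export interface Edit { start: number; end: number; text: string }
export interface Outcome { status: "fixed" | "skipped" | "refused"; reason: string; edit?: Edit }

// `new s3.Bucket(...)` and `new Bucket(...)` both resolve to "Bucket".
function constructName(expr: ts.Expression): string | undefined {
  if (api.isIdentifier(expr)) return expr.text;
  if (api.isPropertyAccessExpression(expr)) return expr.name.text;
  return undefined;
}

// Decide what to do with one `new <Construct>(scope, id, props)` expression.
function planOne(sf: ts.SourceFile, node: ts.NewExpression, fixer: Fixer): Outcome {
  const line = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
  const props = node.arguments?.[2];
  // Only an inline object literal is mutated; a variable, call or spread is refused.
  if (!props || !api.isObjectLiteralExpression(props)) {
    return { status: "refused", reason: `line ${line}: props are not an inline object literal` };
  }
  if (props.properties.some((p) => api.isSpreadAssignment(p))) {
    return { status: "refused", reason: `line ${line}: props contain a spread` };
  }
  const existing = props.properties.find(
    (p): p is ts.PropertyAssignment =>
      api.isPropertyAssignment(p) && api.isIdentifier(p.name) && p.name.text === fixer.prop,
  );
  if (existing) {
    const current = existing.initializer.getText(sf);
    if (current === fixer.value) {
      return { status: "skipped", reason: `line ${line}: ${fixer.prop} already set to ${fixer.value}` };
    }
    if (fixer.op === "replace" && fixer.stale?.some((s) => current.endsWith("." + s))) {
      const { initializer } = existing;
      return { status: "fixed", reason: `line ${line}: replace ${current} with ${fixer.value}`,
               edit: { start: initializer.getStart(sf), end: initializer.getEnd(), text: fixer.value } };
    }
    return { status: "refused", reason: `line ${line}: ${fixer.prop} is ${current}; left unchanged` };
  }
  if (fixer.op === "replace") {
    return { status: "refused", reason: `line ${line}: no ${fixer.prop} property to replace` };
  }
  // Insert after the last property (an existing trailing comma stays after the new prop).
  const last = props.properties[props.properties.length - 1];
  const start = last ? last.getEnd() : props.getStart(sf) + 1;
  const text = last ? `, ${fixer.prop}: ${fixer.value}` : ` ${fixer.prop}: ${fixer.value} `;
  return { status: "fixed", reason: `line ${line}: insert ${fixer.prop}: ${fixer.value}`, edit: { start, end: start, text } };
}

// Walk the file and plan a fix for every construct the rule's fixer targets.
export function planFix(source: string, ruleId: string): Outcome[] {
  const fixer = FIXERS[ruleId];
  if (!fixer) return [{ status: "refused", reason: `no fixer registered for ${ruleId}` }];
  const sf = api.createSourceFile("stack.ts", source, api.ScriptTarget.Latest, true);
  const out: Outcome[] = [];
  const visit = (node: ts.Node): void => {
    if (api.isNewExpression(node) && constructName(node.expression) === fixer.construct) {
      out.push(planOne(sf, node, fixer));
    }
    api.forEachChild(node, visit);
  };
  visit(sf);
  return out;
}

// Apply edits bottom-up (highest offset first) so an earlier insertion never shifts a later offset.
export function applyEdits(source: string, edits: Edit[]): string {
  let out = source;
  for (const e of [...edits].sort((a, b) => b.start - a.start)) {
    out = out.slice(0, e.start) + e.text + out.slice(e.end);
  }
  return out;
}

// Constructed sample stack source, not a real project file.
export const SAMPLE = `const logs = new s3.Bucket(this, 'Logs', { versioned: true });
const data = new s3.Bucket(this, 'Data', { enforceSSL: true });
const shared = new s3.Bucket(this, 'Shared', sharedProps);
const fn = new lambda.Function(this, 'Fn', {
  runtime: lambda.Runtime.NODEJS_18_X,
  handler: 'index.handler',
});
`;

// Dry run for two rules, then one bottom-up write of every resulting edit.
export function fixSample(): string {
  const outcomes = [...planFix(SAMPLE, "AwsSolutions-S10"), ...planFix(SAMPLE, "AwsSolutions-L1")];
  return applyEdits(SAMPLE, outcomes.flatMap((o) => (o.edit ? [o.edit] : [])));
}
```

Run against SAMPLE, the S10 fixer yields one insert (Logs), one skip (Data, already enforceSSL: true) and one refusal (Shared, props passed via a variable); the L1 fixer replaces the NODEJS_18_X runtime and would refuse an unrecognised one. Because the edit list is sorted by descending offset before writing, the insertion on line 1 cannot displace the replacement on line 5, which is the reason the page gives for applying fixes bottom-up.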

Limitations

  • No new resources. Findings that need a new construct (a log target bucket, a VPC flow log group, a DLQ, a WAF) are intentionally out of scope. They require architectural decisions auto-fix cannot make.
  • No code refactors. Wildcard IAM, MFA policies, API Gateway authorisers — these are judgment calls. Auto-fix sticks to mechanical changes whose remediation is unambiguous.
  • Assumes conventional imports. Inserted values reference modules by their conventional aliases (s3.BucketEncryption, dynamodb.TableEncryption, lambda.Tracing). If your project imports individual symbols differently, the fix will leave a compile error you can resolve.
  • Re-run scan to confirm. The output reports what the AST mutator did, not whether the rule still fires. Always re-run cdk-insights scan after applying fixes.

CLI Flags

--apply

Write the fixes to disk. Without this flag, cdk-insights fix runs in dry-run mode and only prints the proposed changes.

--dry-run

Default behaviour. Prints what would change and exits 0 without modifying files.

--rule <rule-id>

Restrict the run to a single rule (e.g. AwsSolutions-S10). Useful when you want focused, single-purpose PRs rather than a sweeping fix-everything change.

Recommended Workflow

Auto-fix is most useful in combination with diff mode:

  1. Snapshot today’s findings: cdk-insights scan --writeBaseline
  2. On a PR, see only what's new: cdk-insights scan --diff
  3. Auto-remediate the mechanical ones: cdk-insights fix --apply
  4. Update the baseline once you accept the smaller debt: cdk-insights scan --writeBaseline
Read the Diff Mode docs