
Scan History

Opt in to upload each analyse run to your CDK Insights dashboard. Past runs are searchable, shareable, and auto-expire after 30 days. Off by default; flip a single flag to start.

Why turn it on?

See your scans in one place

Every analyse run shows up in /scans with severity counts, stacks, and CLI version. No more digging through CI logs to remember what last week looked like.

Drill into any past run

Click a row to see the full report: per-stack tabs, every finding with its source location, recommendation, and snippet. Same shape as the local report, but persistent.

Share without exporting

A teammate with access to your dashboard can pull up the same scan you ran locally. No copy-pasting JSON into Slack.

Off by default

Nothing is uploaded until you flip the flag. The CLI is fully usable, including AI analysis, without ever sending a scan to the dashboard.

Enable it

Add the scanHistory block to your .cdk-insights.json. The next analyse run will upload its report at the end and show you a viewable URL in the terminal.

{
  "output": "table",
  "failOnCritical": true,
  "scanHistory": {
    "enabled": true
  }
}

Run a scan as normal:

npx cdk-insights analyse

At the end of the run you'll see a block like:

โ˜๏ธ  Scan history
   View scan: https://cdkinsights.dev/scans/3cb98ef2-699b-46fc-85b9-830fa062d646
   Retention: 30 days

View your scans

All your uploaded scans live at cdkinsights.dev/scans (you'll need to be signed in). The list view shows severity counts and stack names per scan. Clicking a row opens the full report: Summary tab plus a tab per stack, with every finding, recommendation, and source location.

Scans are scoped to your license. Other users on your account see their own runs; team accounts see the team's runs across all seats.

What's uploaded

The CLI sends a JSON envelope containing your scan report. Two things to know:

License key

Never sent. The CLI sends a sha256 digest of your license key (32 hex chars), and the server only ever sees that digest.

Report body

The structured findings JSON is uploaded as-is. It contains stack names, construct paths, resource logical IDs, finding text, and (where the rule provides one) source locations from your CDK manifest.

CloudFormation templates

Not uploaded. Scan history stores the analysis output, not the synthesized templates the analysis ran against.

CLI version + platform

Sent as request metadata so the dashboard can show what produced each scan. No hostnames, no usernames, no IP.

Retention & expiry

Each scan is automatically deleted 30 days after upload. The countdown is shown on the detail page so you always know when a scan is about to age out.

You can delete a scan at any time from its detail page (Delete scan), or wipe everything from Account → Scan history → Erase all scans.

Turn it off

Set scanHistory.enabled back to false in your .cdk-insights.json:

"scanHistory": { "enabled": false }

Future runs stop uploading immediately. To remove the scans you already uploaded, use Erase all scans on the account page.

What happens if upload fails?

The upload is best-effort and out-of-band; it never blocks your run. If the network is down, the server is unreachable, or the request times out, you see a single warning line in the terminal and the scan completes normally with the local report intact.

CI runs treat upload failures the same way: the scan's exit code is determined by the findings (and failOnCritical), never by whether scan history uploaded successfully.

Pair with Diff Mode

Scan history shows you what each run found. Diff mode shows you what changed since the last accepted scan. Together they give you both the per-run snapshot and the trend across runs.

Read the Diff Mode docs