Updating CDK nag to be enabled on the stacks vs app

awslabs · Oct 18, 2024 · 14f02d4 · 14f02d4
1 parent a9d2c9a
commit 14f02d4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 6 deletions.
diff --git a/bin/lisa.ts b/bin/lisa.ts
@@ -21,8 +21,6 @@ import * as fs from 'fs';
 import * as path from 'path';
 
 import * as cdk from 'aws-cdk-lib';
-import { Aspects } from 'aws-cdk-lib';
-import { AwsSolutionsChecks } from 'cdk-nag';
 import * as yaml from 'js-yaml';
 
 import { Config, ConfigFile, ConfigSchema } from '../lib/schema';
@@ -78,10 +76,6 @@ const env: cdk.Environment = {
 
 // Application
 const app = new cdk.App();
-// Run CDK-nag on app if specified
-if (config.runCdkNag) {
-    Aspects.of(app).add(new AwsSolutionsChecks({ reports: true, verbose: true }));
-}
 
 new LisaServeApplicationStage(app, config.deploymentStage, {
     env: env,

diff --git a/lib/stages.ts b/lib/stages.ts
@@ -28,6 +28,7 @@ import {
     Tags,
 } from 'aws-cdk-lib';
 import { Construct } from 'constructs';
+import { AwsSolutionsChecks, NIST80053R5Checks } from 'cdk-nag';
 
 import { LisaChatApplicationStack } from './chat';
 import { CoreStack, ARCHITECTURE } from './core';
@@ -238,6 +239,14 @@ export class LisaServeApplicationStage extends Stage {
             });
         }
 
+        // Run CDK-nag on app if specified
+        if (config.runCdkNag) {
+            stacks.forEach((lisaStack) => {
+                Aspects.of(lisaStack).add(new AwsSolutionsChecks({ reports: true, verbose: true }));
+                Aspects.of(lisaStack).add(new NIST80053R5Checks({ reports: true, verbose: true }));
+            });
+        }
+
         // Enforce updates to EC2 launch templates
         Aspects.of(this).add(new UpdateLaunchTemplateMetadataOptions());
     }