@aws-cdk/cdk-assets-lib
CDK Asset Publishing Library
9
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
amzn-ossaws-cdk-team
Keywords
awscdk
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): AWS CDK packages migrated publishing to GitHub Actions CI/CD; SLSA provenance attestation confirms artifact integrity. This transition is expected and documented for the aws-cdk-cli monorepo. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is explicitly declared as a runtime dependency in package.json; phantom-dep finding is a false positive. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used for ECR authorization token parsing — standard AWS ECR auth flow, not obfuscation. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): process.env spreading is necessary for Docker command execution in a CDK asset publishing library. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is required for spawning Docker and shell commands — core functionality of a CDK asset publishing library. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn is used to execute Docker commands for asset publishing — expected and documented behavior. | ai |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 1.4.9 | 14 / 33 | |
| 1.4.8 | 14 / 33 | |
| 1.4.7 | 14 / 33 | |
| 1.4.6 | 14 / 33 | |
| 1.0.4 | 14 / 30 | |
| 1.0.3 | 14 / 30 | |
| 1.0.2 | 14 / 30 | |
| 1.0.1 | 14 / 30 | |
| 1.0.0 | 14 / 30 |
v1.4.9
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.8
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.7
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.4.6
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.