# API Reference
## Structs
### NagPackProps
Interface for creating a NagPack.
#### Initializer
```typescript
import { NagPackProps } from 'cdk-nag'
const nagPackProps: NagPackProps = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| verbose | boolean | Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false). |
| writeSuppressionsToCloudFormation | boolean | Whether to write acknowledged rules into CfnResource CloudFormation Metadata as `cdk_nag: { rules_to_suppress: [...] }` for backwards compatibility with v2 audit trail tooling (default: false). |
---
##### `verbose` (Optional)
```typescript
public readonly verbose: boolean;
```
- *Type:* boolean
Whether or not to enable extended explanatory descriptions on warning, error, and logged ignore messages (default: false).
---
##### `writeSuppressionsToCloudFormation` (Optional)
```typescript
public readonly writeSuppressionsToCloudFormation: boolean;
```
- *Type:* boolean
Whether to write acknowledged rules into CfnResource CloudFormation Metadata as `cdk_nag: { rules_to_suppress: [...] }` for backwards compatibility with v2 audit trail tooling (default: false).
---
### NagReportLine
A single line in a NagReport.
#### Initializer
```typescript
import { NagReportLine } from 'cdk-nag'
const nagReportLine: NagReportLine = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| compliance | string | *No description.* |
| resourceId | string | *No description.* |
| ruleId | string | *No description.* |
| ruleInfo | string | *No description.* |
| ruleLevel | string | *No description.* |
---
##### `compliance` (Required)
```typescript
public readonly compliance: string;
```
- *Type:* string
---
##### `resourceId` (Required)
```typescript
public readonly resourceId: string;
```
- *Type:* string
---
##### `ruleId` (Required)
```typescript
public readonly ruleId: string;
```
- *Type:* string
---
##### `ruleInfo` (Required)
```typescript
public readonly ruleInfo: string;
```
- *Type:* string
---
##### `ruleLevel` (Required)
```typescript
public readonly ruleLevel: string;
```
- *Type:* string
---
### NagReportSchema
Schema for the NagReport output.
#### Initializer
```typescript
import { NagReportSchema } from 'cdk-nag'
const nagReportSchema: NagReportSchema = { ... }
```
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| lines | NagReportLine[] | *No description.* |
---
##### `lines` (Required)
```typescript
public readonly lines: NagReportLine[];
```
- *Type:* NagReportLine[]
---
## Classes
### AwsSolutionsChecks
Check best practices based on the AWS Solutions Security Matrix.
#### Initializers
```typescript
import { AwsSolutionsChecks } from 'cdk-nag'
new AwsSolutionsChecks(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### HIPAASecurityChecks
Check for HIPAA Security compliance.
Based on the HIPAA Security AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-hipaa_security.html
#### Initializers
```typescript
import { HIPAASecurityChecks } from 'cdk-nag'
new HIPAASecurityChecks(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### NagPack
- *Implements:* aws-cdk-lib.IPolicyValidationPlugin
Base class for all rule packs.
Implements IPolicyValidationPlugin so that
packs are registered via `Validations.of(app).addPlugins(new MyPack(app))`
instead of `Aspects.of(app).add(...)`.
#### Initializers
```typescript
import { NagPack } from 'cdk-nag'
new NagPack(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### NagRules
Helper class with methods for rule creation.
#### Initializers
```typescript
import { NagRules } from 'cdk-nag'
new NagRules()
```
---
#### Static Functions
| **Name** | **Description** |
| --- | --- |
| resolveIfPrimitive | Use in cases where a primitive value must be known to pass a rule. |
| resolveResourceFromInstrinsic | *No description.* |
| resolveResourceFromIntrinsic | Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule. |
---
##### `resolveIfPrimitive`
```typescript
import { NagRules } from 'cdk-nag'
NagRules.resolveIfPrimitive(node: CfnResource, parameter: any)
```
Use in cases where a primitive value must be known to pass a rule.
https://developer.mozilla.org/en-US/docs/Glossary/Primitive
###### `node` (Required)
- *Type:* aws-cdk-lib.CfnResource
The CfnResource to check.
---
###### `parameter` (Required)
- *Type:* any
The value to attempt to resolve.
---
##### ~~`resolveResourceFromInstrinsic`~~
```typescript
import { NagRules } from 'cdk-nag'
NagRules.resolveResourceFromInstrinsic(node: CfnResource, parameter: any)
```
###### `node` (Required)
- *Type:* aws-cdk-lib.CfnResource
The CfnResource to check.
---
###### `parameter` (Required)
- *Type:* any
The value to attempt to resolve.
---
##### `resolveResourceFromIntrinsic`
```typescript
import { NagRules } from 'cdk-nag'
NagRules.resolveResourceFromIntrinsic(node: CfnResource, parameter: any)
```
Use in cases where a token resolves to an intrinsic function and the referenced resource must be known to pass a rule.
###### `node` (Required)
- *Type:* aws-cdk-lib.CfnResource
The CfnResource to check.
---
###### `parameter` (Required)
- *Type:* any
The value to attempt to resolve.
---
### NIST80053R4Checks
Check for NIST 800-53 rev 4 compliance.
Based on the NIST 800-53 rev 4 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html
#### Initializers
```typescript
import { NIST80053R4Checks } from 'cdk-nag'
new NIST80053R4Checks(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### NIST80053R5Checks
Check for NIST 800-53 rev 5 compliance.
Based on the NIST 800-53 rev 5 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_5.html
#### Initializers
```typescript
import { NIST80053R5Checks } from 'cdk-nag'
new NIST80053R5Checks(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### PCIDSS321Checks
Check for PCI DSS 3.2.1 compliance. Based on the PCI DSS 3.2.1 AWS operational best practices: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html.
#### Initializers
```typescript
import { PCIDSS321Checks } from 'cdk-nag'
new PCIDSS321Checks(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### ServerlessChecks
Serverless Checks are a compilation of rules to validate infrastructure-as-code templates against recommended practices.
#### Initializers
```typescript
import { ServerlessChecks } from 'cdk-nag'
new ServerlessChecks(scope?: IConstruct, props?: NagPackProps)
```
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| scope | constructs.IConstruct | *No description.* |
| props | NagPackProps | *No description.* |
---
##### `scope` (Optional)
- *Type:* constructs.IConstruct
---
##### `props` (Optional)
- *Type:* NagPackProps
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| validate | Entry point called by the CDK validation framework. |
| validateScope | Validate a construct tree directly. |
---
##### `validate`
```typescript
public validate(context: IPolicyValidationContext): PolicyValidationPluginReport
```
Entry point called by the CDK validation framework.
Requires `appConstruct` to be present on the context (CDK core change).
For testing or direct invocation, use `validateScope(scope)`.
###### `context` (Required)
- *Type:* aws-cdk-lib.IPolicyValidationContext
---
##### `validateScope`
```typescript
public validateScope(scope: IConstruct): PolicyValidationPluginReport
```
Validate a construct tree directly.
This is the primary entry point
for testing and for CDK versions that do not yet provide `appConstruct` on
`IPolicyValidationContext`.
###### `scope` (Required)
- *Type:* constructs.IConstruct
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| name | string | The name of the plugin that will be displayed in the validation report. |
| readPackName | string | *No description.* |
| ruleIds | string[] | The list of rule IDs that the plugin will evaluate. |
| version | string | The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`. |
---
##### `name` (Required)
```typescript
public readonly name: string;
```
- *Type:* string
The name of the plugin that will be displayed in the validation report.
---
##### `readPackName` (Required)
```typescript
public readonly readPackName: string;
```
- *Type:* string
---
##### `ruleIds` (Optional)
```typescript
public readonly ruleIds: string[];
```
- *Type:* string[]
The list of rule IDs that the plugin will evaluate.
Used for analytics
purposes.
---
##### `version` (Optional)
```typescript
public readonly version: string;
```
- *Type:* string
The version of the plugin, following the Semantic Versioning specification (see https://semver.org/). This version is used for analytics purposes, to measure the usage of different plugins and different versions. The value of this property should be kept in sync with the actual version of the software package. If the version is not provided or is not a valid semantic version, it will be reported as `0.0.0`.
---
### WriteNagSuppressionsToCloudFormationAspect
- *Implements:* aws-cdk-lib.IAspect
An IAspect that reads acknowledged rules from construct metadata and writes them into the CfnResource's CloudFormation Metadata for audit trail persistence in the synthesized template.
Preserves the v2 `cdk_nag`
metadata format.
#### Initializers
```typescript
import { WriteNagSuppressionsToCloudFormationAspect } from 'cdk-nag'
new WriteNagSuppressionsToCloudFormationAspect()
```
---
#### Methods
| **Name** | **Description** |
| --- | --- |
| visit | All aspects can visit an IConstruct. |
---
##### `visit`
```typescript
public visit(node: IConstruct): void
```
All aspects can visit an IConstruct.
###### `node` (Required)
- *Type:* constructs.IConstruct
---
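The `cdk_nag: { rules_to_suppress: [...] }` metadata that this aspect and the `writeSuppressionsToCloudFormation` option write can be reviewed straight from the synthesized template. The following is an added example, not cdk-nag's own code: it assumes each entry carries `id` and `reason` fields (the page shows only `[...]`), and `auditSuppressions`, `needsReview`, `MIN_REASON_LENGTH` and the sample template are hypothetical names and constructed data.

```typescript
// Added example: review cdk_nag suppression metadata in a synthesized template.
// Assumption: each rules_to_suppress entry looks like { id: string, reason: string }.

type Json = Record<string, any>;

interface SuppressionFinding {
  logicalId: string;    // CloudFormation logical ID of the resource
  resourceType: string; // e.g. AWS::S3::Bucket
  ruleId: string;       // suppressed rule, '' when the entry has none
  reason: string;       // justification recorded by the developer
  issues: string[];     // empty when the entry passes every check
}

const MIN_REASON_LENGTH = 10; // hypothetical threshold for a usable justification

// Walk every resource and check each suppression entry.
// packPrefixes lists the rule-ID prefixes of the packs actually enabled.
function auditSuppressions(templateJson: string, packPrefixes: string[]): SuppressionFinding[] {
  const template: Json = JSON.parse(templateJson);
  const resources: Json = template.Resources ?? {};
  const findings: SuppressionFinding[] = [];

  for (const logicalId of Object.keys(resources)) {
    const resource: Json = resources[logicalId] ?? {};
    const raw = resource.Metadata?.cdk_nag?.rules_to_suppress;
    if (raw === undefined) continue; // nothing suppressed on this resource

    const wellFormed = Array.isArray(raw);
    const entries: Json[] = wellFormed ? raw : [raw];
    const seen = new Set<string>();

    for (const entry of entries) {
      const ruleId = typeof entry?.id === 'string' ? entry.id : '';
      const reason = typeof entry?.reason === 'string' ? entry.reason.trim() : '';
      const issues: string[] = [];

      if (!wellFormed) issues.push('rules_to_suppress is not an array');
      if (ruleId === '') {
        issues.push('missing rule id');
      } else if (!packPrefixes.some((p) => ruleId.startsWith(p + '-'))) {
        // A typo or a rule from a pack that is not enabled: the entry suppresses nothing.
        issues.push('rule id matches no enabled pack');
      }
      if (reason.length < MIN_REASON_LENGTH) issues.push('reason missing or too short');
      if (ruleId !== '' && seen.has(ruleId)) issues.push('duplicate suppression');
      seen.add(ruleId);

      findings.push({
        logicalId,
        resourceType: String(resource.Type ?? 'unknown'),
        ruleId,
        reason,
        issues,
      });
    }
  }
  return findings;
}

// Entries a reviewer should look at before the template is deployed.
function needsReview(findings: SuppressionFinding[]): SuppressionFinding[] {
  return findings.filter((f) => f.issues.length > 0);
}

// Constructed sample template (not real output).
const SAMPLE_TEMPLATE = JSON.stringify({
  Resources: {
    LogsBucket: {
      Type: 'AWS::S3::Bucket',
      Metadata: { cdk_nag: { rules_to_suppress: [
        { id: 'AwsSolutions-S1', reason: 'This bucket is the access-log destination itself.' },
      ] } },
    },
    UploadBucket: {
      Type: 'AWS::S3::Bucket',
      Metadata: { cdk_nag: { rules_to_suppress: [
        { id: 'AwsSolutions-S1', reason: 'todo' },
        { id: 'AwsSolution-S10', reason: 'TLS is enforced at the CDN layer instead.' },
        { id: 'AwsSolutions-S1', reason: 'Duplicate entry left over from a refactor.' },
      ] } },
    },
    Queue: { Type: 'AWS::SQS::Queue' }, // no Metadata: skipped
  },
});

for (const f of needsReview(auditSuppressions(SAMPLE_TEMPLATE, ['AwsSolutions']))) {
  console.log(`${f.logicalId} ${f.ruleId || '<no id>'}: ${f.issues.join(', ')}`);
}
```
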
## Protocols
### IApplyRule
- *Implemented By:* IApplyRule
Interface for JSII interoperability for passing parameters and the Rule Callback to.
#### Methods
| **Name** | **Description** |
| --- | --- |
| rule | The callback to the rule. |
---
##### `rule`
```typescript
public rule(node: CfnResource): NagRuleCompliance | string[]
```
The callback to the rule.
###### `node` (Required)
- *Type:* aws-cdk-lib.CfnResource
The CfnResource to check.
---
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| explanation | string | Why the rule exists. |
| info | string | Why the rule was triggered. |
| level | NagMessageLevel | The annotations message level to apply to the rule if triggered. |
| node | aws-cdk-lib.CfnResource | The CfnResource to check. |
| ruleSuffixOverride | string | Override for the suffix of the Rule ID for this rule. |
---
##### `explanation` (Required)
```typescript
public readonly explanation: string;
```
- *Type:* string
Why the rule exists.
---
##### `info` (Required)
```typescript
public readonly info: string;
```
- *Type:* string
Why the rule was triggered.
---
##### `level` (Required)
```typescript
public readonly level: NagMessageLevel;
```
- *Type:* NagMessageLevel
The annotations message level to apply to the rule if triggered.
---
##### `node` (Required)
```typescript
public readonly node: CfnResource;
```
- *Type:* aws-cdk-lib.CfnResource
The CfnResource to check.
---
##### `ruleSuffixOverride` (Optional)
```typescript
public readonly ruleSuffixOverride: string;
```
- *Type:* string
Override for the suffix of the Rule ID for this rule.
---
### INagValidationContext
- *Extends:* aws-cdk-lib.IPolicyValidationContext
- *Implemented By:* INagValidationContext
Extended validation context that includes the construct tree.
Requires CDK core change to populate `appConstruct` during plugin validation.
#### Properties
| **Name** | **Type** | **Description** |
| --- | --- | --- |
| templatePaths | string[] | The absolute path of all templates to be processed. |
| appConstruct | constructs.IConstruct | *No description.* |
---
##### `templatePaths` (Required)
```typescript
public readonly templatePaths: string[];
```
- *Type:* string[]
The absolute path of all templates to be processed.
---
##### `appConstruct` (Required)
```typescript
public readonly appConstruct: IConstruct;
```
- *Type:* constructs.IConstruct
---
## Enums
### NagMessageLevel
The severity level of the rule.
#### Members
| **Name** | **Description** |
| --- | --- |
| WARN | *No description.* |
| ERROR | *No description.* |
| INFO | *No description.* |
---
##### `WARN`
---
##### `ERROR`
---
##### `INFO`
---
### NagReportFormat
Possible output formats of the NagReport.
#### Members
| **Name** | **Description** |
| --- | --- |
| CSV | *No description.* |
| JSON | *No description.* |
---
##### `CSV`
---
##### `JSON`
---
### NagRuleCompliance
The compliance level of a resource in relation to a rule.
#### Members
| **Name** | **Description** |
| --- | --- |
| COMPLIANT | *No description.* |
| NON_COMPLIANT | *No description.* |
| NOT_APPLICABLE | *No description.* |
---
##### `COMPLIANT`
---
##### `NON_COMPLIANT`
---
##### `NOT_APPLICABLE`
---
### NagRulePostValidationStates
Additional states a rule can be in post compliance validation.
#### Members
| **Name** | **Description** |
| --- | --- |
| UNKNOWN | *No description.* |
---
##### `UNKNOWN`
---