NHSDigital · anthony-nhs · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
diff --git a/.github/scripts/check_ecr_image_scan_results.sh b/.github/scripts/check_ecr_image_scan_results.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -44,10 +44,12 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@27a44fb54f4023136d2c14058e3256e73af9901e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     needs: [get_asdf_version, get_commit_id]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      run_docker_scan: true
+      docker_images: "eps-cdk-utils"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 

diff --git a/.github/workflows/docker_image_upload.yml b/.github/workflows/docker_image_upload.yml
@@ -81,11 +81,3 @@ jobs:
         run: |
           docker tag "cdk-utils-build:${VERSION_NUMBER}" "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:latest"
           docker push "${ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/cdk-utils-build-repo:latest"
-
-      - name: Check cdk-utils-build scan results
-        env:
-          REPOSITORY_NAME: cdk-utils-build-repo
-          IMAGE_TAG: ${{ inputs.DOCKER_IMAGE_TAG }}
-        working-directory: .github/scripts
-        run: |
-          ./check_ecr_image_scan_results.sh
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -34,10 +34,13 @@ jobs:
   pr_title_format_check:
     uses: NHSDigital/eps-common-workflows/.github/workflows/pr_title_check.yml@27a44fb54f4023136d2c14058e3256e73af9901e
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@27a44fb54f4023136d2c14058e3256e73af9901e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     needs: [get_asdf_version, get_commit_id]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      run_docker_scan: true
+      docker_images: "eps-cdk-utils"
+
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -45,10 +45,12 @@ jobs:
           TAG_FORMAT=$(yq '.TAG_FORMAT' .github/config/settings.yml)
           echo "TAG_FORMAT=$TAG_FORMAT" >> "$GITHUB_OUTPUT"
   quality_checks:
-    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@27a44fb54f4023136d2c14058e3256e73af9901e
+    uses: NHSDigital/eps-common-workflows/.github/workflows/quality-checks.yml@e31e25273fb87450be4ef763ddbed4f531c45f8e
     needs: [get_asdf_version, get_commit_id]
     with:
       asdfVersion: ${{ needs.get_asdf_version.outputs.asdf_version }}
+      run_docker_scan: true
+      docker_images: "eps-cdk-utils"
     secrets:
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -0,0 +1,25 @@
+vulnerabilities:
+  - id: CVE-2025-64756
+    statement: downstream dependency for glob - waiting for new npm release
+    expired_at: 2026-06-01
+  - id: CVE-2026-23745
+    statement: downstream dependency for tar - waiting for new npm release
+    expired_at: 2026-06-01
+  - id: CVE-2026-23950
+    statement: downstream dependency for tar - waiting for new npm release
+    expired_at: 2026-06-01
+  - id: CVE-2026-24842
+    statement: downstream dependency for tar - waiting for new npm release
+    expired_at: 2026-06-01
+  - id: CVE-2026-24049
+    statement: downstream dependency for wheel - waiting for new python release
+    expired_at: 2026-06-01
+  - id: CVE-2025-47907
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2025-58183
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
+  - id: CVE-2025-61729
+    statement: downstream dependency for asdf/go - waiting for new asdf release
+    expired_at: 2026-06-01
diff --git a/Makefile b/Makefile
@@ -25,10 +25,7 @@ lint-node:
 lint-githubactions:
 	actionlint
 
-lint-githubaction-scripts:
-	shellcheck .github/scripts/*.sh
-
-lint: lint-node lint-githubactions lint-githubaction-scripts
+lint: lint-node lint-githubactions
 
 clean:
 	rm -rf packages/cdkConstructs/lib
@@ -69,3 +66,6 @@ package: build
 build:
 	npm run build --workspace packages/cdkConstructs
 	npm run build --workspace packages/deploymentUtils
+
+docker-build:
+	docker build -t eps-cdk-utils . -f docker/Dockerfile
diff --git a/packages/cdkConstructs/src/apps/createApp.ts b/packages/cdkConstructs/src/apps/createApp.ts
@@ -5,40 +5,62 @@ import {
   StackProps
 } from "aws-cdk-lib"
 import {AwsSolutionsChecks} from "cdk-nag"
-import {getConfigFromEnvVar, getBooleanConfigFromEnvVar, calculateVersionedStackName} from "../config"
+import {getConfigFromEnvVar, getBooleanConfigFromEnvVar} from "../config"
 
 export interface StandardStackProps extends StackProps {
-  readonly stackName: string
+  /** Semantic version of the deployment (from `versionNumber`). */
   readonly version: string
+  /** Git commit identifier baked into the stack. */
   readonly commitId: string
+  /** Whether the stack originates from a pull-request environment. */
   readonly isPullRequest: boolean
+  /** Logical environment identifier (for example `dev`, `prod`). */
   readonly environment: string
+  /** CDK environment configuration used when synthesizing the stack. */
+  readonly env: {
+    /** AWS region targeted by the stack. */
+    readonly region: string
+  }
 }
 
 export interface CreateAppParams {
   readonly productName: string
   readonly appName: string
   readonly repoName: string
   readonly driftDetectionGroup: string
-  readonly isStateless?: boolean
   readonly region?: string
   readonly projectType?: string
   readonly publicFacing?: string
   readonly serviceCategory?: string
 }
 
+/**
+ * Initialize a CDK `App` pre-loaded with NHS EPS tags and mandatory configuration.
+ *
+ * Reads stack metadata from environment variables, and returns
+ * both the created `App` instance and the resolved stack props (including version info).
+ *
+ * @param params - High-level app metadata and optional deployment modifiers.
+ * @param params.productName - Product tag value for the stack.
+ * @param params.appName - Identifier used for `cdkApp` tagging.
+ * @param params.repoName - Repository name stored on the stack tags.
+ * @param params.driftDetectionGroup - Baseline drift detection tag (suffixes `-pull-request` when `isPullRequest`).
+ * @param params.region - AWS region assigned to the stack environment (default `eu-west-2`).
+ * @param params.projectType - Tag describing the project classification (default `Production`).
+ * @param params.publicFacing - Public-facing classification tag (default `Y`).
+ * @param params.serviceCategory - Service category tag (default `Platinum`).
+ * @returns The constructed CDK `App` and the resolved stack props for downstream stacks.
+ */
 export function createApp({
   productName,
   appName,
   repoName,
   driftDetectionGroup,
-  isStateless = true,
   region = "eu-west-2",
   projectType = "Production",
   publicFacing = "Y",
   serviceCategory = "Platinum"
 }: CreateAppParams): { app: App, props: StandardStackProps } {
-  let stackName = getConfigFromEnvVar("stackName")
   const versionNumber = getConfigFromEnvVar("versionNumber")
   const commitId = getConfigFromEnvVar("commitId")
   const isPullRequest = getBooleanConfigFromEnvVar("isPullRequest")
@@ -68,22 +90,16 @@ export function createApp({
   Tags.of(app).add("DeploymentTool", "CDK")
   Tags.of(app).add("version", versionNumber)
   Tags.of(app).add("commit", commitId)
-  Tags.of(app).add("stackName", stackName)
   Tags.of(app).add("cdkApp", appName)
   Tags.of(app).add("repo", repoName)
   Tags.of(app).add("cfnDriftDetectionGroup", cfnDriftDetectionGroup)
 
-  if (isStateless && !isPullRequest) {
-    stackName = calculateVersionedStackName(stackName, versionNumber)
-  }
-
   return {
     app,
     props: {
       env: {
         region
       },
-      stackName,
       version: versionNumber,
       commitId,
       isPullRequest,

diff --git a/packages/cdkConstructs/src/config/index.ts b/packages/cdkConstructs/src/config/index.ts
@@ -35,3 +35,5 @@ export async function getTrustStoreVersion(trustStoreFile: string, region: strin
 export function calculateVersionedStackName(baseStackName: string, version: string): string {
   return `${baseStackName}-${version.replaceAll(".", "-")}`
 }
+
+export {LAMBDA_INSIGHTS_LAYER_ARNS} from "./lambdaInsights"
diff --git a/packages/cdkConstructs/src/config/lambdaInsights.ts b/packages/cdkConstructs/src/config/lambdaInsights.ts
@@ -0,0 +1,6 @@
+// see https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Lambda-Insights-extension-versions.html
+// for latest ARNs
+export const LAMBDA_INSIGHTS_LAYER_ARNS = {
+  x64: "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:64",
+  arm64: "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension-Arm64:31"
+} as const