feat(core): integrate construct annotations into validation report

[kaizencc]

Reason for this change

Part of the Validations RFC.

This PR furthers the RFC by integrating construct annotations (warnings and errors added via Annotations.of() or Validations.of()) into the existing policy validation report. Currently, annotations are only surfaced through the CLI's standard metadata display and are not part of the validation report, meaning users who rely on the report for compliance visibility don't see annotation-based issues alongside plugin violations.

Description of changes

Integrate construct annotations into the existing validation report pipeline by collecting annotation metadata post-synthesis and converting it into a NamedValidationPluginReport with source "Construct Annotations". This is not the final unified report format discussed in the RFC — it is an integration of annotations as a "plugin" into the existing report framework and structure.

core/lib/private/synthesis.ts:

• collectAnnotationReport() — walks the full construct tree (including across Stage boundaries via iterateDfsPreorder) to collect aws:cdk:warning and aws:cdk:error metadata entries, converting them to PolicyViolation format. Violations are grouped by rule name + severity + description so that multiple constructs triggering the same rule appear as one violation with multiple resources.
• extractRuleName() — extracts the rule ID from [ack: <id>] tags when available; falls back to generic aws-cdk:warning / aws-cdk:error for untagged annotations (these cannot be acknowledged, so uniqueness is not required). Includes a coupling note documenting the dependency on the ackTag() format in annotations.ts.
• findNearestResource() — maps a construct to its nearest CfnResource for logical ID and template path resolution
• invokeValidationPlugins() — calls collectAnnotationReport() after plugin execution and merges the result into the reports[] array

core/lib/validation/private/report.ts:

• formatJson filter changed from !rep.success to !rep.success || rep.violations.length > 0 so that warning-only reports (which are success: true) still render their violations. This is intentional — violations should always be visible regardless of the overall success status. This broadens behavior for all validation sources: a plugin returning success: true with violations would now appear in the report when it previously didn't.
• Report headers renamed from "Plugin Report" / "Plugin:" to "Validation Report" / "Source:" to accommodate non-plugin validation sources

⚠️ User-visible output changes: The report header and summary table labels have changed (Plugin Report → Validation Report, Plugin: → Source:, Plugin column → Source). CI scripts or tools that parse the text report output may need updating.

core/test/validation/validation.test.ts:

• 10 new tests covering: annotation warnings in report, annotation errors causing failure, acknowledged warnings excluded, partial acknowledgment via Validations.of().acknowledge(), annotations alongside plugins, annotations without plugins, orphan constructs (verifying construct path fallback), Validations.of().addWarning, Validations.of().addError, and extractRuleName regex coupling with addWarningV2 format
• Updated test helpers to match renamed report headers

Sample output

Below is the validation report output showing a plugin (CfnGuardValidator) and construct annotations side-by-side:

Performing Policy Validations

Validation Report
-----------------

╔═══════════════════════════════╗
║       Validation Report       ║
║   Source: CfnGuardValidator   ║
║   Version: N/A                ║
║   Status: failure             ║
╚═══════════════════════════════╝


(Violations)

S3_BUCKET_VERSIONING_ENABLED (1 occurrences)
Severity: high

  Occurrences:

    - Construct Path: DemoStack/MyBucket/Resource
    - Template Path: <outdir>/DemoStack.template.json
    - Creation Stack:
	└──  DemoStack (DemoStack)
	     │ Construct: constructs.Construct
	     └──  MyBucket (DemoStack/MyBucket)
	          └──  Resource (DemoStack/MyBucket/Resource)
    - Resource ID: MyBucketF68F3FF0
    - Template Locations:
      > Properties/VersioningConfiguration

  Description: S3 Bucket should have versioning enabled
  How to fix: Set the "VersioningConfiguration.Status" property to "Enabled"

╔═══════════════════════════════════╗
║         Validation Report         ║
║   Source: Construct Annotations   ║
║   Version: N/A                    ║
║   Status: failure                 ║
╚═══════════════════════════════════╝


(Violations)

@aws-cdk/aws-s3:bucketNotEncrypted (1 occurrences)
Severity: warning

  Occurrences:

    - Construct Path: DemoStack/MyBucket/Resource
    - Template Path: <outdir>/DemoStack.template.json
    - Creation Stack:
	└──  DemoStack (DemoStack)
	     └──  MyBucket (DemoStack/MyBucket)
	          └──  Resource (DemoStack/MyBucket/Resource)
    - Resource ID: MyBucketF68F3FF0
    - Template Locations:

  Description: This bucket does not have default encryption enabled [ack: @aws-cdk/aws-s3:bucketNotEncrypted]

aws-cdk:error (1 occurrences)
Severity: error

  Occurrences:

    - Construct Path: DemoStack/MyQueue/Resource
    - Template Path: <outdir>/DemoStack.template.json
    - Creation Stack:
	└──  DemoStack (DemoStack)
	     └──  MyQueue (DemoStack/MyQueue)
	          └──  Resource (DemoStack/MyQueue/Resource)
    - Resource ID: MyQueueE6CA6235
    - Template Locations:

  Description: Queue does not have a dead letter queue configured

annotation::TopicNoEncryption (1 occurrences)
Severity: warning

  Occurrences:

    - Construct Path: DemoStack/MyTopic/Resource
    - Template Path: <outdir>/DemoStack.template.json
    - Creation Stack:
	└──  DemoStack (DemoStack)
	     └──  MyTopic (DemoStack/MyTopic)
	          └──  Resource (DemoStack/MyTopic/Resource)
    - Resource ID: MyTopic86869434
    - Template Locations:

  Description: SNS Topic is not encrypted at rest [ack: annotation::TopicNoEncryption]

Policy Validation Report Summary

╔═══════════════════════╤═════════╗
║ Source                │ Status  ║
╟───────────────────────┼─────────╢
║ CfnGuardValidator     │ failure ║
╟───────────────────────┼─────────╢
║ Construct Annotations │ failure ║
╚═══════════════════════╧═════════╝

Validation failed. See the validation report above for details

Describe any new or updated permissions being added

N/A

Description of how you validated changes

• tsc --noEmit passes cleanly
• All 36 validation tests pass (26 existing + 10 new)
• Visual report output verified with a demo app exercising all three annotation paths (Annotations.of().addWarningV2, Annotations.of().addError, Validations.of().addWarning)

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

➡️ PR build request submitted to test-main-pipeline ⬅️

A maintainer must now check the pipeline and add the pr-linter/cli-integ-tested label once the pipeline succeeds.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-05-05 02:45 UTC · Rule: default-squash
• ✅ Checks passed · in-place
• ✅ Merged — 2026-05-05 03:14 UTC · at 89546651b793ea9fd960eb7d1c8225fc23a6b411 · squash

This pull request spent 29 minutes 27 seconds in the queue, including 29 minutes 11 seconds running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(core): integrate construct annotations into validation report #37712
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(core): integrate construct annotations into validation report #37712
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.