From 56af12b3c8f791761dd13debfd66f4fcd3a7f873 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 16 Mar 2026 16:50:46 +0000
Subject: [PATCH 1/3] add exclude
---
 .../src/constructs/PythonLambdaFunction.ts | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
index c49db862..83c8a1b1 100644
--- a/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
+++ b/packages/cdkConstructs/src/constructs/PythonLambdaFunction.ts
@@ -80,6 +80,17 @@ export interface PythonLambdaFunctionProps {
 * @default Architecture.X86_64
 */
 readonly architecture?: Architecture
+ /**
+ * Any files to exclude from the Lambda asset bundle.
+ * Defaults to these files
+ * "tests",
+ * "pytest.ini",
+ * ".vscode",
+ * "__pycache__",
+ * "*.pyc"
+ */
+ readonly excludeFromAsset?: Array
+
 }
 
 export class PythonLambdaFunction extends Construct {
@@ -167,7 +178,14 @@ export class PythonLambdaFunction extends Construct {
 layers = [], // Default to empty array
 timeoutInSeconds = 50,
 runtime = Runtime.PYTHON_3_14,
- architecture = Architecture.X86_64
+ architecture = Architecture.X86_64,
+ excludeFromAsset = [
+ "tests",
+ "pytest.ini",
+ ".vscode",
+ "__pycache__",
+ "*.pyc"
+ ]
 } = props
 
 const {logGroup, role, insightsLayer} = createSharedLambdaResources(this, {
@@ -196,7 +214,9 @@ export class PythonLambdaFunction extends Construct {
 functionName: functionName,
 architecture,
 handler: handler,
- code: Code.fromAsset(join(projectBaseDir, packageBasePath)),
+ code: Code.fromAsset(join(projectBaseDir, packageBasePath), {
+ exclude: excludeFromAsset
+ }),
 role,
 environment: {
 ...environmentVariables,
From 3ddd3b9215c5d25c58da24b57a6bda3afea28e94 Mon Sep 17 00:00:00 2001
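Review bot: The doc comment added for `excludeFromAsset` in the first hunk lists the defaults as prose and omits the `@default` tag that `architecture` carries directly above it. It also does not say that the entries are handed to the `exclude` option of `Code.fromAsset` (third hunk), or that a supplied array replaces the default list instead of extending it. I would reword it to something like `Patterns excluded from the Lambda asset bundle; supplying a value replaces the default list.` followed by `@default ["tests", "pytest.ini", ".vscode", "__pycache__", "*.pyc"]`. The interface body starts outside the hunk.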
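Review bot: Passing `excludeFromAsset` to add a single pattern drops every default, because the list in the destructuring default (second hunk) applies only when the prop is undefined and the third hunk forwards the value unchanged as `exclude`. A stack that sets `excludeFromAsset: ["fixtures"]` would therefore ship `tests`, `.vscode` and `__pycache__` in the deployed package again without any warning. If extending the list is the expected use, keep the defaults in a module-level constant, default the prop to `[]`, and pass `exclude: [...defaultExcludes, ...excludeFromAsset]` (the constant name is illustrative). The defaults also cover only test and editor artefacts, so it is worth confirming that nothing sensitive, such as local environment or credential files, can sit under `packageBasePath`. The enclosing function body starts and ends outside both hunks.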
From: Anthony Brown Date: Mon, 16 Mar 2026 17:16:43 +0000 Subject: [PATCH 2/3] fix trivy --- .trivy_out/license_scan.txt | 25 ------------------------- .trivyignore.yaml | 6 ++++++ 2 files changed, 6 insertions(+), 25 deletions(-) delete mode 100644 .trivy_out/license_scan.txt diff --git a/.trivy_out/license_scan.txt b/.trivy_out/license_scan.txt deleted file mode 100644 index bf2f164e..00000000 --- a/.trivy_out/license_scan.txt +++ /dev/null @@ -1,25 +0,0 @@ - -Report Summary - -┌─────────────────────────────────────────────────────────────────┬────────┬──────────┐ -│ Target │ Type │ Licenses │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ node_modules/@aws-cdk/asset-awscli-v1/layer/requirements.txt │ pip │ - │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ node_modules/aws-cdk/lib/init-templates/app/java/pom.xml │ pom │ - │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ node_modules/aws-cdk/lib/init-templates/sample-app/java/pom.xml │ pom │ - │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ package-lock.json │ npm │ - │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ poetry.lock │ poetry │ - │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ requirements.txt │ pip │ - │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ package-lock.json │ - │ 0 │ -├─────────────────────────────────────────────────────────────────┼────────┼──────────┤ -│ requirements.txt │ - │ 0 │ -└─────────────────────────────────────────────────────────────────┴────────┴──────────┘ -Legend: -- '-': Not scanned -- '0': Clean (no security findings detected) diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 0eb58b01..0754eb44 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml 
@@ -71,3 +71,9 @@ vulnerabilities:
 - id: CVE-2026-27142
 statement: asdf go stdlib
 expired_at: 2026-06-01
+ - id: CVE-2026-27142
+ statement: asdf go stdlib
+ expired_at: 2026-06-01
+ - id: CVE-2026-32141
+ statement: flatted
+ expired_at: 2026-06-01
From 4044ed868bf80b2bc72cd4627159629d9d4f8839 Mon Sep 17 00:00:00 2001
From: Anthony Brown
Date: Mon, 16 Mar 2026 17:17:01 +0000
Subject: [PATCH 3/3] update ignore
---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index be8b69f6..d28ca73f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,5 @@ _site/
 .sass-cache
 .jekyll-cache
 .jekyll-metadata
-vendor
\ No newline at end of file
+vendor
+.trivy_out/
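Review bot: The first three added lines of the `.trivyignore.yaml` hunk repeat the `CVE-2026-27142` entry that already sits immediately above them as context, so the file now carries the same suppression twice; dropping the duplicate leaves only the new `CVE-2026-32141` entry. For that entry, `statement: flatted` names the package but not why the finding is acceptable to suppress, which is what a reviewer needs when the `expired_at` date comes round. I would write it as `statement: flatted - <reason the finding is accepted, e.g. dev-only dependency or no fixed version yet>` with the real justification filled in. The `vulnerabilities:` list starts outside the hunk.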