diff --git a/src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts b/src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts
new file mode 100644
index 0000000..f5f4a73
--- /dev/null
+++ b/src/typescript/detector/high/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=exposure-of-sensitive-information-cdk@v1.0 defects=1}
+import * as cdk from '@aws-cdk/core'
+import { CfnSecurityGroupIngress, } from 'aws-cdk-lib/aws-ec2'
+import {Stack} from 'aws-cdk-lib/core'
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Noncompliant: 0.0.0.0/0 range is used
+ new CfnSecurityGroupIngress(Stack, 'rIngress', {
+ ipProtocol: 'tcp',
+ cidrIp: '0.0.0.0/0',
+ })
+ }
+}
+// {/fact}
+
+// {fact rule=exposure-of-sensitive-information-cdk@v1.0 defects=0}
+import * as cdk from '@aws-cdk/core'
+import { CfnSecurityGroupIngress, } from 'aws-cdk-lib/aws-ec2'
+import {Stack} from 'aws-cdk-lib/core'
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Compliant: 0.0.0.0/0 range is not used
+ new CfnSecurityGroupIngress(Stack, 'rIngress', {
+ ipProtocol: 'tcp',
+ cidrIp: '1.2.3.4/32',
+ })
+ }
+}
+// {/fact}
diff --git a/src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts b/src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts
new file mode 100644
index 0000000..774ae23
--- /dev/null
+++ b/src/typescript/detector/high/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk.ts
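Review bot: Both fixtures pass the `Stack` class imported from `aws-cdk-lib/core` as the construct scope, so `new CfnSecurityGroupIngress(Stack, 'rIngress', …)` would not synthesize; the scope must be the stack instance, `new CfnSecurityGroupIngress(this, 'rIngress', {`. The same file imports `@aws-cdk/core` (CDK v1) and `aws-cdk-lib` (CDK v2) side by side, and those two do not share a construct tree, so one of them should go. Neither ingress sets a `groupId` or a port range, so even the "compliant" example is not a rule a practitioner could copy; adding `groupId` plus `fromPort`/`toPort` for `'tcp'` would make the fixture concrete. If the detector keys only on the literal `0.0.0.0/0`, an equally open `cidrIpv6: '::/0'` ingress is worth a second noncompliant fixture — that is an inference about the rule, which is not visible here.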
@@ -0,0 +1,38 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=s3-partial-encrypt-cdk@v1.0 defects=1}
+import * as s3 from '@aws-cdk/aws-s3'
+import * as cdk from '@aws-cdk/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Noncompliant: No encryption specified
+ const bucket = new s3.Bucket(this, 's3-bucket-bad')
+ }
+}
+// {/fact}
+
+// {fact rule=s3-partial-encrypt-cdk@v1.0 defects=0}
+import * as s3 from '@aws-cdk/aws-s3'
+import * as cdk from '@aws-cdk/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Compliant: S3_MANGAGED encryption being used
+ const bucket = new s3.Bucket(this, 's3-bucket',
+ { encryption: s3.BucketEncryption.S3_MANAGED })
+ }
+}
+// {/fact}
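Review bot: The compliant fixture's comment misspells the enum it names: `// Compliant: S3_MANGAGED encryption being used` should read `// Compliant: S3_MANAGED encryption being used`, matching `s3.BucketEncryption.S3_MANAGED` on the next line. In both fixtures `const bucket` is assigned and never read, so a build with `noUnusedLocals` would reject the file; a bare `new s3.Bucket(this, 's3-bucket-bad')` statement carries the same signal for the detector. "No encryption specified" describes the unset default of the `@aws-cdk/aws-s3` v1 package used here; the unset default in newer `aws-cdk-lib` releases may differ, so a one-line comment pinning the fixture to that v1 default would keep it honest if it is ported. If the rule keys on the `encryption` property being present, a `KMS_MANAGED` compliant case would confirm customer-managed keys are not flagged — again an inference about the rule, not visible in the hunk.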