feature/add git secrets

README.md

@@ -13,8 +13,10 @@
 - node:20
 ******
 
+
 # ABOUT
 Sample for DevSecOps environment.
+If you need help or questions, please contact [twitter](https://twitter.com/sigma5736394841), issues.
 ## AWS
 - app-infrastructure-roles
 ![app-infrastructure-roles](./doc/fig/cfn/app-infrastructure-roles.png)
@@ -165,10 +167,14 @@ git secrets --register-aws # awsのクレデンシャル検知ルールを登録
 
 
 # HOW TO USE
-[PREPARING](#PREPARING)の設定後にはGitHubにコードをコミットしたり，pushするだけ。
+1. [PREPARING](#PREPARING)の設定を先にやる。
+2. commit時にはpre-commitとgit-secretが作動
+3. push時にはGitHub ActionsによりSAST(semgrep)，UnitTest(jest)，Dependency Check(trivy)が実行される。
+4. masterブランチにマージしたりmasterにpushした時にCodePipelineによってAWSへリポジトリがクローンされ，ビルド(image scanを含む)，developmentへのデプロイが始まる。
+5. developmentで問題がなければCodePipeline上で承認し，productionへデプロイ
 ******
 
 
 # MEMO
+## nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
 - [ECSの仕様で非特権ユーザを使用したコンテナでは80番ポートが使えないっぽい](https://repost.aws/questions/QU1bCV9wT4T5iBrrP1c2ISfg/container-cannot-bind-to-port-80-running-as-non-root-user-on-ecs-fargate) --> つまり，localのdockerで80でサービスが起動できてもECSだと権限エラーになる。このため，コンテナで開放するportは8080としている(ALBに対して8080がマッピングされているためブラウザからは80でアクセスできる)。
-> nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

copilot/pipelines/react-app-pipeline/buildspec.yml

@@ -8,6 +8,10 @@ phases:
       # Download the copilot linux binary.
       - wget -q https://ecs-cli-v2-release.s3.amazonaws.com/copilot-linux-v1.32.0 -O copilot-linux
       - chmod +x ./copilot-linux
+      # Download trivy. https://aquasecurity.github.io/trivy/v0.48/getting-started/installation/
+      - echo "install trivy"
+      - rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.48.0/trivy_0.48.0_Linux-64bit.rpm
+
   build:
     commands:
       - echo "Run your tests"
@@ -48,11 +52,11 @@ phases:
         for env in $pl_envs; do
           tag=$(echo ${CODEBUILD_BUILD_ID##*:}-$env | sed 's/:/-/g' | rev | cut -c 1-128 | rev)
           for svc in $svcs; do
-          ./copilot-linux svc package -n $svc -e $env --output-dir './infrastructure' --tag $tag --upload-assets;
-          if [ $? -ne 0 ]; then
-            echo "Cloudformation stack and config files were not generated. Please check build logs to see if there was a manifest validation error." 1>&2;
-            exit 1;
-          fi
+            ./copilot-linux svc package -n $svc -e $env --output-dir './infrastructure' --tag $tag --upload-assets;
+            if [ $? -ne 0 ]; then
+              echo "Cloudformation stack and config files were not generated. Please check build logs to see if there was a manifest validation error." 1>&2;
+              exit 1;
+            fi
           done;
           for job in $jobs; do
           ./copilot-linux job package -n $job -e $env --output-dir './infrastructure' --tag $tag --upload-assets;
@@ -63,6 +67,10 @@ phases:
           done;
         done;
       - ls -lah ./infrastructure
+      - cat ./infrastructure/dev-svc-dev-env.params.json
+      # Run trivy scan on the docker images.
+      - trivy image --vuln-type os --no-progress --format table -o container-scanning-report.txt --severity CRITICAL,HIGH $(jq -r '.Parameters[].ContainerImage' ./infrastructure/dev-svc-dev-env.params.json)
+      - cat container-scanning-report.txt
 artifacts:
   files:
     - "infrastructure/*"

docker_test.sh

@@ -9,6 +9,6 @@
 ##########################################################################
 docker rmi react-app:latest -f
 docker build -t react-app:latest . --no-cache
-docker run -p 80:80 react-app:latest # -p containerport:localport
+docker run -p 80:8080 react-app:latest # -p localport:containerport
 
 # open your browser and go to `localhost:80`.