diff --git a/README.md b/README.md index 9b5f931..7c6260a 100644 --- a/README.md +++ b/README.md @@ -13,8 +13,10 @@ - node:20 ****** + # ABOUT Sample for DevSecOps environment. +If you need help or questions, please contact [twitter](https://twitter.com/sigma5736394841), issues. ## AWS - app-infrastructure-roles ![app-infrastructure-roles](./doc/fig/cfn/app-infrastructure-roles.png) @@ -165,10 +167,14 @@ git secrets --register-aws # awsのクレデンシャル検知ルールを登録 # HOW TO USE -[PREPARING](#PREPARING)の設定後にはGitHubにコードをコミットしたり,pushするだけ。 +1. [PREPARING](#PREPARING)の設定を先にやる。 +2. commit時にはpre-commitとgit-secretが作動 +3. push時にはGitHub ActionsによりSAST(semgrep),UnitTest(jest),Dependency Check(trivy)が実行される。 +4. masterブランチにマージしたりmasterにpushした時にCodePipelineによってAWSへリポジトリがクローンされ,ビルド(image scanを含む),developmentへのデプロイが始まる。 +5. developmentで問題がなければCodePipeline上で承認し,productionへデプロイ ****** # MEMO +## nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied) - [ECSの仕様で非特権ユーザを使用したコンテナでは80番ポートが使えないっぽい](https://repost.aws/questions/QU1bCV9wT4T5iBrrP1c2ISfg/container-cannot-bind-to-port-80-running-as-non-root-user-on-ecs-fargate) --> つまり,localのdockerで80でサービスが起動できてもECSだと権限エラーになる。このため,コンテナで開放するportは8080としている(ALBに対して8080がマッピングされているためブラウザからは80でアクセスできる)。 -> nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied) diff --git a/copilot/pipelines/react-app-pipeline/buildspec.yml b/copilot/pipelines/react-app-pipeline/buildspec.yml index a84fc8e..9408aa8 100644 --- a/copilot/pipelines/react-app-pipeline/buildspec.yml +++ b/copilot/pipelines/react-app-pipeline/buildspec.yml 
@@ -8,6 +8,10 @@ phases: # Download the copilot linux binary. - wget -q https://ecs-cli-v2-release.s3.amazonaws.com/copilot-linux-v1.32.0 -O copilot-linux - chmod +x ./copilot-linux + # Download trivy. https://aquasecurity.github.io/trivy/v0.48/getting-started/installation/ + - echo "install trivy" + - rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.48.0/trivy_0.48.0_Linux-64bit.rpm + build: commands: - echo "Run your tests" @@ -48,11 +52,11 @@ phases: for env in $pl_envs; do tag=$(echo ${CODEBUILD_BUILD_ID##*:}-$env | sed 's/:/-/g' | rev | cut -c 1-128 | rev) for svc in $svcs; do - ./copilot-linux svc package -n $svc -e $env --output-dir './infrastructure' --tag $tag --upload-assets; - if [ $? -ne 0 ]; then - echo "Cloudformation stack and config files were not generated. Please check build logs to see if there was a manifest validation error." 1>&2; - exit 1; - fi + ./copilot-linux svc package -n $svc -e $env --output-dir './infrastructure' --tag $tag --upload-assets; + if [ $? -ne 0 ]; then + echo "Cloudformation stack and config files were not generated. Please check build logs to see if there was a manifest validation error." 1>&2; + exit 1; + fi done; for job in $jobs; do ./copilot-linux job package -n $job -e $env --output-dir './infrastructure' --tag $tag --upload-assets; @@ -63,6 +67,10 @@ phases: done; done; - ls -lah ./infrastructure + - cat ./infrastructure/dev-svc-dev-env.params.json + # Run trivy scan on the docker images. + - trivy image --vuln-type os --no-progress --format table -o container-scanning-report.txt --severity CRITICAL,HIGH $(jq -r '.Parameters[].ContainerImage' ./infrastructure/dev-svc-dev-env.params.json) + - cat container-scanning-report.txt artifacts: files: - "infrastructure/*" diff --git a/docker_test.sh b/docker_test.sh index 0ced2ea..3730dbb 100755 --- a/docker_test.sh +++ b/docker_test.sh 
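Review bot: The added `- rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.48.0/trivy_0.48.0_Linux-64bit.rpm` installs the scanner straight from a URL with no integrity check, so a tampered or replaced release artifact would be installed and executed inside the build container without anything noticing. Pinning the version is good; the download should also be verified against the digest published with that release before installing, e.g. `- curl -sSfL -o trivy.rpm <RELEASE_RPM_URL>`, `- echo "<EXPECTED_SHA256>  trivy.rpm" | sha256sum -c -`, `- rpm -ivh trivy.rpm`. The `wget` of copilot-linux two lines above has the same gap, though it predates this change.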
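Review bot: The new `trivy image ...` invocation in the third hunk passes no `--exit-code`, so trivy returns 0 whatever it finds and the build still proceeds to the deploy stages with CRITICAL/HIGH findings only written to the report; if the scan is meant to gate the pipeline, add `--exit-code 1` (optionally with `--ignore-unfixed`), otherwise a comment should say the scan is report-only. The image list is read only from `./infrastructure/dev-svc-dev-env.params.json`, whereas the package loop above iterates every `$env`/`$svc`, so images of any other environment or service are never scanned. `--vuln-type os` also excludes language-package findings, the kind the deleted sca-report.sarif recorded for nth-check; if that narrowing is deliberate, the comment `# Run trivy scan on the docker images.` should state it. The `cat` of the params file echoes every stack parameter into the CodeBuild log, which is only acceptable if none of those values is sensitive, and the command assumes `jq` exists in the build image.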
@@ -9,6 +9,6 @@
 ##########################################################################
 docker rmi react-app:latest -f
 docker build -t react-app:latest . --no-cache
-docker run -p 80:80 react-app:latest # -p containerport:localport
+docker run -p 80:8080 react-app:latest # -p localport:containerport
 # open your browser and go to `localhost:80`.
diff --git a/sca-report.sarif b/sca-report.sarif
deleted file mode 100644
index e95f38e..0000000
--- a/sca-report.sarif
+++ /dev/null
@@ -1,80 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "fullName": "Trivy Vulnerability Scanner", - "informationUri": "https://github.com/aquasecurity/trivy", - "name": "Trivy", - "rules": [ - { - "id": "CVE-2021-3803", - "name": "LanguageSpecificPackageVulnerability", - "shortDescription": { - "text": "inefficient regular expression complexity" - }, - "fullDescription": { - "text": "nth-check is vulnerable to Inefficient Regular Expression Complexity" - }, - "defaultConfiguration": { - "level": "error" - }, - "helpUri": "https://avd.aquasec.com/nvd/cve-2021-3803", - "help": { - "text": "Vulnerability CVE-2021-3803\nSeverity: HIGH\nPackage: nth-check\nFixed Version: 2.0.1\nLink: [CVE-2021-3803](https://avd.aquasec.com/nvd/cve-2021-3803)\nnth-check is vulnerable to Inefficient Regular Expression Complexity", - "markdown": "**Vulnerability CVE-2021-3803**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|HIGH|nth-check|2.0.1|[CVE-2021-3803](https://avd.aquasec.com/nvd/cve-2021-3803)|\n\nnth-check is vulnerable to Inefficient Regular Expression Complexity" - }, - "properties": { - "precision": "very-high", - "security-severity": "7.5", - "tags": [ - "vulnerability", - "security", - "HIGH" - ] - } - } - ], - "version": "0.47.0" - } - }, - "results": [ - { - "ruleId": "CVE-2021-3803", - "ruleIndex": 0, - "level": "error", - "message": { - "text": "Package: nth-check\nInstalled Version: 1.0.2\nVulnerability CVE-2021-3803\nSeverity: HIGH\nFixed Version: 2.0.1\nLink: [CVE-2021-3803](https://avd.aquasec.com/nvd/cve-2021-3803)" - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "package-lock.json", - "uriBaseId": "ROOTPATH" - }, - "region": { - "startLine": 15755, - "startColumn": 1, - "endLine": 15762, - "endColumn": 1 - } - }, - "message": { - "text": "package-lock.json: 
nth-check@1.0.2" - } - } - ] - } - ], - "columnKind": "utf16CodeUnits", - "originalUriBaseIds": { - "ROOTPATH": { - "uri": "file:///home/tomita/devsecops-demo-aws-ecs/" - } - } - } - ] -}