update Docker file

.dockerignore

@@ -1,5 +1,11 @@
-copilot/*
 docker_test.sh
 README.md
-src/__tests__/*
 .gitignore
+CODEOWNERS
+LICENSE
+.trivyignore
+.pre-commit-config.yaml
+.git/
+.github/
+src/__tests__/*
+copilot/*

.github/ISSUE_TEMPLATE/bag.yaml

@@ -0,0 +1,60 @@
+name: Bug Report
+description: File a bug report
+title: "[Bug]: "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+      value: "A bug happened!"
+    validations:
+      required: true
+  - type: dropdown
+    id: version
+    attributes:
+      label: Version
+      description: What version of our software are you running?
+      options:
+        - 1.0.2 (Default)
+        - 1.0.3 (Edge)
+    validations:
+      required: true
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://example.com)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true

.github/ISSUE_TEMPLATE/new-feature.md

@@ -0,0 +1,14 @@
+---
+name: new-feature
+about: feature over view
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+### New feature description
+
+### background
+
+### solution

.github/ISSUE_TEMPLATE/new-feature.yaml

@@ -0,0 +1,26 @@
+name: New-Feature(YAML)
+description: new feature issue
+title: "[Enhancement]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this new feature!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: textarea
+    id: idea
+    attributes:
+      label: idea
+      description: We need your help.
+      placeholder: Tell us what you think!
+      value: "Genious idea."
+    validations:
+      required: true

.github/workflows/react-dependency-check.yaml

@@ -0,0 +1,38 @@
+name: trivy dependency check for package.json
+# https://github.com/aquasecurity/trivy-action#usage
+on:
+  push:
+  schedule:
+    # 日曜日の午前0時に実行
+    - cron:  '0 0 * * 0'
+
+jobs:
+
+  trivy-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: clone application source code
+        uses: actions/checkout@v3
+
+      - name: use trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          #exit-code: 1
+          scanners: 'vuln'
+          vuln-type: 'library'
+          hide-progress: true
+          format: 'sarif'
+          output: 'sca-report.sarif'
+          severity: 'CRITICAL,HIGH'
+      - name: save report as pipeline artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: sca-report.sarif
+          path: sca-report.sarif
+      - name: publish trivy alerts
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'sca-report.sarif'
+          category: trivy

.github/workflows/react-jest.yaml

@@ -0,0 +1,25 @@
+name: run-jest
+on: [push]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  frontend-jest: # job id(Typed by user)
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository to runner
+      - uses: actions/checkout@v3
+
+      - name: Set up node20
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20'
+
+      - name: Install Dependencies
+        run: cd /home/runner/work/devsecops-demo-aws-ecs/devsecops-demo-aws-ecs && npm install
+
+      - name: Run npm test
+        run: cd /home/runner/work/devsecops-demo-aws-ecs/devsecops-demo-aws-ecs && npm test -- --watchAll=false

.github/workflows/react-semgrep.yaml

@@ -0,0 +1,38 @@
+name: Semgrep Full Scan
+# sarifファイルをアップロードするために事前にgithubのリソースに対するアクセス権を与える必用がある。
+#リポジトリの設定から --> Code and automation --> Actions --> GeneralのWorkflow permissionsをRead and write permissionsに[参考画像](../../doc/fig/semgrep_upgrade_grant.png)
+on:
+  push:
+  schedule:
+    # 日曜日の午前0時に実行
+    - cron:  '0 0 * * 0'
+
+jobs:
+
+  semgrep-full:
+      runs-on: ubuntu-latest
+      container:
+        image: returntocorp/semgrep
+
+      steps:
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        - name: full scan
+          run: |
+            semgrep \
+              --sarif --output report.sarif \
+              --metrics=off \
+              --config="p/default"
+        # reportsを生成(Actionsから確認できる)
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: report.sarif
+            path: report.sarif
+        # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: report.sarif
+            category: semgrep

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.2.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+    -   id: check-added-large-files
+        exclude: '.*\.md$' # mdでend-of-file-fixerが謎の挙動をするので除外
+    # hadolint
+-   repo: https://github.com/hadolint/hadolint
+    rev: v2.12.0
+    hooks:
+    -   id: hadolint
+         #args: [--trusted-registry, grc.io, ./react-app/Dockerfile]
+        args: [./Dockerfile]
+        files: Dockerfile$
+    # ESLint
+-   repo: https://github.com/pre-commit/mirrors-eslint
+    rev: v8.54.0 # 一番新しいやつにした
+    hooks:
+    -   id: eslint
+        files: \.[jt]sx?$  # *.js, *.jsx, *.ts and *.tsx
+        types: [file]
+    # prettier
+-   repo: https://github.com/pre-commit/mirrors-prettier
+    rev: v2.5.1 # rvest.vs-code-prettier-eslintにあわせた
+    hooks:
+    -   id: prettier
+        files: \.[jt]sx?$  # *.js, *.jsx, *.ts and *.tsx

CODEOWNERS

@@ -0,0 +1 @@
+/* @RyosukeDTomita

Dockerfile

@@ -1,25 +1,31 @@
-# ビルド環境
+# Build Image
 FROM node:20 as build
 WORKDIR /app
 COPY . .
 RUN npm install && npm run build
 
 
-# プロダクション環境
+# Product Image
 FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nginx:latest-al23
 COPY --from=build /app/build /usr/share/nginx/html
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY nginx.conf /etc/nginx/nginx.conf
+#COPY default.conf /etc/nginx/conf.d/default.conf
 
-# rootユーザ以外でサービスを起動するために最低限の権限を付与
+
+# Change owner to allow non-root users to start the service
 USER root
-RUN <<EOF
-mkdir -p /var/log/nginx
-chown -R nginx:nginx /var/log/nginx
-touch /run/nginx.pid
-chown -R nginx:nginx /run/nginx.pid
-EOF
+# RUN <<EOF
+# mkdir -p /var/log/nginx
+# chown -R nginx:nginx /var/log/nginx
+# touch /run/nginx.pid
+# chown -R nginx:nginx /run/nginx.pid
+# EOF
+RUN mkdir -p /var/log/nginx \
+    && chown -R nginx:nginx /var/log/nginx \
+    && touch /run/nginx.pid \
+    && chown -R nginx:nginx /run/nginx.pid
 
 
 EXPOSE 80
-#USER nginx
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]

LICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

README.md

@@ -1,4 +1,13 @@
+# INDEX
 
-```shell
-DOCKER_DEFAULT_PLATFORM=linux/amd64 copilot init
-```
+- [ABOUT](#ABOUT)
+- [ENVIRONMENT](#ENVIRONMENT)
+- [PREPARING](#PREPARING)
+- [HOW TO USE](#HOW-TO-USE)
+- [REFERENCE](#REFERENCE)
+
+# ABOUT
+# ENVIRONMENT
+# PREPARING
+# HOW TO USE
+# REFERENCE

copilot/dev-svc/manifest.yml

@@ -23,14 +23,16 @@ image:
 
 cpu: 256       # Number of CPU units for the task.
 memory: 512    # Amount of memory in MiB used by the task.
-count: 1       # Number of tasks that should be running in your service.
+count:       # Number of tasks that should be running in your service.
+  range: 1-2
+  cpu_percentage: 50
 exec: true     # Enable running commands in your container.
 network:
   connect: true # Enable Service Connect for intra-environment traffic between services.
 
 # storage:
   # readonly_fs: true       # Limit to read-only access to mounted root filesystems.
- 
+
 # Optional fields for more advanced use-cases.
 #
 #variables:                    # Pass environment variables as key value pairs.
@@ -44,4 +46,4 @@ network:
 #  test:
 #    count: 2               # Number of tasks to run for the "test" environment.
 #    deployment:            # The deployment strategy for the "test" environment.
-#       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.
+#       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.

copilot/environments/app-scanner-env/manifest.yml

@@ -0,0 +1,30 @@
+# The manifest for the "app-scanner-env" environment.
+# Read the full specification for the "Environment" type at:
+#  https://aws.github.io/copilot-cli/docs/manifest/environment/
+
+# Your environment name will be used in naming your resources like VPC, cluster, etc.
+name: app-scanner-env
+type: Environment
+
+# Import your own VPC and subnets or configure how they should be created.
+network:
+  vpc:
+    id: vpc-03581f28225eebcf8
+    subnets:
+      public:
+        - id: subnet-02af5dce7bdaae4c9
+        - id: subnet-070a378ffc7a92766
+        - id: subnet-0bfd16c35ed005f62
+      private:
+        - id: subnet-059ce9420f335d7b0
+        - id: subnet-0cb914099ba5f287b
+        - id: subnet-003d479c3698684de
+
+# Configure the load balancers in your environment, once created.
+# http:
+#   public:
+#   private:
+
+# Configure observability for your environment resources.
+observability:
+  container_insights: false