add trivy

.github/ISSUE_TEMPLATE/bag.yaml

@@ -0,0 +1,60 @@
+name: Bug Report
+description: File a bug report
+title: "[Bug]: "
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. [email protected]
+    validations:
+      required: false
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+      value: "A bug happened!"
+    validations:
+      required: true
+  - type: dropdown
+    id: version
+    attributes:
+      label: Version
+      description: What version of our software are you running?
+      options:
+        - 1.0.2 (Default)
+        - 1.0.3 (Edge)
+    validations:
+      required: true
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you agree to follow our [Code of Conduct](https://example.com)
+      options:
+        - label: I agree to follow this project's Code of Conduct
+          required: true

.github/ISSUE_TEMPLATE/new-feature.md

@@ -0,0 +1,14 @@
+---
+name: new-feature
+about: feature over view
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+### New feature description
+
+### background
+
+### solution

.github/ISSUE_TEMPLATE/new-feature.yaml

@@ -0,0 +1,26 @@
+name: New-Feature(YAML)
+description: new feature issue
+title: "[Enhancement]: "
+labels: ["enhancement"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this new feature!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. [email protected]
+    validations:
+      required: false
+  - type: textarea
+    id: idea
+    attributes:
+      label: idea
+      description: We need your help.
+      placeholder: Tell us what you think!
+      value: "Genious idea."
+    validations:
+      required: true

.github/workflows/react-dependency-check.yaml

@@ -0,0 +1,28 @@
+name: trivy dependency check for package.json
+# https://github.com/aquasecurity/trivy-action#usage
+on:
+  push:
+  schedule:
+    # 日曜日の午前0時に実行
+    - cron:  '0 0 * * 0'
+
+jobs:
+
+  trivy-scan:
+      runs-on: ubuntu-latest
+
+      steps:
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        - name: use trivy
+          uses: aquasecurity/[email protected]
+          with:
+            scan-type: 'fs'
+            exit-code: 1
+            scanners: 'vuln'
+            vuln-type: 'library'
+            hide-progress: true
+            format: table
+            output: 'sca-report.txt'
+            severity: CRITICAL,HIGH

.github/workflows/react-jest.yaml

@@ -0,0 +1,25 @@
+name: run-jest
+on: [push]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  frontend-jest: # job id(Typed by user)
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository to runner
+      - uses: actions/checkout@v3
+
+      - name: Set up node20
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20'
+
+      - name: Install Dependencies
+        run: cd /home/runner/work/devsecops-demo-aws-ecs && npm install
+
+      - name: Run npm test
+        run: cd /home/runner/work/devsecops-demo-aws-ecs && npm test -- --watchAll=false

.github/workflows/react-semgrep.yaml

@@ -0,0 +1,37 @@
+name: Semgrep Full Scan
+
+on:
+  push:
+  schedule:
+    # 日曜日の午前0時に実行
+    - cron:  '0 0 * * 0'
+
+jobs:
+
+  semgrep-full:
+      runs-on: ubuntu-latest
+      container:
+        image: returntocorp/semgrep
+
+      steps:
+        - name: clone application source code
+          uses: actions/checkout@v3
+
+        - name: full scan
+          run: |
+            semgrep \
+              --sarif --output report.sarif \
+              --metrics=off \
+              --config="p/default"
+        # reportsを生成(Actionsから確認できる)
+        - name: save report as pipeline artifact
+          uses: actions/upload-artifact@v3
+          with:
+            name: report.sarif
+            path: report.sarif
+        # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。
+        - name: publish code scanning alerts
+          uses: github/codeql-action/upload-sarif@v2
+          with:
+            sarif_file: report.sarif
+            category: semgrep

.pre-commit-config.yaml

@@ -6,7 +6,7 @@ repos:
     hooks:
     -   id: trailing-whitespace
     -   id: end-of-file-fixer
-    # -   id: check-yaml
+    -   id: check-yaml
     -   id: check-added-large-files
         exclude: '.*\.md$' # mdでend-of-file-fixerが謎の挙動をするので除外
     # hadolint
@@ -16,7 +16,7 @@ repos:
     -   id: hadolint
          #args: [--trusted-registry, grc.io, ./react-app/Dockerfile]
         args: [./Dockerfile]
-        files: ./Dockerfile$
+        files: Dockerfile$
     # ESLint
 -   repo: https://github.com/pre-commit/mirrors-eslint
     rev: v8.54.0 # 一番新しいやつにした

Dockerfile

@@ -8,8 +8,8 @@ RUN npm install && npm run build
 # Product Image
 FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nginx:latest-al23
 COPY --from=build /app/build /usr/share/nginx/html
-COPY default.conf /etc/nginx/conf.d/default.conf
 COPY nginx.conf /etc/nginx/nginx.conf
+#COPY default.conf /etc/nginx/conf.d/default.conf
 
 
 # Change owner to allow non-root users to start the service

copilot/dev-svc/manifest.yml

@@ -32,7 +32,7 @@ network:
 
 # storage:
   # readonly_fs: true       # Limit to read-only access to mounted root filesystems.
- 
+
 # Optional fields for more advanced use-cases.
 #
 #variables:                    # Pass environment variables as key value pairs.
@@ -46,4 +46,4 @@ network:
 #  test:
 #    count: 2               # Number of tasks to run for the "test" environment.
 #    deployment:            # The deployment strategy for the "test" environment.
-#       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.
+#       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.

copilot/pipelines/tomita-pipeline/manifest.yml

@@ -36,4 +36,3 @@ stages:
     requires_approval: true
     # Optional: use test commands to validate this stage of your build.
     # test_commands: [echo 'running tests', make test]
-

copilot/prod-svc/manifest.yml

@@ -30,7 +30,7 @@ network:
 
 # storage:
   # readonly_fs: true       # Limit to read-only access to mounted root filesystems.
- 
+
 # Optional fields for more advanced use-cases.
 #
 #variables:                    # Pass environment variables as key value pairs.
@@ -44,4 +44,4 @@ network:
 #  test:
 #    count: 2               # Number of tasks to run for the "test" environment.
 #    deployment:            # The deployment strategy for the "test" environment.
-#       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.
+#       rolling: 'recreate' # Stops existing tasks before new ones are started for faster deployments.

doc/tools_doc/hadolint.md

@@ -0,0 +1,30 @@
+# hadolintの使い方
+## 概要
+> [hadolint github](https://github.com/hadolint/hadolint)
+Dockerfileを綺麗にするツール。
+******
+
+
+## install
+
+```shell
+sudo wget -O /bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.10.0/hadolint-Linux-x86_64
+sudo chmod 755 /usr/bin/hadolint
+```
+******
+
+
+## 実行
+
+```shell
+ls
+myapp/  pre-commit-setup.sh
+hadolint --trusted-registry grc.io ./myapp/Dockerfile # --trusted-registryに登録されているイメージ以外で警告を出す。
+./myapp/Dockerfile:1 DL3026 error: Use only an allowed registry in the FROM image
+./myapp/Dockerfile:7 DL3059 info: Multiple consecutive `RUN` instructions. Consider consolidation.
+```
+******
+
+
+## エラー例
+- /Dockerfile:7 DL3059 info: Multiple consecutive `RUN` instructions. Consider consolidation. --> RUNを一つにまとめたほうがイメージのレイヤーを最小化できる。