NrgXnat · ihormkl · Apr 6, 2021 · Apr 6, 2021 · Apr 6, 2021 · Apr 6, 2021
diff --git a/.github/.DS_Store b/.github/.DS_Store
diff --git a/.github/workflows/trivy-scanning.yml b/.github/workflows/trivy-scanning.yml
@@ -14,36 +14,55 @@ jobs:
 
       - name: Build images for nginx, web and db
         run: |
-          docker build -t docker.io/xnat-docker-compose/xnat_docker_compose_xnat-nginx:${{ github.sha }} nginx/
-          docker build -t docker.io/xnat-docker-compose/xnat_docker_compose_xnat-web:${{ github.sha }} tomcat/
-          docker build -t docker.io/xnat-docker-compose/xnat_docker_compose_xnat-db:${{ github.sha }} postgres/
+          XNAT_NGINX_IMAGE=docker.io/xnat-docker-compose/xnat_docker_compose_xnat-nginx:${{ github.sha }} docker-compose build xnat-nginx
+          XNAT_WEB_IMAGE=docker.io/xnat-docker-compose/xnat_docker_compose_xnat-web:${{ github.sha }} docker-compose build xnat-web
+          XNAT_DB_IMAGE=docker.io/xnat-docker-compose/xnat_docker_compose_xnat-db:${{ github.sha }} docker-compose build xnat-db
+
+      - name: Create folder for the scanner results
+        run: mkdir results
 
       - name: Run Trivy vulnerability scanner on nginx
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: 'docker.io/xnat-docker-compose/xnat_docker_compose_xnat-nginx:${{ github.sha }}'
-          format: 'table'
-          exit-code: '1'
+          # format: 'table'
+          # exit-code: '1'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: './results/trivy-results-nginx.sarif'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
-        continue-on-error: true
+        # continue-on-error: true
+
       - name: Run Trivy vulnerability scanner on web
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: 'docker.io/xnat-docker-compose/xnat_docker_compose_xnat-web:${{ github.sha }}'
-          format: 'table'
-          exit-code: '1'
+          # format: 'table'
+          # exit-code: '1'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: './results/trivy-results-web.sarif'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
-        continue-on-error: true
+        # continue-on-error: true
+
       - name: Run Trivy vulnerability scanner on postgres
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: 'docker.io/xnat-docker-compose/xnat_docker_compose_xnat-db:${{ github.sha }}'
-          format: 'table'
-          exit-code: '1'
+          # format: 'table'
+          # exit-code: '1'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: './results/trivy-results-db.sarif'
           ignore-unfixed: true
           vuln-type: 'os,library'
           severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: './results'
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,6 +1,7 @@
 version: '3.7'
 services:
   xnat-web:
+    image: ${XNAT_WEB_IMAGE:-xnat_docker_compose_xnat-web:latest}
     build:
       context: ./xnat
       args:
@@ -35,6 +36,7 @@ services:
       - XNAT_HOME=${XNAT_HOME}
 
   xnat-db:
+    image: ${XNAT_DB_IMAGE:-xnat_docker_compose_xnat-db:latest}
     build:
       context: ./postgres
       args:
@@ -47,11 +49,11 @@ services:
       POSTGRES_PASSWORD: ${XNAT_DATASOURCE_ADMIN_PASSWORD}
 
   xnat-nginx:
+    image: ${XNAT_NGINX_IMAGE:-xnat_docker_compose_xnat-nginx:latest}
     build: ./nginx
     ports:
       - "80:80"
     expose:
       - "80"
     links:
       - xnat-web
-