diff --git a/.github/.DS_Store b/.github/.DS_Store
new file mode 100644
index 0000000..05428f3
Binary files /dev/null and b/.github/.DS_Store differ
diff --git a/.github/workflows/trivy-scanning.yml b/.github/workflows/trivy-scanning.yml
index 11897aa..bdd67ef 100644
--- a/.github/workflows/trivy-scanning.yml
+++ b/.github/workflows/trivy-scanning.yml
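Review bot: `.github/.DS_Store` is macOS Finder metadata and should not be part of this change; drop it from the commit and add `.DS_Store` to the repository's `.gitignore` so it is not re-added on the next commit from a Mac. It carries no configuration, so removing it has no effect on the workflow.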
@@ -14,36 +14,55 @@ jobs:
 - name: Build images for nginx, web and db
 run: |
- docker build -t docker.io/xnat-docker-compose/xnat_docker_compose_xnat-nginx:${{ github.sha }} nginx/
- docker build -t docker.io/xnat-docker-compose/xnat_docker_compose_xnat-web:${{ github.sha }} tomcat/
- docker build -t docker.io/xnat-docker-compose/xnat_docker_compose_xnat-db:${{ github.sha }} postgres/
+ XNAT_NGINX_IMAGE=docker.io/xnat-docker-compose/xnat_docker_compose_xnat-nginx:${{ github.sha }} docker-compose build xnat-nginx
+ XNAT_WEB_IMAGE=docker.io/xnat-docker-compose/xnat_docker_compose_xnat-web:${{ github.sha }} docker-compose build xnat-web
+ XNAT_DB_IMAGE=docker.io/xnat-docker-compose/xnat_docker_compose_xnat-db:${{ github.sha }} docker-compose build xnat-db
+
+ - name: Create folder for the scanner results
+ run: mkdir results
 - name: Run Trivy vulnerability scanner on nginx
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/xnat-docker-compose/xnat_docker_compose_xnat-nginx:${{ github.sha }}'
- format: 'table'
- exit-code: '1'
+ # format: 'table'
+ # exit-code: '1'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: './results/trivy-results-nginx.sarif'
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
- continue-on-error: true
+ # continue-on-error: true
+
 - name: Run Trivy vulnerability scanner on web
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/xnat-docker-compose/xnat_docker_compose_xnat-web:${{ github.sha }}'
- format: 'table'
- exit-code: '1'
+ # format: 'table'
+ # exit-code: '1'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: './results/trivy-results-web.sarif'
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
- continue-on-error: true
+ # continue-on-error: true
+
 - name: Run Trivy vulnerability scanner on postgres
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: 'docker.io/xnat-docker-compose/xnat_docker_compose_xnat-db:${{ github.sha }}'
- format: 'table'
- exit-code: '1'
+ # format: 'table'
+ # exit-code: '1'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: './results/trivy-results-db.sarif'
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: './results'
diff --git a/docker-compose.yml b/docker-compose.yml
index 1323730..68fe9f2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,7 @@
 version: '3.7'
 services:
 xnat-web:
+ image: ${XNAT_WEB_IMAGE:-xnat_docker_compose_xnat-web:latest}
 build:
 context: ./xnat
 args:
@@ -35,6 +36,7 @@ services:
 - XNAT_HOME=${XNAT_HOME}
 xnat-db:
+ image: ${XNAT_DB_IMAGE:-xnat_docker_compose_xnat-db:latest}
 build:
 context: ./postgres
 args:
@@ -47,6 +49,7 @@ services:
 POSTGRES_PASSWORD: ${XNAT_DATASOURCE_ADMIN_PASSWORD}
 xnat-nginx:
+ image: ${XNAT_NGINX_IMAGE:-xnat_docker_compose_xnat-nginx:latest}
 build: ./nginx
 ports:
 - "80:80"
@@ -54,4 +57,3 @@ services:
 - "80"
 links:
 - xnat-web
-
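Review bot: With `exit-code: '1'` commented out in all three scanner steps and nothing put in its place, CRITICAL/HIGH findings no longer fail the job — the workflow now only reports into the Security tab, and the sole remaining failure point is the upload step; if reporting-only is the intent, delete the `# format`, `# exit-code` and `# continue-on-error` lines rather than keeping dead config, and if not, keep `exit-code: '1'` next to `format: 'template'`, since the two options are independent. The new `upload-sarif` step requires the job to grant `permissions: security-events: write`; the job header is outside this hunk, so confirm it is present. The scanner steps still track `aquasecurity/trivy-action@master`, a mutable ref for a security-critical action — pin it to a release tag or commit SHA, as the new upload step does with `@v1`. Each image reference is spelled out twice (in the build step and again in `image-ref`); declaring `XNAT_NGINX_IMAGE`, `XNAT_WEB_IMAGE` and `XNAT_DB_IMAGE` once under a job-level `env:` and using `${{ env.XNAT_WEB_IMAGE }}` in both places would stop them drifting apart.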
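Review bot: The new `image:` entries introduce `XNAT_WEB_IMAGE`, `XNAT_DB_IMAGE` and `XNAT_NGINX_IMAGE` as compose interpolation variables (this hunk and the two that follow) but nothing in the change documents them; if the project keeps a `.env` template or a README list of configurable variables, add the three with their defaults there. A one-line comment above each entry, e.g. `# Overridable so CI can tag the image it builds (see .github/workflows/trivy-scanning.yml)`, would also explain to a reader why a service now carries both `build:` and `image:`.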