
Create moda-ci.yaml for Docker security scanning#43302

Open
Sazwanismail wants to merge 1 commit intogithub:mainfrom
Sazwanismail:patch-4

Conversation

@Sazwanismail

Add MODA CI pipeline workflow with Docker security scan.

```yaml
# .github/workflows/moda-ci.yaml
name: MODA CI - Docker Security Scan

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * 0'  # weekly scan on Sunday at 2am
  workflow_dispatch:

jobs:
  docker-security-scan:
    name: Call reusable Docker security workflow
    # Reference the reusable workflow from internal repository.
    # @main is a floating ref: pin to a release tag or commit SHA once the
    # reusable workflow is stable, so a change there cannot silently alter this gate.
    uses: github/internal-actions/.github/workflows/docker_security.yml@main
    with:
      # Image name – adjust if you need a specific tag format
      image-name: ${{ github.repository }}:${{ github.sha }}
      # Path to Dockerfile (relative to repository root)
      dockerfile-path: ./Dockerfile
      # Build context (usually the directory containing the Dockerfile)
      build-context: .
      # Optional: enable fail on critical vulnerabilities
      fail-on-critical: true
      # Optional: specify platform if multi-arch build is needed
      # platform: linux/amd64,linux/arm64
    secrets:
      # Docker registry credentials (if your image is pushed to a private registry)
      registry-username: ${{ secrets.DOCKER_USERNAME }}
      registry-password: ${{ secrets.DOCKER_PASSWORD }}
      # Snyk token for vulnerability scanning (if used by the reusable workflow)
      snyk-token: ${{ secrets.SNYK_TOKEN }}
      # Slack webhook for notifications (optional)
      slack-webhook: ${{ secrets.SLACK_WEBHOOK }}
```
**Explanation:**

- **Trigger**: This workflow runs on pushes to `main`/`develop`, pull requests to `main`, on a weekly schedule, and can be triggered manually.
- **Reusable workflow**: Calls `docker_security.yml` from the `github/internal-actions` repository on the `main` branch. Make sure that workflow exists and has the appropriate access.
- **Inputs**:
  - `image-name`: Combination of the repository name and commit SHA, suitable for unique tagging.
  - `dockerfile-path` and `build-context`: Standard paths for building the image.
  - `fail-on-critical`: If true, the job fails when critical vulnerabilities are found.
  - (Commented out) `platform`: If you need to build for multiple architectures, uncomment and adjust.
- **Secrets**: Pass the secrets required by the internal workflow. Replace them with the actual secret names configured in your repository.

**Next steps:**

1. Save this file as `.github/workflows/moda-ci.yaml` in your repository.
2. Add any required secrets (DOCKER_USERNAME, DOCKER_PASSWORD, SNYK_TOKEN, SLACK_WEBHOOK) under **Settings → Secrets and variables → Actions**.
3. Adjust input values such as `fail-on-critical`, or add `platform` if needed.
4. Test by triggering the workflow (for example, by pushing to a branch).
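The following script is an added example for the pre-flight check behind step 2 above; it is not part of this pull request or of any GitHub tooling. It reads a workflow file as raw text and reports which `secrets.*` names the workflow expects (so they can be created before the first run) and which `uses:` references float on a branch such as `@main`/`@master` rather than being pinned to a tag or commit SHA. The embedded sample workflow is constructed from the first job of this PR plus two extra steps (the 40-hex SHA in it is a fake placeholder).

```python
"""Pre-flight audit of a GitHub Actions workflow file (added example).

Works on the raw YAML text with regular expressions, so it needs no
third-party YAML library and can run before the workflow is committed.
"""
import re
import sys

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches both step-level `- uses:` and job-level `uses:` (reusable workflows).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SECRET_RE = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")

# Constructed sample: the PR's reusable-workflow job plus a second job with
# one tag-pinned, one branch-floating and one SHA-pinned (fake SHA) action.
SAMPLE_WORKFLOW = """\
name: MODA CI - Docker Security Scan
on: [push]
jobs:
  docker-security-scan:
    uses: github/internal-actions/.github/workflows/docker_security.yml@main
    with:
      fail-on-critical: true
    secrets:
      registry-username: ${{ secrets.DOCKER_USERNAME }}
      registry-password: ${{ secrets.DOCKER_PASSWORD }}
      snyk-token: ${{ secrets.SNYK_TOKEN }}
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567  # fake SHA
"""


def classify_ref(ref: str) -> str:
    """Classify the part after '@': immutable SHA, movable tag, or floating branch."""
    if SHA_RE.match(ref):
        return "sha"
    if re.match(r"^v?\d", ref):
        return "tag"
    return "branch"


def find_action_refs(text: str) -> list:
    """Return (action, ref, kind) for every remote `uses:` target in the workflow."""
    refs = []
    for match in USES_RE.finditer(text):
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue  # local actions and container images carry no git ref
        action, _, ref = target.partition("@")
        refs.append((action, ref, classify_ref(ref) if ref else "none"))
    return refs


def referenced_secrets(text: str) -> list:
    """Every secret name the workflow reads; each must exist in repo settings."""
    return sorted(set(SECRET_RE.findall(text)))


def audit(text: str) -> dict:
    """Summarise what must be configured (secrets) and what should be pinned (refs)."""
    refs = find_action_refs(text)
    return {
        "secrets_to_configure": referenced_secrets(text),
        "floating_refs": [(a, r) for a, r, k in refs if k in ("branch", "none")],
        "tag_refs": [(a, r) for a, r, k in refs if k == "tag"],
        "sha_pinned": [(a, r) for a, r, k in refs if k == "sha"],
    }


if __name__ == "__main__":
    # Usage: python audit_workflow.py [.github/workflows/moda-ci.yaml]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    result = audit(source)
    print("secrets to configure:", ", ".join(result["secrets_to_configure"]))
    for action, ref in result["floating_refs"]:
        print(f"floating ref (pin to tag or SHA): {action}@{ref}")
    for action, ref in result["tag_refs"]:
        print(f"tag ref (movable, consider SHA pin): {action}@{ref}")
```

Run it against the workflow file before committing; a floating ref means whoever controls that branch controls what runs in your pipeline with your secrets, which is why SHA pinning is the usual recommendation for third-party actions.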
```yaml
# .github/workflows/moda-ci.yaml
name: MODA CI – Advanced Docker Security Scan

on:
  push:
    branches: [ main, develop, release/** ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 2 * * 0'  # weekly scan every Sunday at 2am
  workflow_dispatch:
    inputs:
      fail-on-critical:
        description: 'Fail build on critical vulnerabilities?'
        required: true
        default: true
        type: boolean
      extra-tags:
        description: 'Additional image tags (comma separated)'
        required: false
        default: ''   # not consumed by the jobs below yet

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

# Gate semantics: on push, pull_request and schedule there are no inputs, so
# github.event.inputs.fail-on-critical is empty and the gate is enforced.
# Only a manual run that explicitly sets fail-on-critical to false relaxes it.
jobs:
  # Matrix job for multiple Dockerfiles or build contexts
  security-scan:
    name: Security Scan (${{ matrix.context }})
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by codeql-action/upload-sarif
    strategy:
      fail-fast: false
      matrix:
        include:
          - dockerfile: ./Dockerfile
            context: .
            image-suffix: ''
          - dockerfile: ./api/Dockerfile
            context: ./api
            image-suffix: -api
          # add more as needed
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Build image for scanning (do not push yet)
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:scan${{ matrix.image-suffix }}-${{ github.sha }}
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # 1. Trivy vulnerability scan
      #    @master is a floating ref; pin to a release tag or commit SHA in production.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:scan${{ matrix.image-suffix }}-${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results${{ matrix.image-suffix }}.sarif'
          # exit-code 1 fails on any finding at these severities, i.e. HIGH as well
          # as CRITICAL; narrow to 'CRITICAL' if the gate should match the
          # fail-on-critical input literally.
          severity: 'CRITICAL,HIGH'
          exit-code: '1'   # fail if vulnerabilities found
        # Tolerate failures only when a manual run set fail-on-critical=false.
        continue-on-error: ${{ github.event.inputs.fail-on-critical == 'false' }}

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results${{ matrix.image-suffix }}.sarif'
          # Distinct category per matrix entry so uploads for the same commit
          # do not overwrite each other.
          category: trivy${{ matrix.image-suffix }}

      # 2. Snyk container scan (requires SNYK_TOKEN)
      - name: Snyk Container scan
        uses: snyk/actions/docker@master   # floating ref; pin to a tag or SHA in production
        continue-on-error: ${{ github.event.inputs.fail-on-critical == 'false' }}
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:scan${{ matrix.image-suffix }}-${{ github.sha }}
          args: --file=${{ matrix.dockerfile }} --severity-threshold=high

      # 3. Grype scan (optional)
      - name: Grype scan
        uses: anchore/scan-action@v3
        with:
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:scan${{ matrix.image-suffix }}-${{ github.sha }}
          # Fail the build unless a manual run explicitly opted out.
          fail-build: ${{ github.event.inputs.fail-on-critical != 'false' }}
          severity-cutoff: high

  # Call internal reusable workflow (if you still want to use it)
  internal-security-scan:
    name: Call internal reusable workflow
    if: false   # disable if you prefer the matrix above; remove or set condition as needed
    uses: github/internal-actions/.github/workflows/docker_security.yml@main
    with:
      image-name: ${{ github.repository }}:${{ github.sha }}
      dockerfile-path: ./Dockerfile
      build-context: .
      fail-on-critical: ${{ github.event.inputs.fail-on-critical != 'false' }}
    secrets:
      registry-username: ${{ secrets.DOCKER_USERNAME }}
      registry-password: ${{ secrets.DOCKER_PASSWORD }}
      snyk-token: ${{ secrets.SNYK_TOKEN }}
      slack-webhook: ${{ secrets.SLACK_WEBHOOK }}
```

**Key features:**

- **Matrix strategy** – scans multiple Dockerfiles (for example: main and API).
- **Comprehensive scanning** – Trivy, Snyk and Grype for maximum coverage.
- **SARIF results** uploaded to the GitHub Security tab.
- **Failure control** via the `fail-on-critical` input (can be set manually).
- **Still includes** a call to the internal reusable workflow (temporarily disabled with `if: false` – enable if needed).

**Adjust as needed:**

- Add or remove scanning tools.
- Adjust `severity` and `exit-code` according to your security policy.
- Replace `github/internal-actions/.github/workflows/docker_security.yml@main` with your actual workflow.

**Secrets to configure** (under Settings → Secrets and variables → Actions):

- `DOCKER_USERNAME`, `DOCKER_PASSWORD` – if the registry requires login.
- `SNYK_TOKEN` – for Snyk scanning.
- `SLACK_WEBHOOK` – for notifications (optional).

This workflow gives you full control over the security of your Docker images.
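The workflow above delegates the `fail-on-critical` decision to scanner exit codes (`exit-code: '1'` with `severity: 'CRITICAL,HIGH'` for Trivy, `severity-cutoff: high` for Grype). The following script is an added example, not part of this pull request or of Trivy/GitHub, that applies the same gate directly to the SARIF file the workflow uploads, so the policy can be unit-tested and tuned (fail on CRITICAL only versus CRITICAL and HIGH) without re-running a scan. The sample report is constructed; the severity thresholds on the `security-severity` rule property are the ones GitHub code scanning documents, and that Trivy populates this property is assumed, with a fallback to a severity tag when it is missing. The CVE-style rule ids are placeholders.

```python
"""Evaluate a SARIF scan report against a severity gate (added example)."""
import json
import sys
from collections import Counter

# Constructed sample shaped like a Trivy SARIF report: three rules, four
# results (one CVE hits two packages). Rule ids are placeholders, not real CVEs.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-EXAMPLE-0001", "properties": {"security-severity": "9.8", "tags": ["CRITICAL"]}},
            {"id": "CVE-EXAMPLE-0002", "properties": {"security-severity": "7.5", "tags": ["HIGH"]}},
            {"id": "CVE-EXAMPLE-0003", "properties": {"tags": ["MEDIUM"]}},   # no score: tag fallback
        ]}},
        "results": [
            {"ruleId": "CVE-EXAMPLE-0001", "level": "error"},
            {"ruleId": "CVE-EXAMPLE-0002", "level": "error"},
            {"ruleId": "CVE-EXAMPLE-0002", "level": "error"},
            {"ruleId": "CVE-EXAMPLE-0003", "level": "warning"},
        ],
    }],
})

SEVERITY_ORDER = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]


def severity_from_score(score: float) -> str:
    """Map a security-severity score to a bucket (GitHub code scanning thresholds)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def count_by_severity(sarif_text: str) -> Counter:
    """Count results per severity, resolving each result through its rule."""
    doc = json.loads(sarif_text)
    counts = Counter()
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            props = rules.get(result.get("ruleId"), {}).get("properties", {})
            score = props.get("security-severity")
            if score is not None:
                sev = severity_from_score(float(score))
            else:
                # Assumed fallback: a severity name among the rule's tags, else LOW.
                tagged = [t for t in props.get("tags", []) if t in SEVERITY_ORDER]
                sev = tagged[0] if tagged else "LOW"
            counts[sev] += 1
    return counts


def gate(sarif_text: str, threshold: str = "CRITICAL") -> tuple:
    """Return (passed, counts); passed is False if any finding is at or above threshold."""
    counts = count_by_severity(sarif_text)
    cutoff = SEVERITY_ORDER.index(threshold)
    blocking = sum(n for sev, n in counts.items() if SEVERITY_ORDER.index(sev) >= cutoff)
    return blocking == 0, counts


if __name__ == "__main__":
    # Usage: python sarif_gate.py [report.sarif] [CRITICAL|HIGH|MEDIUM|LOW]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "CRITICAL"
    passed, counts = gate(text, threshold)
    print({sev: counts[sev] for sev in SEVERITY_ORDER})
    print("PASS" if passed else f"FAIL: findings at or above {threshold}")
    sys.exit(0 if passed else 1)   # same exit-code contract the workflow relies on
```

With threshold `HIGH` the script reproduces the Trivy step's `severity: 'CRITICAL,HIGH'` gate; with `CRITICAL` it matches the `fail-on-critical` input literally. Running it as a separate step after the upload keeps the SARIF in the Security tab regardless of the verdict while still failing the job.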

Why:

Closes:

What's being changed (if available, include any code snippets, screenshots, or gifs):

Check off the following:

  • A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
  • The changes in this PR meet the docs fundamentals that are required for all content.
  • All CI checks are passing and the changes look good in the review environment.

@Sazwanismail Sazwanismail marked this pull request as ready for review March 11, 2026 05:12
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Mar 11, 2026
@github-actions

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

This pull request contains code changes, so we will not generate a table of review links.

🤖 This comment is automatically generated.

@adamills adamills left a comment

@coursgranja4-commits coursgranja4-commits left a comment

content/graphql/reference/scalars.md
