DashLord scans #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DashLord scans | |
on: | |
workflow_dispatch: | |
inputs: | |
url: | |
description: "Single url to scan or scan all urls" | |
required: false | |
default: "" | |
tool: | |
description: "Single tool to run or use all tools" | |
type: choice | |
default: all | |
options: | |
- all | |
- codescan | |
- dependabot | |
- ecoindex | |
- lighthouse | |
- sonarcloud | |
- trivy | |
- zap | |
- ecoindex | |
- dsfr | |
push: | |
branches: | |
- master | |
- main | |
paths: | |
- "dashlord.yaml" | |
- "dashlord.yml" | |
- "urls.txt" | |
schedule: | |
- cron: "0 0 * * 0" # see https://crontab.guru | |
# allow only one concurrent scan action | |
concurrency: | |
cancel-in-progress: true | |
group: scans | |
jobs: | |
init: | |
runs-on: ubuntu-latest | |
name: Prepare | |
outputs: | |
sites: ${{ steps.init.outputs.sites }} | |
config: ${{ steps.init.outputs.config }} | |
steps: | |
- uses: actions/checkout@v3 | |
- id: init | |
uses: "SocialGouv/dashlord-actions/init@v1" | |
with: | |
url: ${{ github.event.inputs.url }} | |
tool: ${{ github.event.inputs.tool }} | |
# to create missing entries in updown.io | |
- id: updown-init | |
if: ${{ matrix.sites.tools.updownio }} | |
uses: "SocialGouv/dashlord-actions/updown-init@v1" | |
env: | |
UPDOWNIO_API_KEY: ${{ secrets.UPDOWNIO_API_KEY }} | |
scans: | |
runs-on: ubuntu-latest | |
name: Scan | |
needs: init | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
max-parallel: 3 | |
matrix: | |
sites: ${{ fromJson(needs.init.outputs.sites) }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: ${{ github.ref }} | |
- run: | | |
mkdir scans | |
- uses: actions/cache@v2 | |
with: | |
path: "**/node_modules" | |
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | |
- name: dsfr | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/dsfr@v1" | |
if: ${{ matrix.sites.tools.dsfr }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/dsfr.json | |
- name: sonarcloud scan | |
if: ${{ matrix.sites.tools.sonarcloud }} | |
id: sonarcloud | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/dashlord-actions/sonarcloud@v1 | |
with: | |
repos: ${{ join(matrix.sites.repositories) }} | |
output: "scans/sonarcloud.json" | |
- name: Third-party scripts scan | |
if: ${{ matrix.sites.tools.thirdparties }} | |
id: thirdparties | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/thirdparties-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/thirdparties.json" | |
- name: Déclaration a11y | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/declaration-a11y@v1" | |
if: ${{ matrix.sites.tools['declaration-a11y'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-a11y.json | |
- name: eco-index | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/ecoindex@v1" | |
if: ${{ matrix.sites.tools.ecoindex }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/ecoindex.json | |
- name: Déclaration RGPD | |
timeout-minutes: 10 | |
uses: SocialGouv/dashlord-actions/declaration-rgpd@v1 | |
if: ${{ matrix.sites.tools['declaration-rgpd'] }} | |
with: | |
thirdparties: ${{ steps.thirdparties.outputs.json }} | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-rgpd.json | |
- name: Trivy | |
continue-on-error: true | |
timeout-minutes: 20 | |
if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }} | |
uses: "socialgouv/dashlord-actions/trivy@v1" | |
with: | |
images: ${{ join(matrix.sites.docker) }} | |
output: scans/trivy.json | |
- name: Detect 404s | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/detect-404-action@master" | |
if: ${{ matrix.sites.tools['404'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/404.json | |
- name: Betagouv API scan | |
if: ${{ matrix.sites.tools.betagouv }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
id: betagouv | |
uses: betagouv/dashlord-startup-action@main | |
with: | |
id: "${{ matrix.sites.betaId }}" | |
output: "scans/betagouv.json" | |
- name: Stats page | |
timeout-minutes: 10 | |
uses: "betagouv/check-url-action@main" | |
if: ${{ matrix.sites.tools.stats }} | |
with: | |
url: ${{ steps.betagouv.outputs.stats_url || format('{0}/stats', matrix.sites.url) }} | |
output: scans/stats.json | |
minExpectedRegex: ^stat | |
exactExpectedRegex: ^stats$ | |
- name: Screenshot Website | |
uses: swinton/[email protected] | |
if: ${{ matrix.sites.tools.screenshot }} | |
timeout-minutes: 5 | |
continue-on-error: true | |
with: | |
source: "${{ matrix.sites.url }}" | |
type: jpeg | |
destination: screenshot.jpeg | |
width: 1280 | |
scaleFactor: 0.5 | |
- name: Wappalyzer scan | |
if: ${{ matrix.sites.tools.wappalyzer }} | |
uses: "socialgouv/wappalyzer-action@master" | |
timeout-minutes: 10 | |
continue-on-error: true | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: scans/wappalyzer.json | |
- name: ZAP Scan | |
if: ${{ matrix.sites.tools.zap }} | |
uses: zaproxy/[email protected] | |
timeout-minutes: 10 | |
with: | |
token: "" # disable issue creation | |
rules_file_name: "zap-rules.tsv" | |
docker_name: "owasp/zap2docker-stable" | |
target: "${{ matrix.sites.url }}" | |
cmd_options: "-a" | |
allow_issue_writing: false | |
# https://github.com/treosh/lighthouse-ci-action#inputs | |
- name: Lighthouse scan | |
if: ${{ matrix.sites.tools.lighthouse }} | |
timeout-minutes: 10 | |
uses: socialgouv/dashlord-actions/lhci@v1 | |
with: | |
url: "${{ join(matrix.sites.subpages, ',') }}" | |
- name: Mozilla HTTP Observatory | |
if: ${{ matrix.sites.tools.http }} | |
timeout-minutes: 10 | |
id: http | |
continue-on-error: true | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Mozilla HTTP Observatory retry | |
if: steps.http.outcome=='failure' | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
# testssl.sh action needs an hostname to save its output so we build it here | |
- name: Extract hostname | |
id: hostname | |
run: | | |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/') | |
echo "::set-output name=value::$HOSTNAME" | |
- name: testssl.sh scan | |
if: ${{ matrix.sites.tools.testssl }} | |
timeout-minutes: 10 | |
continue-on-error: true | |
uses: "mbogh/[email protected]" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
output: scans | |
grade: "F" | |
options: "--fast" | |
- name: Nuclei scan | |
if: ${{ matrix.sites.tools.nuclei }} | |
timeout-minutes: 10 | |
continue-on-error: true | |
uses: "SocialGouv/dashlord-nuclei-action@master" | |
with: | |
url: ${{ matrix.sites.url }} | |
output: "scans/nuclei.log" | |
- name: Updown.io checks | |
if: ${{ matrix.sites.tools.updownio }} | |
continue-on-error: true | |
uses: "MTES-MCT/updownio-action@main" | |
with: | |
apiKey: ${{ secrets.UPDOWNIO_API_KEY }} | |
url: ${{ matrix.sites.url }} | |
output: scans/updownio.json | |
- name: Dependabot vulnerabilities alerts | |
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }} | |
continue-on-error: true | |
uses: "MTES-MCT/dependabotalerts-action@main" | |
with: | |
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/dependabotalerts.json | |
- name: Code quality alerts | |
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }} | |
continue-on-error: true | |
uses: "MTES-MCT/codescanalerts-action@main" | |
with: | |
token: ${{ secrets.CODESCANALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/codescanalerts.json | |
- uses: SocialGouv/dashlord-actions/save@v1 | |
with: | |
url: ${{ matrix.sites.url }} | |
# only clean up previous stats when all tools runned | |
cleanup: ${{ github.event.inputs.tool == 'all' && true || false }} | |
- name: "Commit" | |
id: commit1 | |
continue-on-error: true | |
run: | | |
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com | |
git config --global user.name GitHub | |
git add "results" | |
git commit -m "update: ${{ matrix.sites.url }}" | |
git pull --rebase --no-ff origin ${{ github.ref }} | |
git push | |
- name: "Commit retry" | |
if: steps.commit1.outcome=='failure' | |
id: commit2 | |
continue-on-error: true | |
run: | | |
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com | |
git config --global user.name GitHub | |
git add "results" | |
git commit -m "update: ${{ matrix.sites.url }}" | |
git pull --rebase --no-ff origin ${{ github.ref }} | |
git push | |
- name: "Commit retry 2" | |
if: steps.commit2.outcome=='failure' | |
run: | | |
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com | |
git config --global user.name GitHub | |
git add "results" | |
git commit -m "update: ${{ matrix.sites.url }}" | |
git pull --rebase --no-ff origin ${{ github.ref }} | |
git push |