Skip to content

DashLord scans

DashLord scans #363

Workflow file for this run

name: DashLord scans
on:
workflow_dispatch:
inputs:
url:
description: "Single url to scan or scan all urls"
required: false
default: ""
tool:
description: "Single tool to run or use all tools"
type: choice
default: all
options:
- all
- codescan
- dependabot
- ecoindex
- lighthouse
- sonarcloud
- trivy
- zap
- ecoindex
- dsfr
schedule:
- cron: "0 0 * * 0" # At 00:00 on Sunday
jobs:
init:
runs-on: ubuntu-latest
name: Prepare
outputs:
sites: ${{ steps.init.outputs.sites }}
config: ${{ steps.init.outputs.config }}
steps:
- uses: actions/checkout@v2
- id: init
uses: "SocialGouv/dashlord-actions/init@v1"
with:
url: ${{ github.event.inputs.url }}
tool: ${{ github.event.inputs.tool }}
env:
UPDOWNIO_API_KEY: ${{ secrets.UPDOWNIO_API_KEY }}
scans:
runs-on: ubuntu-latest
name: Scan
needs: init
continue-on-error: true
strategy:
fail-fast: false
max-parallel: 3
matrix:
sites: ${{ fromJson(needs.init.outputs.sites) }}
steps:
- uses: actions/checkout@v2
- run: |
mkdir scans
- uses: actions/cache@v2
with:
path: "**/node_modules"
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
- name: get HTML
continue-on-error: true
timeout-minutes: 5
uses: "socialgouv/dashlord-actions/get-html@v1"
if: ${{ matrix.sites.tools['dsfr'] }}
with:
url: ${{ matrix.sites.url }}
output: get-html.html
- name: Détection DSFR
id: html
continue-on-error: true
timeout-minutes: 1
if: ${{ matrix.sites.tools['dsfr'] }}
run: |
(cat get-html.html | grep -q fr-header__brand) && echo '{"detected": true}' > ./scans/dsfr.json || echo '{"detected": false}' > ./scans/dsfr.json
cat ./scans/dsfr.json
- name: eco-index
continue-on-error: true
timeout-minutes: 10
uses: "socialgouv/dashlord-actions/ecoindex@v1"
if: ${{ matrix.sites.tools.ecoindex }}
with:
url: ${{ matrix.sites.url }}
output: scans/ecoindex.json
- name: Screenshot Website
if: ${{ matrix.sites.tools.screenshot }}
uses: swinton/[email protected]
continue-on-error: true
timeout-minutes: 10
with:
source: "${{ matrix.sites.url }}"
type: jpeg
destination: screenshot.jpeg
width: 1280
scaleFactor: 0.5
- name: Déclaration a11y
continue-on-error: true
timeout-minutes: 10
uses: "socialgouv/dashlord-actions/declaration-a11y@v1"
if: ${{ matrix.sites.tools['declaration-a11y'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/declaration-a11y.json
- name: Wappalyzer scan
if: ${{ matrix.sites.tools.wappalyzer }}
uses: "socialgouv/wappalyzer-action@master"
continue-on-error: true
timeout-minutes: 10
with:
url: "${{ matrix.sites.url }}"
output: scans/wappalyzer.json
- name: ZAP Scan
if: ${{ matrix.sites.tools.zap }}
uses: zaproxy/[email protected]
continue-on-error: true
timeout-minutes: 10
with:
token: "" # disable issue creation
rules_file_name: "zap-rules.tsv"
docker_name: "owasp/zap2docker-stable"
target: "${{ matrix.sites.url }}"
cmd_options: "-a"
- name: Lighthouse scan
if: ${{ matrix.sites.tools.lighthouse }}
continue-on-error: true
timeout-minutes: 20
uses: SocialGouv/dashlord-actions/lhci@v1
with:
url: "${{ join(matrix.sites.subpages, ',') }}"
- name: Mozilla HTTP Observatory
if: ${{ matrix.sites.tools.http }}
continue-on-error: true
id: http
timeout-minutes: 10
uses: SocialGouv/httpobs-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/http.json"
- name: Mozilla HTTP Observatory retry
if: steps.http.outcome=='failure'
continue-on-error: true
timeout-minutes: 10
uses: SocialGouv/httpobs-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/http.json"
- name: Third-party scripts scan
if: ${{ matrix.sites.tools.thirdparties }}
continue-on-error: true
timeout-minutes: 10
uses: SocialGouv/thirdparties-action@master
id: thirdparties
with:
url: "${{ matrix.sites.url }}"
output: "scans/thirdparties.json"
- name: Déclaration RGPD
continue-on-error: true
uses: SocialGouv/dashlord-actions/declaration-rgpd@v1
if: ${{ matrix.sites.tools['declaration-rgpd'] }}
with:
thirdparties: ${{ steps.thirdparties.outputs.json }}
url: ${{ matrix.sites.url }}
output: scans/declaration-rgpd.json
# testssl.sh action needs an hostname to save its output so we build it here
- name: Extract hostname
id: hostname
run: |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
echo "::set-output name=value::$HOSTNAME"
- name: testssl.sh scan
if: ${{ matrix.sites.tools.testssl }}
continue-on-error: true
timeout-minutes: 10
uses: "mbogh/[email protected]"
with:
host: ${{ steps.hostname.outputs.value }}
output: scans
grade: "F"
options: "--fast"
- name: nmap vulnerabilities scan
if: ${{ matrix.sites.tools.nmap }}
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/nmap-action@main"
with:
host: ${{ steps.hostname.outputs.value }}
outputDir: "scans"
outputFile: "nmapvuln.json"
withVulnerabilities: true
raw: false
- name: Nuclei scan
if: ${{ matrix.sites.tools.nuclei }}
continue-on-error: true
timeout-minutes: 10
uses: "SocialGouv/dashlord-nuclei-action@master"
with:
url: ${{ matrix.sites.url }}
output: "scans/nuclei.log"
- name: Updown.io checks
if: ${{ matrix.sites.tools.updownio }}
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/updownio-action@main"
with:
apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
url: ${{ matrix.sites.url }}
output: scans/updownio.json
- name: Betagouv API scan
if: ${{ matrix.sites.tools.betagouv }}
continue-on-error: true
timeout-minutes: 10
id: betagouv
uses: betagouv/dashlord-startup-action@main
with:
id: "${{ matrix.sites.betaId }}"
output: "scans/betagouv.json"
- name: Stats page
continue-on-error: true
timeout-minutes: 10
uses: "betagouv/check-url-action@main"
if: ${{ matrix.sites.tools.stats }}
with:
url: ${{ steps.betagouv.outputs.stats_url }}
output: scans/stats.json
minExpectedRegex: ^stat
exactExpectedRegex: ^stats$
- name: Budget page
continue-on-error: true
timeout-minutes: 10
uses: "betagouv/check-url-action@main"
if: ${{ matrix.sites.tools.budget_page }}
with:
url: ${{ steps.betagouv.outputs.budget_url }}
output: scans/budget_page.json
- name: Open Github repository
continue-on-error: true
timeout-minutes: 10
uses: "betagouv/check-url-action@main"
if: ${{ matrix.sites.tools.betagouv }}
with:
url: ${{ steps.betagouv.outputs.github_repository }}
output: scans/github_repository.json
- name: Dependabot vulnerabilities alerts
continue-on-error: true
timeout-minutes: 10
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
uses: "MTES-MCT/dependabotalerts-action@main"
with:
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/dependabotalerts.json
- name: Code quality alerts
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/codescanalerts-action@main"
with:
token: ${{ secrets.CODESCANALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/codescanalerts.json
- uses: SocialGouv/dashlord-actions/save@v1
with:
url: ${{ matrix.sites.url }}
# only clean up previous stats when all tools runned
cleanup: ${{ github.event.inputs.tool == 'all' && true || false }}
- uses: EndBug/add-and-commit@v7
with:
add: '["results"]'
author_name: "DashlordBetaGouvBot "
author_email: "[email protected]"
message: "update: ${{ matrix.sites.url }}"