DashLord scans #367
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DashLord scans | |
on: | |
workflow_dispatch: | |
inputs: | |
url: | |
description: "Single url to scan or scan all urls" | |
required: false | |
default: "" | |
tool: | |
description: "Single tool to run or use all tools" | |
type: choice | |
default: all | |
options: | |
- all | |
- codescan | |
- dependabot | |
- ecoindex | |
- lighthouse | |
- sonarcloud | |
- trivy | |
- zap | |
- ecoindex | |
- dsfr | |
schedule: | |
- cron: "0 0 * * 0" # At 00:00 on Sunday | |
jobs: | |
init: | |
runs-on: ubuntu-latest | |
name: Prepare | |
outputs: | |
sites: ${{ steps.init.outputs.sites }} | |
config: ${{ steps.init.outputs.config }} | |
steps: | |
- uses: actions/checkout@v2 | |
- id: init | |
uses: "SocialGouv/dashlord-actions/init@v1" | |
with: | |
url: ${{ github.event.inputs.url }} | |
tool: ${{ github.event.inputs.tool }} | |
env: | |
UPDOWNIO_API_KEY: ${{ secrets.UPDOWNIO_API_KEY }} | |
scans: | |
runs-on: ubuntu-latest | |
name: Scan | |
needs: init | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
max-parallel: 3 | |
matrix: | |
sites: ${{ fromJson(needs.init.outputs.sites) }} | |
steps: | |
- uses: actions/checkout@v2 | |
- run: | | |
mkdir scans | |
- uses: actions/cache@v2 | |
with: | |
path: "**/node_modules" | |
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | |
- name: dsfr | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/dsfr@v1" | |
if: ${{ matrix.sites.tools.dsfr }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/dsfr.json | |
- name: eco-index | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/ecoindex@v1" | |
if: ${{ matrix.sites.tools.ecoindex }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/ecoindex.json | |
- name: Screenshot Website | |
if: ${{ matrix.sites.tools.screenshot }} | |
uses: swinton/[email protected] | |
continue-on-error: true | |
timeout-minutes: 10 | |
with: | |
source: "${{ matrix.sites.url }}" | |
type: jpeg | |
destination: screenshot.jpeg | |
width: 1280 | |
scaleFactor: 0.5 | |
- name: Déclaration a11y | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/declaration-a11y@v1" | |
if: ${{ matrix.sites.tools['declaration-a11y'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-a11y.json | |
- name: Wappalyzer scan | |
if: ${{ matrix.sites.tools.wappalyzer }} | |
uses: "socialgouv/wappalyzer-action@master" | |
continue-on-error: true | |
timeout-minutes: 10 | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: scans/wappalyzer.json | |
- name: ZAP Scan | |
if: ${{ matrix.sites.tools.zap }} | |
uses: zaproxy/[email protected] | |
continue-on-error: true | |
timeout-minutes: 10 | |
with: | |
token: "" # disable issue creation | |
rules_file_name: "zap-rules.tsv" | |
docker_name: "owasp/zap2docker-stable" | |
target: "${{ matrix.sites.url }}" | |
cmd_options: "-a" | |
- name: Lighthouse scan | |
if: ${{ matrix.sites.tools.lighthouse }} | |
continue-on-error: true | |
timeout-minutes: 20 | |
uses: SocialGouv/dashlord-actions/lhci@v1 | |
with: | |
url: "${{ join(matrix.sites.subpages, ',') }}" | |
- name: Mozilla HTTP Observatory | |
if: ${{ matrix.sites.tools.http }} | |
continue-on-error: true | |
id: http | |
timeout-minutes: 10 | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Mozilla HTTP Observatory retry | |
if: steps.http.outcome=='failure' | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Third-party scripts scan | |
if: ${{ matrix.sites.tools.thirdparties }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/thirdparties-action@master | |
id: thirdparties | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/thirdparties.json" | |
- name: Déclaration RGPD | |
continue-on-error: true | |
uses: SocialGouv/dashlord-actions/declaration-rgpd@v1 | |
if: ${{ matrix.sites.tools['declaration-rgpd'] }} | |
with: | |
thirdparties: ${{ steps.thirdparties.outputs.json }} | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-rgpd.json | |
# testssl.sh action needs an hostname to save its output so we build it here | |
- name: Extract hostname | |
id: hostname | |
run: | | |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/') | |
echo "::set-output name=value::$HOSTNAME" | |
- name: testssl.sh scan | |
if: ${{ matrix.sites.tools.testssl }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "mbogh/[email protected]" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
output: scans | |
grade: "F" | |
options: "--fast" | |
- name: nmap vulnerabilities scan | |
if: ${{ matrix.sites.tools.nmap }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/nmap-action@main" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
outputDir: "scans" | |
outputFile: "nmapvuln.json" | |
withVulnerabilities: true | |
raw: false | |
- name: Nuclei scan | |
if: ${{ matrix.sites.tools.nuclei }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "SocialGouv/dashlord-nuclei-action@master" | |
with: | |
url: ${{ matrix.sites.url }} | |
output: "scans/nuclei.log" | |
- name: Updown.io checks | |
if: ${{ matrix.sites.tools.updownio }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/updownio-action@main" | |
with: | |
apiKey: ${{ secrets.UPDOWNIO_API_KEY }} | |
url: ${{ matrix.sites.url }} | |
output: scans/updownio.json | |
- name: Betagouv API scan | |
if: ${{ matrix.sites.tools.betagouv }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
id: betagouv | |
uses: betagouv/dashlord-startup-action@main | |
with: | |
id: "${{ matrix.sites.betaId }}" | |
output: "scans/betagouv.json" | |
- name: Stats page | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "betagouv/check-url-action@main" | |
if: ${{ matrix.sites.tools.stats }} | |
with: | |
url: ${{ steps.betagouv.outputs.stats_url }} | |
output: scans/stats.json | |
minExpectedRegex: ^stat | |
exactExpectedRegex: ^stats$ | |
- name: Budget page | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "betagouv/check-url-action@main" | |
if: ${{ matrix.sites.tools.budget_page }} | |
with: | |
url: ${{ steps.betagouv.outputs.budget_url }} | |
output: scans/budget_page.json | |
- name: Open Github repository | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "betagouv/check-url-action@main" | |
if: ${{ matrix.sites.tools.betagouv }} | |
with: | |
url: ${{ steps.betagouv.outputs.github_repository }} | |
output: scans/github_repository.json | |
- name: Dependabot vulnerabilities alerts | |
continue-on-error: true | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }} | |
uses: "MTES-MCT/dependabotalerts-action@main" | |
with: | |
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/dependabotalerts.json | |
- name: Code quality alerts | |
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/codescanalerts-action@main" | |
with: | |
token: ${{ secrets.CODESCANALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/codescanalerts.json | |
- uses: SocialGouv/dashlord-actions/save@v1 | |
with: | |
url: ${{ matrix.sites.url }} | |
# only clean up previous stats when all tools runned | |
cleanup: ${{ github.event.inputs.tool == 'all' && true || false }} | |
- uses: EndBug/add-and-commit@v9 | |
with: | |
add: "results" | |
author_name: "DashlordBetaGouvBot " | |
author_email: "[email protected]" | |
message: "update: ${{ matrix.sites.url }}" | |
fetch: false |