DashLord scans #896
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DashLord scans | |
on: | |
workflow_dispatch: | |
inputs: | |
url: | |
description: "Single url to scan or scan all urls" | |
required: false | |
default: "" | |
tool: | |
description: "Single tool to run or use all tools" | |
type: choice | |
default: all | |
options: | |
- all | |
- codescan | |
- dependabot | |
- ecoindex | |
- lighthouse | |
- sonarcloud | |
- trivy | |
- zap | |
- ecoindex | |
- dsfr | |
- declaration-a11y | |
- declaration-rgpd | |
schedule: | |
- cron: "0 0 * * 0" # At 00:00 on Sunday | |
jobs: | |
init: | |
runs-on: ubuntu-latest | |
name: Prepare | |
outputs: | |
sites: ${{ steps.init.outputs.sites }} | |
config: ${{ steps.init.outputs.config }} | |
steps: | |
- uses: actions/checkout@v2 | |
- id: init | |
uses: "SocialGouv/dashlord-actions/init@v1" | |
with: | |
url: ${{ github.event.inputs.url }} | |
tool: ${{ github.event.inputs.tool }} | |
- id: updown-init | |
uses: "SocialGouv/dashlord-actions/updown-init@v1" | |
env: | |
UPDOWNIO_API_KEY: ${{ secrets.UPDOWNIO_API_KEY }} | |
scans: | |
runs-on: ubuntu-latest | |
name: Scan | |
needs: init | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
max-parallel: 3 | |
matrix: | |
sites: ${{ fromJson(needs.init.outputs.sites) }} | |
steps: | |
- uses: actions/checkout@v4 | |
- run: | | |
mkdir scans | |
- uses: actions/cache@v2 | |
with: | |
path: "**/node_modules" | |
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | |
- name: dsfr | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/dsfr@v1" | |
if: ${{ matrix.sites.tools.dsfr }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/dsfr.json | |
- name: eco-index | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/ecoindex@v1" | |
if: ${{ matrix.sites.tools.ecoindex }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/ecoindex.json | |
- name: Screenshot Website | |
if: ${{ matrix.sites.tools.screenshot }} | |
uses: swinton/screenshot-website@v1.x | |
continue-on-error: true | |
timeout-minutes: 10 | |
with: | |
source: "${{ matrix.sites.url }}" | |
type: jpeg | |
destination: screenshot.jpeg | |
width: 1280 | |
scaleFactor: 0.5 | |
- name: Déclaration a11y | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "socialgouv/dashlord-actions/declaration-a11y@v1" | |
if: ${{ matrix.sites.tools['declaration-a11y'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-a11y.json | |
- name: Wappalyzer scan | |
if: ${{ matrix.sites.tools.wappalyzer }} | |
uses: "socialgouv/wappalyzer-action@master" | |
continue-on-error: true | |
timeout-minutes: 10 | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: scans/wappalyzer.json | |
- name: ZAP Scan | |
if: ${{ matrix.sites.tools.zap }} | |
uses: zaproxy/action-baseline@v0.4.0 | |
continue-on-error: true | |
timeout-minutes: 10 | |
with: | |
token: "" # disable issue creation | |
rules_file_name: "zap-rules.tsv" | |
docker_name: "owasp/zap2docker-stable" | |
target: "${{ matrix.sites.url }}" | |
cmd_options: "-a" | |
- name: Lighthouse scan | |
if: ${{ matrix.sites.tools.lighthouse }} | |
continue-on-error: true | |
timeout-minutes: 20 | |
uses: SocialGouv/dashlord-actions/lhci@v1 | |
with: | |
url: "${{ join(matrix.sites.subpages, ',') }}" | |
- name: Mozilla HTTP Observatory | |
if: ${{ matrix.sites.tools.http }} | |
continue-on-error: true | |
id: http | |
timeout-minutes: 10 | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Mozilla HTTP Observatory retry | |
if: steps.http.outcome=='failure' | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Third-party scripts scan | |
if: ${{ matrix.sites.tools.thirdparties }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: SocialGouv/thirdparties-action@master | |
id: thirdparties | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/thirdparties.json" | |
- name: Déclaration RGPD | |
continue-on-error: true | |
uses: SocialGouv/dashlord-actions/declaration-rgpd@v1 | |
if: ${{ matrix.sites.tools['declaration-rgpd'] }} | |
with: | |
thirdparties: ${{ steps.thirdparties.outputs.json }} | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-rgpd.json | |
# testssl.sh action needs an hostname to save its output so we build it here | |
- name: Extract hostname | |
id: hostname | |
run: | | |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/') | |
echo "::set-output name=value::$HOSTNAME" | |
- name: testssl.sh scan | |
if: ${{ matrix.sites.tools.testssl }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "mbogh/test-ssl-action@v1.1" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
output: scans | |
grade: "F" | |
options: "--fast" | |
- name: nmap vulnerabilities scan | |
if: ${{ matrix.sites.tools.nmap }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/nmap-action@main" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
outputDir: "scans" | |
outputFile: "nmapvuln.json" | |
withVulnerabilities: true | |
raw: false | |
- name: Nuclei scan | |
if: ${{ matrix.sites.tools.nuclei }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "SocialGouv/dashlord-nuclei-action@master" | |
with: | |
url: ${{ matrix.sites.url }} | |
output: "scans/nuclei.log" | |
- name: Updown.io checks | |
if: ${{ matrix.sites.tools.updownio }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/updownio-action@main" | |
with: | |
apiKey: ${{ secrets.UPDOWNIO_API_KEY }} | |
url: ${{ matrix.sites.url }} | |
output: scans/updownio.json | |
- name: Betagouv API scan | |
if: ${{ matrix.sites.tools.betagouv }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
id: betagouv | |
uses: betagouv/dashlord-startup-action@main | |
with: | |
id: "${{ matrix.sites.betaId }}" | |
output: "scans/betagouv.json" | |
- name: Stats page | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "SocialGouv/dashlord-actions/check-url@v1" | |
if: ${{ matrix.sites.tools.stats }} | |
with: | |
url: ${{ steps.betagouv.outputs.stats_url }} | |
output: scans/stats.json | |
- name: Budget page | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "SocialGouv/dashlord-actions/check-url@v1" | |
if: ${{ matrix.sites.tools.budget_page }} | |
with: | |
url: ${{ steps.betagouv.outputs.budget_url }} | |
output: scans/budget_page.json | |
- name: Open Github repository | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "SocialGouv/dashlord-actions/check-url@v1" | |
if: ${{ matrix.sites.tools.betagouv }} | |
with: | |
url: ${{ steps.betagouv.outputs.github_repository }} | |
output: scans/github_repository.json | |
- name: Dependabot vulnerabilities alerts | |
continue-on-error: true | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }} | |
uses: "MTES-MCT/dependabotalerts-action@main" | |
with: | |
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/dependabotalerts.json | |
- name: Code quality alerts | |
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/codescanalerts-action@main" | |
with: | |
token: ${{ secrets.CODESCANALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/codescanalerts.json | |
- uses: SocialGouv/dashlord-actions/save@v1 | |
with: | |
url: ${{ matrix.sites.url }} | |
# only clean up previous stats when all tools runned | |
cleanup: ${{ github.event.inputs.tool == 'all' && true || false }} | |
- uses: EndBug/add-and-commit@v9 | |
with: | |
add: "results" | |
author_name: "DashlordBetaGouvBot" | |
author_email: "DashlordBetaGouvBot@incubateur.net" | |
message: "update: ${{ matrix.sites.url }}" | |
pull: "--rebase --autostash" |