Skip to content

scan

scan #2

Workflow file for this run

name: DashLord scans
on:
workflow_dispatch:
inputs:
url:
description: "Single url to scan or scan all urls"
required: false
default: ""
tool:
description: "Single tool to run or use all tools"
type: choice
default: all
options:
- all
- codescan
- dependabot
- ecoindex
- lighthouse
- sonarcloud
- trivy
- zap
push:
branches:
- master
- main
paths:
- "dashlord.yaml"
- "dashlord.yml"
- "urls.txt"
schedule:
- cron: "0 0 * * 0" # see https://crontab.guru
# allow only one concurrent scan action
concurrency:
cancel-in-progress: true
group: scans
jobs:
init:
runs-on: ubuntu-latest
name: Prepare
outputs:
sites: ${{ steps.init.outputs.sites }}
config: ${{ steps.init.outputs.config }}
steps:
- uses: actions/checkout@v3
- id: init
uses: "edelagnier/dashlord-actions/init@v1"
with:
url: ${{ github.event.inputs.url }}
tool: ${{ github.event.inputs.tool }}
scans:
runs-on: ubuntu-latest
name: Scan
needs: init
continue-on-error: true
strategy:
fail-fast: false
max-parallel: 3
matrix:
sites: ${{ fromJson(needs.init.outputs.sites) }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.ref }}
- run: |
mkdir scans
- uses: actions/cache@v2
with:
path: "**/node_modules"
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
- name: sonarcloud scan
if: ${{ matrix.sites.tools.sonarcloud }}
id: sonarcloud
continue-on-error: true
timeout-minutes: 10
uses: edelagnier/dashlord-actions/sonarcloud@v1
with:
repos: ${{ join(matrix.sites.repositories) }}
output: "scans/sonarcloud.json"
- name: Third-party scripts scan
if: ${{ matrix.sites.tools.thirdparties }}
id: thirdparties
continue-on-error: true
timeout-minutes: 10
uses: SocialGouv/thirdparties-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/thirdparties.json"
- name: Déclaration a11y
timeout-minutes: 10
uses: "edelagnier/dashlord-actions/declaration-a11y@v1"
if: ${{ matrix.sites.tools['declaration-a11y'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/declaration-a11y.json
- name: eco-index
continue-on-error: true
timeout-minutes: 10
uses: "edelagnier/dashlord-actions/ecoindex@v1"
if: ${{ matrix.sites.tools.ecoindex }}
with:
url: ${{ matrix.sites.url }}
output: scans/ecoindex.json
- name: Déclaration RGPD
timeout-minutes: 10
uses: edelagnier/dashlord-actions/declaration-rgpd@v1
if: ${{ matrix.sites.tools['declaration-rgpd'] }}
with:
thirdparties: ${{ steps.thirdparties.outputs.json }}
url: ${{ matrix.sites.url }}
output: scans/declaration-rgpd.json
- name: Trivy
continue-on-error: true
timeout-minutes: 20
if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }}
uses: "edelagnier/dashlord-actions/trivy@v1"
with:
images: ${{ join(matrix.sites.docker) }}
output: scans/trivy.json
- name: Detect 404s
continue-on-error: true
timeout-minutes: 10
uses: "socialgouv/detect-404-action@master"
if: ${{ matrix.sites.tools['404'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/404.json
- name: Betagouv API scan
if: ${{ matrix.sites.tools.betagouv }}
continue-on-error: true
timeout-minutes: 10
id: betagouv
uses: betagouv/dashlord-startup-action@main
with:
id: "${{ matrix.sites.betaId }}"
output: "scans/betagouv.json"
- name: Stats page
timeout-minutes: 10
uses: "betagouv/check-url-action@main"
if: ${{ matrix.sites.tools.stats }}
with:
url: ${{ steps.betagouv.outputs.stats_url || format('{0}/stats', matrix.sites.url) }}
output: scans/stats.json
minExpectedRegex: ^stat
exactExpectedRegex: ^stats$
- name: Screenshot Website
uses: swinton/[email protected]
if: ${{ matrix.sites.tools.screenshot }}
timeout-minutes: 5
continue-on-error: true
with:
source: "${{ matrix.sites.url }}"
type: jpeg
destination: screenshot.jpeg
width: 1280
scaleFactor: 0.5
- name: Wappalyzer scan
if: ${{ matrix.sites.tools.wappalyzer }}
uses: "socialgouv/wappalyzer-action@master"
timeout-minutes: 10
continue-on-error: true
with:
url: "${{ matrix.sites.url }}"
output: scans/wappalyzer.json
- name: ZAP Scan
if: ${{ matrix.sites.tools.zap }}
uses: zaproxy/[email protected]
timeout-minutes: 10
with:
token: "" # disable issue creation
rules_file_name: "zap-rules.tsv"
docker_name: "owasp/zap2docker-stable"
target: "${{ matrix.sites.url }}"
cmd_options: "-a"
allow_issue_writing: false
# https://github.com/treosh/lighthouse-ci-action#inputs
- name: Lighthouse scan
if: ${{ matrix.sites.tools.lighthouse }}
timeout-minutes: 10
uses: edelagnier/dashlord-actions/lhci@v1
with:
url: "${{ join(matrix.sites.subpages, ',') }}"
- name: Mozilla HTTP Observatory
if: ${{ matrix.sites.tools.http }}
timeout-minutes: 10
id: http
continue-on-error: true
uses: SocialGouv/httpobs-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/http.json"
- name: Mozilla HTTP Observatory retry
if: steps.http.outcome=='failure'
continue-on-error: true
timeout-minutes: 10
uses: SocialGouv/httpobs-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/http.json"
# testssl.sh action needs an hostname to save its output so we build it here
- name: Extract hostname
id: hostname
run: |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
echo "::set-output name=value::$HOSTNAME"
- name: testssl.sh scan
if: ${{ matrix.sites.tools.testssl }}
timeout-minutes: 10
continue-on-error: true
uses: "mbogh/[email protected]"
with:
host: ${{ steps.hostname.outputs.value }}
output: scans
grade: "F"
options: "--fast"
- name: Nuclei scan
if: ${{ matrix.sites.tools.nuclei }}
timeout-minutes: 10
continue-on-error: true
uses: "SocialGouv/dashlord-nuclei-action@master"
with:
url: ${{ matrix.sites.url }}
output: "scans/nuclei.log"
- name: Updown.io checks
if: ${{ matrix.sites.tools.updownio }}
continue-on-error: true
uses: "MTES-MCT/updownio-action@main"
with:
apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
url: ${{ matrix.sites.url }}
output: scans/updownio.json
- name: Dependabot vulnerabilities alerts
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
continue-on-error: true
uses: "MTES-MCT/dependabotalerts-action@main"
with:
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/dependabotalerts.json
- name: Code quality alerts
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
continue-on-error: true
uses: "MTES-MCT/codescanalerts-action@main"
with:
token: ${{ secrets.CODESCANALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/codescanalerts.json
- uses: edelagnier/dashlord-actions/save@v1
with:
url: ${{ matrix.sites.url }}
# only clean up previous stats when all tools runned
cleanup: ${{ github.event.inputs.tool == 'all' && true || false }}
- name: "Commit"
id: commit1
continue-on-error: true
run: |
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
git config --global user.name GitHub
git add "results"
git commit -m "update: ${{ matrix.sites.url }}"
git pull --rebase --no-ff origin ${{ github.ref }}
git push
- name: "Commit retry"
if: steps.commit1.outcome=='failure'
id: commit2
continue-on-error: true
run: |
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
git config --global user.name GitHub
git add "results"
git commit -m "update: ${{ matrix.sites.url }}"
git pull --rebase --no-ff origin ${{ github.ref }}
git push
- name: "Commit retry 2"
if: steps.commit2.outcome=='failure'
run: |
git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
git config --global user.name GitHub
git add "results"
git commit -m "update: ${{ matrix.sites.url }}"
git pull --rebase --no-ff origin ${{ github.ref }}
git push