generated from SocialGouv/dashlord
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 234191e
Showing
75 changed files
with
131,165 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| name: DashLord report | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| workflow_run: | ||
| workflows: ["DashLord scans"] | ||
| branches: [main] | ||
| types: | ||
| - completed | ||
|
|
||
| # allow only one concurrent report action | ||
| concurrency: | ||
| cancel-in-progress: true | ||
| group: report | ||
|
|
||
| jobs: | ||
| website: | ||
| runs-on: ubuntu-latest | ||
| name: Website | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - uses: actions/cache@v2 | ||
| with: | ||
| path: "**/node_modules" | ||
| key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | ||
|
|
||
| # build the report | ||
| - id: dashlord-report | ||
| uses: SocialGouv/dashlord-actions/report@v1 | ||
| with: | ||
| base-path: /dashlord # adapt to your repo name | ||
|
|
||
| # save full report for history | ||
| - uses: EndBug/add-and-commit@v7 | ||
| with: | ||
| add: '["report.json"]' | ||
| default_author: "github_actions" | ||
| message: "chore: report update" | ||
|
|
||
| # deploy build to gh-pages | ||
| - name: Deploy 🚀 | ||
| uses: JamesIves/[email protected] | ||
| with: | ||
| branch: gh-pages | ||
| folder: build |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,312 @@ | ||
| name: DashLord scans | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| url: | ||
| description: "Single url to scan or scan all urls" | ||
| required: false | ||
| default: "" | ||
| tool: | ||
| description: "Single tool to run or use all tools" | ||
| type: choice | ||
| default: all | ||
| options: | ||
| - all | ||
| - codescan | ||
| - dependabot | ||
| - ecoindex | ||
| - lighthouse | ||
| - sonarcloud | ||
| - trivy | ||
| - zap | ||
| push: | ||
| branches: | ||
| - master | ||
| - main | ||
| paths: | ||
| - "dashlord.yaml" | ||
| - "dashlord.yml" | ||
| - "urls.txt" | ||
| schedule: | ||
| - cron: "0 0 * * 0" # see https://crontab.guru | ||
|
|
||
| # allow only one concurrent scan action | ||
| concurrency: | ||
| cancel-in-progress: true | ||
| group: scans | ||
|
|
||
| jobs: | ||
| init: | ||
| runs-on: ubuntu-latest | ||
| name: Prepare | ||
| outputs: | ||
| sites: ${{ steps.init.outputs.sites }} | ||
| config: ${{ steps.init.outputs.config }} | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - id: init | ||
| uses: "SocialGouv/dashlord-actions/init@v1" | ||
| with: | ||
| url: ${{ github.event.inputs.url }} | ||
| tool: ${{ github.event.inputs.tool }} | ||
|
|
||
| scans: | ||
| runs-on: ubuntu-latest | ||
| name: Scan | ||
| needs: init | ||
| continue-on-error: true | ||
| strategy: | ||
| fail-fast: false | ||
| max-parallel: 3 | ||
| matrix: | ||
| sites: ${{ fromJson(needs.init.outputs.sites) }} | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| with: | ||
| ref: ${{ github.ref }} | ||
|
|
||
| - run: | | ||
| mkdir scans | ||
| - uses: actions/cache@v2 | ||
| with: | ||
| path: "**/node_modules" | ||
| key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | ||
|
|
||
| - name: sonarcloud scan | ||
| if: ${{ matrix.sites.tools.sonarcloud }} | ||
| id: sonarcloud | ||
| continue-on-error: true | ||
| timeout-minutes: 10 | ||
| uses: SocialGouv/dashlord-actions/sonarcloud@v1 | ||
| with: | ||
| repos: ${{ join(matrix.sites.repositories) }} | ||
| output: "scans/sonarcloud.json" | ||
|
|
||
| - name: Third-party scripts scan | ||
| if: ${{ matrix.sites.tools.thirdparties }} | ||
| id: thirdparties | ||
| continue-on-error: true | ||
| timeout-minutes: 10 | ||
| uses: SocialGouv/thirdparties-action@master | ||
| with: | ||
| url: "${{ matrix.sites.url }}" | ||
| output: "scans/thirdparties.json" | ||
|
|
||
| - name: Déclaration a11y | ||
| timeout-minutes: 10 | ||
| uses: "socialgouv/dashlord-actions/declaration-a11y@v1" | ||
| if: ${{ matrix.sites.tools['declaration-a11y'] }} | ||
| with: | ||
| url: ${{ matrix.sites.url }} | ||
| output: scans/declaration-a11y.json | ||
|
|
||
| - name: eco-index | ||
| continue-on-error: true | ||
| timeout-minutes: 10 | ||
| uses: "socialgouv/dashlord-actions/ecoindex@v1" | ||
| if: ${{ matrix.sites.tools.ecoindex }} | ||
| with: | ||
| url: ${{ matrix.sites.url }} | ||
| output: scans/ecoindex.json | ||
|
|
||
| - name: Déclaration RGPD | ||
| timeout-minutes: 10 | ||
| uses: SocialGouv/dashlord-actions/declaration-rgpd@v1 | ||
| if: ${{ matrix.sites.tools['declaration-rgpd'] }} | ||
| with: | ||
| thirdparties: ${{ steps.thirdparties.outputs.json }} | ||
| url: ${{ matrix.sites.url }} | ||
| output: scans/declaration-rgpd.json | ||
|
|
||
| - name: Trivy | ||
| continue-on-error: true | ||
| timeout-minutes: 20 | ||
| if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }} | ||
| uses: "socialgouv/dashlord-actions/trivy@v1" | ||
| with: | ||
| images: ${{ join(matrix.sites.docker) }} | ||
| output: scans/trivy.json | ||
|
|
||
| - name: Detect 404s | ||
| continue-on-error: true | ||
| timeout-minutes: 10 | ||
| uses: "socialgouv/detect-404-action@master" | ||
| if: ${{ matrix.sites.tools['404'] }} | ||
| with: | ||
| url: ${{ matrix.sites.url }} | ||
| output: scans/404.json | ||
|
|
||
| - name: Betagouv API scan | ||
| if: ${{ matrix.sites.tools.betagouv }} | ||
| continue-on-error: true | ||
| timeout-minutes: 10 | ||
| id: betagouv | ||
| uses: betagouv/dashlord-startup-action@main | ||
| with: | ||
| id: "${{ matrix.sites.betaId }}" | ||
| output: "scans/betagouv.json" | ||
|
|
||
| - name: Stats page | ||
| timeout-minutes: 10 | ||
| uses: "betagouv/check-url-action@main" | ||
| if: ${{ matrix.sites.tools.stats }} | ||
| with: | ||
| url: ${{ steps.betagouv.outputs.stats_url || format('{0}/stats', matrix.sites.url) }} | ||
| output: scans/stats.json | ||
| minExpectedRegex: ^stat | ||
| exactExpectedRegex: ^stats$ | ||
|
|
||
| - name: Screenshot Website | ||
| uses: swinton/[email protected] | ||
| if: ${{ matrix.sites.tools.screenshot }} | ||
| timeout-minutes: 5 | ||
| continue-on-error: true | ||
| with: | ||
| source: "${{ matrix.sites.url }}" | ||
| type: jpeg | ||
| destination: screenshot.jpeg | ||
| width: 1280 | ||
| scaleFactor: 0.5 | ||
|
|
||
| - name: Wappalyzer scan | ||
| if: ${{ matrix.sites.tools.wappalyzer }} | ||
| uses: "socialgouv/wappalyzer-action@master" | ||
| timeout-minutes: 10 | ||
| continue-on-error: true | ||
| with: | ||
| url: "${{ matrix.sites.url }}" | ||
| output: scans/wappalyzer.json | ||
|
|
||
| - name: ZAP Scan | ||
| if: ${{ matrix.sites.tools.zap }} | ||
| uses: zaproxy/[email protected] | ||
| timeout-minutes: 10 | ||
| with: | ||
| token: "" # disable issue creation | ||
| rules_file_name: "zap-rules.tsv" | ||
| docker_name: "owasp/zap2docker-stable" | ||
| target: "${{ matrix.sites.url }}" | ||
| cmd_options: "-a" | ||
| allow_issue_writing: false | ||
|
|
||
| # https://github.com/treosh/lighthouse-ci-action#inputs | ||
| - name: Lighthouse scan | ||
| if: ${{ matrix.sites.tools.lighthouse }} | ||
| timeout-minutes: 10 | ||
| uses: socialgouv/dashlord-actions/lhci@v1 | ||
| with: | ||
| url: "${{ join(matrix.sites.subpages, ',') }}" | ||
|
|
||
| - name: Mozilla HTTP Observatory | ||
| if: ${{ matrix.sites.tools.http }} | ||
| timeout-minutes: 10 | ||
| id: http | ||
| continue-on-error: true | ||
| uses: SocialGouv/httpobs-action@master | ||
| with: | ||
| url: "${{ matrix.sites.url }}" | ||
| output: "scans/http.json" | ||
|
|
||
| - name: Mozilla HTTP Observatory retry | ||
| if: steps.http.outcome=='failure' | ||
| continue-on-error: true | ||
| timeout-minutes: 10 | ||
| uses: SocialGouv/httpobs-action@master | ||
| with: | ||
| url: "${{ matrix.sites.url }}" | ||
| output: "scans/http.json" | ||
|
|
||
| # testssl.sh action needs an hostname to save its output so we build it here | ||
| - name: Extract hostname | ||
| id: hostname | ||
| run: | | ||
| HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/') | ||
| echo "::set-output name=value::$HOSTNAME" | ||
| - name: testssl.sh scan | ||
| if: ${{ matrix.sites.tools.testssl }} | ||
| timeout-minutes: 10 | ||
| continue-on-error: true | ||
| uses: "mbogh/[email protected]" | ||
| with: | ||
| host: ${{ steps.hostname.outputs.value }} | ||
| output: scans | ||
| grade: "F" | ||
| options: "--fast" | ||
|
|
||
| - name: Nuclei scan | ||
| if: ${{ matrix.sites.tools.nuclei }} | ||
| timeout-minutes: 10 | ||
| continue-on-error: true | ||
| uses: "SocialGouv/dashlord-nuclei-action@master" | ||
| with: | ||
| url: ${{ matrix.sites.url }} | ||
| output: "scans/nuclei.log" | ||
|
|
||
| - name: Updown.io checks | ||
| if: ${{ matrix.sites.tools.updownio }} | ||
| continue-on-error: true | ||
| uses: "MTES-MCT/updownio-action@main" | ||
| with: | ||
| apiKey: ${{ secrets.UPDOWNIO_API_KEY }} | ||
| url: ${{ matrix.sites.url }} | ||
| output: scans/updownio.json | ||
|
|
||
| - name: Dependabot vulnerabilities alerts | ||
| if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }} | ||
| continue-on-error: true | ||
| uses: "MTES-MCT/dependabotalerts-action@main" | ||
| with: | ||
| token: ${{ secrets.DEPENDABOTALERTS_TOKEN }} | ||
| repositories: ${{ join(matrix.sites.repositories) }} | ||
| output: scans/dependabotalerts.json | ||
|
|
||
| - name: Code quality alerts | ||
| if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }} | ||
| continue-on-error: true | ||
| uses: "MTES-MCT/codescanalerts-action@main" | ||
| with: | ||
| token: ${{ secrets.CODESCANALERTS_TOKEN }} | ||
| repositories: ${{ join(matrix.sites.repositories) }} | ||
| output: scans/codescanalerts.json | ||
|
|
||
| - uses: SocialGouv/dashlord-actions/save@v1 | ||
| with: | ||
| url: ${{ matrix.sites.url }} | ||
| # only clean up previous stats when all tools runned | ||
| cleanup: ${{ github.event.inputs.tool == 'all' && true || false }} | ||
|
|
||
| - name: "Commit" | ||
| id: commit1 | ||
| continue-on-error: true | ||
| run: | | ||
| git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com | ||
| git config --global user.name GitHub | ||
| git add "results" | ||
| git commit -m "update: ${{ matrix.sites.url }}" | ||
| git pull --rebase --no-ff origin ${{ github.ref }} | ||
| git push | ||
| - name: "Commit retry" | ||
| if: steps.commit1.outcome=='failure' | ||
| id: commit2 | ||
| continue-on-error: true | ||
| run: | | ||
| git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com | ||
| git config --global user.name GitHub | ||
| git add "results" | ||
| git commit -m "update: ${{ matrix.sites.url }}" | ||
| git pull --rebase --no-ff origin ${{ github.ref }} | ||
| git push | ||
| - name: "Commit retry 2" | ||
| if: steps.commit2.outcome=='failure' | ||
| run: | | ||
| git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com | ||
| git config --global user.name GitHub | ||
| git add "results" | ||
| git commit -m "update: ${{ matrix.sites.url }}" | ||
| git pull --rebase --no-ff origin ${{ github.ref }} | ||
| git push |
Oops, something went wrong.