DashLord scans #236
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DashLord scans | |
on: | |
workflow_dispatch: | |
inputs: | |
url: | |
description: "Single url to scan or scan all urls" | |
required: false | |
default: "" | |
schedule: | |
- cron: "0 1 */5 * *" # see https://crontab.guru | |
push: | |
branches: | |
- master | |
- main | |
paths: | |
- 'dashlord.yaml' | |
- 'dashlord.yml' | |
- 'urls.txt' | |
# allow only one concurrent scan action | |
concurrency: | |
cancel-in-progress: true | |
group: scans | |
jobs: | |
init: | |
runs-on: ubuntu-latest | |
name: Prepare | |
outputs: | |
sites: ${{ steps.init.outputs.sites }} | |
config: ${{ steps.init.outputs.config }} | |
steps: | |
- uses: actions/checkout@v2 | |
- id: init | |
uses: "SocialGouv/dashlord-actions/init@main" | |
with: | |
url: ${{ github.event.inputs.url }} | |
scans: | |
runs-on: ubuntu-latest | |
name: Scan | |
needs: init | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
max-parallel: 3 | |
matrix: | |
sites: ${{ fromJson(needs.init.outputs.sites) }} | |
steps: | |
- uses: actions/checkout@v2 | |
- run: | | |
mkdir scans | |
- uses: actions/cache@v2 | |
with: | |
path: "**/node_modules" | |
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | |
- name: Déclaration a11y | |
continue-on-error: true | |
uses: "socialgouv/dashlord-actions/declaration-a11y@v1" | |
if: ${{ matrix.sites.tools['declaration-a11y'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/declaration-a11y.json | |
- name: Detect 404s | |
continue-on-error: true | |
uses: "socialgouv/detect-404-action@master" | |
if: ${{ matrix.sites.tools['404'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/404.json | |
- name: Screenshot Website | |
uses: swinton/[email protected] | |
if: ${{ matrix.sites.tools.screenshot }} | |
timeout-minutes: 10 | |
with: | |
source: "${{ matrix.sites.url }}" | |
destination: screenshot.jpeg | |
- name: Trivy | |
continue-on-error: true | |
if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }} | |
uses: "socialgouv/dashlord-actions/trivy@v1" | |
with: | |
images: ${{ join(matrix.sites.docker) }} | |
output: scans/trivy.json | |
- name: Stats page | |
continue-on-error: true | |
uses: "MTES-MCT/stats-action@main" | |
if: ${{ matrix.sites.tools.stats }} | |
with: | |
url: ${{ matrix.sites.url }} | |
uri: 'stats' | |
output: scans/stats.json | |
- name: Wappalyzer scan | |
uses: "socialgouv/wappalyzer-action@master" | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.wappalyzer }} | |
continue-on-error: true | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: scans/wappalyzer.json | |
- name: ZAP Scan | |
uses: zaproxy/[email protected] | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.zap }} | |
continue-on-error: true | |
with: | |
token: "" # disable issue creation | |
rules_file_name: "zap-rules.tsv" | |
docker_name: "owasp/zap2docker-stable" | |
target: "${{ matrix.sites.url }}" | |
cmd_options: "-a" | |
- name: Lighthouse scan | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: treosh/lighthouse-ci-action@v7 | |
if: ${{ matrix.sites.tools.lighthouse }} | |
with: | |
urls: "${{ matrix.sites.url }}" | |
uploadArtifacts: false | |
temporaryPublicStorage: false | |
configPath: "./lighthouserc.json" | |
- name: Mozilla HTTP Observatory | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.http }} | |
continue-on-error: true | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Third-party scripts scan | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.thirdparties }} | |
continue-on-error: true | |
uses: SocialGouv/thirdparties-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/thirdparties.json" | |
# testssl.sh action needs an hostname to save its output so we build it here | |
- name: Extract hostname | |
id: hostname | |
run: | | |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/') | |
echo "::set-output name=value::$HOSTNAME" | |
- name: testssl.sh scan | |
timeout-minutes: 10 | |
continue-on-error: true | |
uses: "mbogh/[email protected]" | |
if: ${{ matrix.sites.tools.testssl }} | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
output: scans | |
grade: "F" | |
options: "--fast" | |
- name: nmap vulnerabilities scan | |
if: ${{ matrix.sites.tools.nmap }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/nmap-action@main" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
outputDir: "scans" | |
outputFile: "nmapvuln.json" | |
withVulnerabilities: true | |
raw: false | |
- name: Nuclei scan | |
timeout-minutes: 10 | |
continue-on-error: true | |
uses: "SocialGouv/dashlord-nuclei-action@master" | |
if: ${{ matrix.sites.tools.nuclei }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: "scans/nuclei.log" | |
- name: Updown.io checks | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/updownio-action@main" | |
if: ${{ matrix.sites.tools.updownio }} | |
with: | |
apiKey: ${{ secrets.UPDOWNIO_API_KEY }} | |
url: ${{ matrix.sites.url }} | |
output: scans/updownio.json | |
- name: Dependabot vulnerabilities alerts | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/dependabotalerts-action@main" | |
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }} | |
with: | |
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/dependabotalerts.json | |
- name: Code quality alerts | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/codescanalerts-action@main" | |
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }} | |
with: | |
token: ${{ secrets.CODESCANALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/codescanalerts.json | |
- uses: SocialGouv/dashlord-actions/save@main | |
with: | |
url: ${{ matrix.sites.url }} | |
- uses: EndBug/add-and-commit@v7 | |
with: | |
add: '["results"]' | |
author_name: ${{ secrets.SOCIALGROOVYBOT_NAME }} | |
author_email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }} | |
message: "update: ${{ matrix.sites.url }}" |