Skip to content

DashLord scans

DashLord scans #236

Workflow file for this run

name: DashLord scans
on:
workflow_dispatch:
inputs:
url:
description: "Single url to scan or scan all urls"
required: false
default: ""
schedule:
- cron: "0 1 */5 * *" # see https://crontab.guru
push:
branches:
- master
- main
paths:
- 'dashlord.yaml'
- 'dashlord.yml'
- 'urls.txt'
# allow only one concurrent scan action
concurrency:
cancel-in-progress: true
group: scans
jobs:
init:
runs-on: ubuntu-latest
name: Prepare
outputs:
sites: ${{ steps.init.outputs.sites }}
config: ${{ steps.init.outputs.config }}
steps:
- uses: actions/checkout@v2
- id: init
uses: "SocialGouv/dashlord-actions/init@main"
with:
url: ${{ github.event.inputs.url }}
scans:
runs-on: ubuntu-latest
name: Scan
needs: init
continue-on-error: true
strategy:
fail-fast: false
max-parallel: 3
matrix:
sites: ${{ fromJson(needs.init.outputs.sites) }}
steps:
- uses: actions/checkout@v2
- run: |
mkdir scans
- uses: actions/cache@v2
with:
path: "**/node_modules"
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
- name: Déclaration a11y
continue-on-error: true
uses: "socialgouv/dashlord-actions/declaration-a11y@v1"
if: ${{ matrix.sites.tools['declaration-a11y'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/declaration-a11y.json
- name: Detect 404s
continue-on-error: true
uses: "socialgouv/detect-404-action@master"
if: ${{ matrix.sites.tools['404'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/404.json
- name: Screenshot Website
uses: swinton/[email protected]
if: ${{ matrix.sites.tools.screenshot }}
timeout-minutes: 10
with:
source: "${{ matrix.sites.url }}"
destination: screenshot.jpeg
- name: Trivy
continue-on-error: true
if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }}
uses: "socialgouv/dashlord-actions/trivy@v1"
with:
images: ${{ join(matrix.sites.docker) }}
output: scans/trivy.json
- name: Stats page
continue-on-error: true
uses: "MTES-MCT/stats-action@main"
if: ${{ matrix.sites.tools.stats }}
with:
url: ${{ matrix.sites.url }}
uri: 'stats'
output: scans/stats.json
- name: Wappalyzer scan
uses: "socialgouv/wappalyzer-action@master"
timeout-minutes: 10
if: ${{ matrix.sites.tools.wappalyzer }}
continue-on-error: true
with:
url: "${{ matrix.sites.url }}"
output: scans/wappalyzer.json
- name: ZAP Scan
uses: zaproxy/[email protected]
timeout-minutes: 10
if: ${{ matrix.sites.tools.zap }}
continue-on-error: true
with:
token: "" # disable issue creation
rules_file_name: "zap-rules.tsv"
docker_name: "owasp/zap2docker-stable"
target: "${{ matrix.sites.url }}"
cmd_options: "-a"
- name: Lighthouse scan
continue-on-error: true
timeout-minutes: 10
uses: treosh/lighthouse-ci-action@v7
if: ${{ matrix.sites.tools.lighthouse }}
with:
urls: "${{ matrix.sites.url }}"
uploadArtifacts: false
temporaryPublicStorage: false
configPath: "./lighthouserc.json"
- name: Mozilla HTTP Observatory
timeout-minutes: 10
if: ${{ matrix.sites.tools.http }}
continue-on-error: true
uses: SocialGouv/httpobs-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/http.json"
- name: Third-party scripts scan
timeout-minutes: 10
if: ${{ matrix.sites.tools.thirdparties }}
continue-on-error: true
uses: SocialGouv/thirdparties-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/thirdparties.json"
# testssl.sh action needs an hostname to save its output so we build it here
- name: Extract hostname
id: hostname
run: |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
echo "::set-output name=value::$HOSTNAME"
- name: testssl.sh scan
timeout-minutes: 10
continue-on-error: true
uses: "mbogh/[email protected]"
if: ${{ matrix.sites.tools.testssl }}
with:
host: ${{ steps.hostname.outputs.value }}
output: scans
grade: "F"
options: "--fast"
- name: nmap vulnerabilities scan
if: ${{ matrix.sites.tools.nmap }}
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/nmap-action@main"
with:
host: ${{ steps.hostname.outputs.value }}
outputDir: "scans"
outputFile: "nmapvuln.json"
withVulnerabilities: true
raw: false
- name: Nuclei scan
timeout-minutes: 10
continue-on-error: true
uses: "SocialGouv/dashlord-nuclei-action@master"
if: ${{ matrix.sites.tools.nuclei }}
with:
url: ${{ matrix.sites.url }}
output: "scans/nuclei.log"
- name: Updown.io checks
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/updownio-action@main"
if: ${{ matrix.sites.tools.updownio }}
with:
apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
url: ${{ matrix.sites.url }}
output: scans/updownio.json
- name: Dependabot vulnerabilities alerts
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/dependabotalerts-action@main"
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
with:
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/dependabotalerts.json
- name: Code quality alerts
continue-on-error: true
timeout-minutes: 10
uses: "MTES-MCT/codescanalerts-action@main"
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
with:
token: ${{ secrets.CODESCANALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/codescanalerts.json
- uses: SocialGouv/dashlord-actions/save@main
with:
url: ${{ matrix.sites.url }}
- uses: EndBug/add-and-commit@v7
with:
add: '["results"]'
author_name: ${{ secrets.SOCIALGROOVYBOT_NAME }}
author_email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
message: "update: ${{ matrix.sites.url }}"