Skip to content
DashLord scans

DashLord scans #144

Sign in to view logs

DashLord scans

DashLord scans #144

Workflow file for this run

.github/workflows/scans.yml at bb6d49e
name: DashLord scans
on:
workflow_dispatch:
inputs:
url:
description: "Single url to scan or scan all urls"
required: false
default: ""
push:
branches:
- master
- main
paths:
- "dashlord.yaml"
- "dashlord.yml"
- "urls.txt"
schedule:
- cron: "0 0 * * 0" # see https://crontab.guru
jobs:
init:
runs-on: ubuntu-latest
name: Prepare
outputs:
sites: ${{ steps.init.outputs.sites }}
config: ${{ steps.init.outputs.config }}
steps:
- uses: actions/checkout@v2
- id: init
uses: "SocialGouv/dashlord-actions/init@v1"
with:
url: ${{ github.event.inputs.url }}
scans:
runs-on: ubuntu-latest
name: Scan
needs: init
continue-on-error: true
strategy:
fail-fast: false
max-parallel: 3
matrix:
sites: ${{ fromJson(needs.init.outputs.sites) }}
steps:
- uses: actions/checkout@v2
- run: |
mkdir scans
- uses: actions/cache@v2
with:
path: "**/node_modules"
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}
- name: Déclaration a11y
continue-on-error: true
uses: "socialgouv/dashlord-actions/declaration-a11y@v1"
if: ${{ matrix.sites.tools['declaration-a11y'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/declaration-a11y.json
- name: Trivy GHCR
continue-on-error: true
uses: "socialgouv/dashlord-actions/trivy-ghcr@v1"
if: ${{ matrix.sites.tools['trivy'] && matrix.sites.repositories }}
with:
repos: ${{ join(matrix.sites.repositories) }}
output: scans/trivy.json
- name: Detect 404s
continue-on-error: true
uses: "socialgouv/detect-404-action@master"
if: ${{ matrix.sites.tools['404'] }}
with:
url: ${{ matrix.sites.url }}
output: scans/404.json
- name: Stats page
continue-on-error: true
uses: "MTES-MCT/stats-action@main"
if: ${{ matrix.sites.tools.stats }}
with:
url: ${{ matrix.sites.url }}
uri: "stats"
output: scans/stats.json
- name: Screenshot Website
uses: swinton/[email protected]
if: ${{ matrix.sites.tools.screenshot }}
timeout-minutes: 10
continue-on-error: true
with:
source: "${{ matrix.sites.url }}"
type: jpeg
destination: screenshot.jpeg
width: 1280
scaleFactor: 0.5
- name: Wappalyzer scan
if: ${{ matrix.sites.tools.wappalyzer }}
uses: "socialgouv/wappalyzer-action@master"
continue-on-error: true
with:
url: "${{ matrix.sites.url }}"
output: scans/wappalyzer.json
- name: ZAP Scan
if: ${{ matrix.sites.tools.zap }}
uses: zaproxy/[email protected]
continue-on-error: true
with:
token: "" # disable issue creation
rules_file_name: "zap-rules.tsv"
docker_name: "owasp/zap2docker-stable"
target: "${{ matrix.sites.url }}"
cmd_options: "-a"
allow_issue_writing: false
- name: Lighthouse scan
if: ${{ matrix.sites.tools.lighthouse }}
continue-on-error: true
uses: treosh/lighthouse-ci-action@v8
with:
urls: "${{ matrix.sites.url }}"
uploadArtifacts: false
temporaryPublicStorage: false
configPath: "./lighthouserc.json"
- name: Mozilla HTTP Observatory
if: ${{ matrix.sites.tools.http }}
continue-on-error: true
uses: SocialGouv/httpobs-action@master
with:
url: "${{ matrix.sites.url }}"
output: "scans/http.json"
- name: Third-party scripts scan
if: ${{ matrix.sites.tools.thirdparties }}
continue-on-error: true
uses: SocialGouv/thirdparties-action@master
id: thirdparties
with:
url: "${{ matrix.sites.url }}"
output: "scans/thirdparties.json"
- name: Déclaration RGPD
continue-on-error: true
uses: SocialGouv/dashlord-actions/declaration-rgpd@v1
if: ${{ matrix.sites.tools['declaration-rgpd'] }}
with:
thirdparties: ${{ steps.thirdparties.outputs.json }}
url: ${{ matrix.sites.url }}
output: scans/declaration-rgpd.json
# testssl.sh action needs an hostname to save its output so we build it here
- name: Extract hostname
id: hostname
run: |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
echo "::set-output name=value::$HOSTNAME"
- name: testssl.sh scan
if: ${{ matrix.sites.tools.testssl }}
continue-on-error: true
uses: "mbogh/[email protected]"
with:
host: ${{ steps.hostname.outputs.value }}
output: scans
grade: "F"
options: "--fast"
- name: Nuclei scan
if: ${{ matrix.sites.tools.nuclei }}
continue-on-error: true
uses: "SocialGouv/dashlord-nuclei-action@master"
with:
url: ${{ matrix.sites.url }}
output: "scans/nuclei.log"
- name: Updown.io checks
if: ${{ matrix.sites.tools.updownio }}
continue-on-error: true
uses: "MTES-MCT/updownio-action@main"
with:
apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
url: ${{ matrix.sites.url }}
output: scans/updownio.json
- name: Dependabot vulnerabilities alerts
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
continue-on-error: true
uses: "MTES-MCT/dependabotalerts-action@main"
with:
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/dependabotalerts.json
- name: Code quality alerts
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
continue-on-error: true
uses: "MTES-MCT/codescanalerts-action@main"
with:
token: ${{ secrets.CODESCANALERTS_TOKEN }}
repositories: ${{ join(matrix.sites.repositories) }}
output: scans/codescanalerts.json
- uses: SocialGouv/dashlord-actions/save@v1
with:
url: ${{ matrix.sites.url }}
- uses: EndBug/add-and-commit@v7
with:
add: '["results"]'
author_name: ${{ secrets.SOCIALGROOVYBOT_NAME }}
author_email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
message: "update: ${{ matrix.sites.url }}"