DashLord scans #154
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: DashLord scans | |
on: | |
workflow_dispatch: | |
inputs: | |
url: | |
description: "Single url to scan or scan all urls" | |
required: false | |
default: "" | |
schedule: | |
- cron: "0 0 * * 0" # see https://crontab.guru | |
push: | |
branches: | |
- master | |
- main | |
paths: | |
- 'dashlord.yaml' | |
- 'dashlord.yml' | |
- 'urls.txt' | |
# allow only one concurrent scan action | |
concurrency: | |
cancel-in-progress: true | |
group: scans | |
jobs: | |
init: | |
runs-on: ubuntu-latest | |
name: Prepare | |
outputs: | |
sites: ${{ steps.init.outputs.sites }} | |
config: ${{ steps.init.outputs.config }} | |
steps: | |
- uses: actions/checkout@v2 | |
- id: init | |
uses: "SocialGouv/dashlord-actions/init@main" | |
with: | |
url: ${{ github.event.inputs.url }} | |
scans: | |
runs-on: ubuntu-latest | |
name: Scan | |
needs: init | |
continue-on-error: true | |
strategy: | |
fail-fast: false | |
max-parallel: 3 | |
matrix: | |
sites: ${{ fromJson(needs.init.outputs.sites) }} | |
steps: | |
- uses: actions/checkout@v2 | |
- run: | | |
mkdir scans | |
- uses: actions/cache@v2 | |
with: | |
path: "**/node_modules" | |
key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }} | |
- name: Detect 404s | |
continue-on-error: true | |
uses: "socialgouv/detect-404-action@master" | |
if: ${{ matrix.sites.tools['404'] }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: scans/404.json | |
- name: Screenshot Website | |
uses: swinton/screenshot-website@v1.x | |
if: ${{ matrix.sites.tools.screenshot }} | |
timeout-minutes: 10 | |
with: | |
source: "${{ matrix.sites.url }}" | |
destination: screenshot.jpeg | |
- name: Stats page | |
continue-on-error: true | |
uses: "MTES-MCT/stats-action@main" | |
if: ${{ matrix.sites.tools.stats }} | |
with: | |
url: ${{ matrix.sites.url }} | |
uri: 'stats' | |
output: scans/stats.json | |
- name: Wappalyzer scan | |
uses: "socialgouv/wappalyzer-action@master" | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.wappalyzer }} | |
continue-on-error: true | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: scans/wappalyzer.json | |
- name: ZAP Scan | |
uses: zaproxy/action-baseline@v0.4.0 | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.zap }} | |
continue-on-error: true | |
with: | |
token: "" # disable issue creation | |
rules_file_name: "zap-rules.tsv" | |
docker_name: "owasp/zap2docker-stable" | |
target: "${{ matrix.sites.url }}" | |
cmd_options: "-a" | |
- name: Lighthouse scan | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: treosh/lighthouse-ci-action@v7 | |
if: ${{ matrix.sites.tools.lighthouse }} | |
with: | |
urls: "${{ matrix.sites.url }}" | |
uploadArtifacts: false | |
temporaryPublicStorage: false | |
configPath: "./lighthouserc.json" | |
- name: Mozilla HTTP Observatory | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.http }} | |
continue-on-error: true | |
uses: SocialGouv/httpobs-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/http.json" | |
- name: Third-party scripts scan | |
timeout-minutes: 10 | |
if: ${{ matrix.sites.tools.thirdparties }} | |
continue-on-error: true | |
uses: SocialGouv/thirdparties-action@master | |
with: | |
url: "${{ matrix.sites.url }}" | |
output: "scans/thirdparties.json" | |
# testssl.sh action needs an hostname to save its output so we build it here | |
- name: Extract hostname | |
id: hostname | |
run: | | |
HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/') | |
echo "::set-output name=value::$HOSTNAME" | |
- name: testssl.sh scan | |
timeout-minutes: 10 | |
continue-on-error: true | |
uses: "mbogh/test-ssl-action@v1.1" | |
if: ${{ matrix.sites.tools.testssl }} | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
output: scans | |
grade: "F" | |
options: "--fast" | |
- name: nmap vulnerabilities scan | |
if: ${{ matrix.sites.tools.nmap }} | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/nmap-action@main" | |
with: | |
host: ${{ steps.hostname.outputs.value }} | |
outputDir: "scans" | |
outputFile: "nmapvuln.json" | |
withVulnerabilities: true | |
raw: false | |
- name: Nuclei scan | |
timeout-minutes: 10 | |
continue-on-error: true | |
uses: "SocialGouv/dashlord-nuclei-action@master" | |
if: ${{ matrix.sites.tools.nuclei }} | |
with: | |
url: ${{ matrix.sites.url }} | |
output: "scans/nuclei.log" | |
- name: Updown.io checks | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/updownio-action@main" | |
if: ${{ matrix.sites.tools.updownio }} | |
with: | |
apiKey: ${{ secrets.UPDOWNIO_API_KEY }} | |
url: ${{ matrix.sites.url }} | |
output: scans/updownio.json | |
- name: Dependabot vulnerabilities alerts | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/dependabotalerts-action@main" | |
if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }} | |
with: | |
token: ${{ secrets.DEPENDABOTALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/dependabotalerts.json | |
- name: Code quality alerts | |
continue-on-error: true | |
timeout-minutes: 10 | |
uses: "MTES-MCT/codescanalerts-action@main" | |
if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }} | |
with: | |
token: ${{ secrets.CODESCANALERTS_TOKEN }} | |
repositories: ${{ join(matrix.sites.repositories) }} | |
output: scans/codescanalerts.json | |
- uses: SocialGouv/dashlord-actions/save@main | |
with: | |
url: ${{ matrix.sites.url }} | |
- uses: EndBug/add-and-commit@v7 | |
with: | |
add: '["results"]' | |
author_name: ${{ secrets.SOCIALGROOVYBOT_NAME }} | |
author_email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }} | |
message: "update: ${{ matrix.sites.url }}" |