.github/workflows/scans.yml

name: DashLord scans

on:
  workflow_dispatch:
    inputs:
      url:
        description: "Single url to scan or scan all urls"
        required: false
        default: ""
  schedule:
    - cron: "0 0 * * 0" # see https://crontab.guru
  push:
    branches:
      - master
      - main
    paths:
      - 'dashlord.yaml'
      - 'dashlord.yml'
      - 'urls.txt'

# allow only one concurrent scan action
concurrency:
  cancel-in-progress: true
  group: scans
  
jobs:
  init:
    runs-on: ubuntu-latest
    name: Prepare
    outputs:
      sites: ${{ steps.init.outputs.sites }}
      config: ${{ steps.init.outputs.config }}
    steps:
      - uses: actions/checkout@v2
      - id: init
        uses: "SocialGouv/dashlord-actions/init@main"
        with:
          url: ${{ github.event.inputs.url }}

  scans:
    runs-on: ubuntu-latest
    name: Scan
    needs: init
    continue-on-error: true
    strategy:
      fail-fast: false
      max-parallel: 3
      matrix:
        sites: ${{ fromJson(needs.init.outputs.sites) }}
    steps:
      - uses: actions/checkout@v2

      - run: |
          mkdir scans

      - uses: actions/cache@v2
        with:
          path: "**/node_modules"
          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

      - name: Detect 404s
        continue-on-error: true
        uses: "socialgouv/detect-404-action@master"
        if: ${{ matrix.sites.tools['404'] }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/404.json

      - name: Screenshot Website
        uses: swinton/screenshot-website@v1.x
        if: ${{ matrix.sites.tools.screenshot }}
        timeout-minutes: 10
        with:
          source: "${{ matrix.sites.url }}"
          destination: screenshot.jpeg

      - name: Stats page
        continue-on-error: true
        uses: "MTES-MCT/stats-action@main"
        if: ${{ matrix.sites.tools.stats }}
        with:
          url: ${{ matrix.sites.url }}
          uri: 'stats'
          output: scans/stats.json

      - name: Wappalyzer scan
        uses: "socialgouv/wappalyzer-action@master"
        timeout-minutes: 10
        if: ${{ matrix.sites.tools.wappalyzer }}
        continue-on-error: true
        with:
          url: "${{ matrix.sites.url }}"
          output: scans/wappalyzer.json

      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.4.0
        timeout-minutes: 10
        if: ${{ matrix.sites.tools.zap }}
        continue-on-error: true
        with:
          token: "" # disable issue creation
          rules_file_name: "zap-rules.tsv"
          docker_name: "owasp/zap2docker-stable"
          target: "${{ matrix.sites.url }}"
          cmd_options: "-a"

      - name: Lighthouse scan
        continue-on-error: true
        timeout-minutes: 10
        uses: treosh/lighthouse-ci-action@v7
        if: ${{ matrix.sites.tools.lighthouse }}
        with:
          urls: "${{ matrix.sites.url }}"
          uploadArtifacts: false
          temporaryPublicStorage: false
          configPath: "./lighthouserc.json"

      - name: Mozilla HTTP Observatory
        timeout-minutes: 10
        if: ${{ matrix.sites.tools.http }}
        continue-on-error: true
        uses: SocialGouv/httpobs-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/http.json"

      - name: Third-party scripts scan
        timeout-minutes: 10
        if: ${{ matrix.sites.tools.thirdparties }}
        continue-on-error: true
        uses: SocialGouv/thirdparties-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/thirdparties.json"

      # testssl.sh action needs an hostname to save its output so we build it here
      - name: Extract hostname
        id: hostname
        run: |
          HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
          echo "::set-output name=value::$HOSTNAME"

      - name: testssl.sh scan
        timeout-minutes: 10
        continue-on-error: true
        uses: "mbogh/test-ssl-action@v1.1"
        if: ${{ matrix.sites.tools.testssl }}
        with:
          host: ${{ steps.hostname.outputs.value }}
          output: scans
          grade: "F"
          options: "--fast"
          
      - name: nmap vulnerabilities scan
        if: ${{ matrix.sites.tools.nmap }}
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/nmap-action@main"
        with:
          host: ${{ steps.hostname.outputs.value }}
          outputDir: "scans"
          outputFile: "nmapvuln.json"
          withVulnerabilities: true
          raw: false

      - name: Nuclei scan
        timeout-minutes: 10
        continue-on-error: true
        uses: "SocialGouv/dashlord-nuclei-action@master"
        if: ${{ matrix.sites.tools.nuclei }}
        with:
          url: ${{ matrix.sites.url }}
          output: "scans/nuclei.log"

      - name: Updown.io checks
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/updownio-action@main"
        if: ${{ matrix.sites.tools.updownio }}
        with:
          apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
          url: ${{ matrix.sites.url }}
          output: scans/updownio.json

      - name: Dependabot vulnerabilities alerts
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/dependabotalerts-action@main"
        if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
        with:
          token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
          repositories: ${{ join(matrix.sites.repositories) }}
          output: scans/dependabotalerts.json
          
      - name: Code quality alerts
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/codescanalerts-action@main"
        if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
        with:
          token: ${{ secrets.CODESCANALERTS_TOKEN }}
          repositories: ${{ join(matrix.sites.repositories) }}
          output: scans/codescanalerts.json

      - uses: SocialGouv/dashlord-actions/save@main
        with:
          url: ${{ matrix.sites.url }}

      - uses: EndBug/add-and-commit@v7
        with:
          add: '["results"]'
          author_name: ${{ secrets.SOCIALGROOVYBOT_NAME }}
          author_email: ${{ secrets.SOCIALGROOVYBOT_EMAIL }}
          message: "update: ${{ matrix.sites.url }}"