DashLord scans #91

Workflow file for this run

	name: DashLord scans

	on:
	workflow_dispatch:
	inputs:
	url:
	description: "Single url to scan or scan all urls"
	required: false
	default: ""
	tool:
	description: "Single tool to run or use all tools"
	type: choice
	default: all
	options:
	- all
	- codescan
	- dependabot
	- ecoindex
	- lighthouse
	- sonarcloud
	- trivy
	- zap
	- dsfr
	- ecoindex
	push:
	branches:
	- main
	paths:
	- "dashlord.yaml"
	- "dashlord.yml"
	- "urls.txt"
	schedule:
	- cron: "0 0 * * 0" # see https://crontab.guru

	# allow only one concurrent scan action
	concurrency:
	cancel-in-progress: true
	group: scans

	jobs:
	init:
	runs-on: ubuntu-latest
	name: Prepare
	outputs:
	sites: ${{ steps.init.outputs.sites }}
	config: ${{ steps.init.outputs.config }}
	steps:
	- uses: actions/checkout@v4
	- id: init
	uses: "SocialGouv/dashlord-actions/init@v1"
	with:
	url: ${{ github.event.inputs.url }}
	tool: ${{ github.event.inputs.tool }}
	- id: updown-init
	uses: "SocialGouv/dashlord-actions/updown-init@v1"
	env:
	UPDOWNIO_API_KEY: ${{ secrets.UPDOWNIO_API_KEY }}

	scans:
	runs-on: ubuntu-latest
	name: Scan
	needs: init
	continue-on-error: true
	strategy:
	fail-fast: false
	max-parallel: 3
	matrix:
	sites: ${{ fromJson(needs.init.outputs.sites) }}
	steps:
	- uses: actions/checkout@v4

	- run: \|
	mkdir scans

	- uses: actions/cache@v4
	with:
	path: "**/node_modules"
	key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

	- name: dsfr
	continue-on-error: true
	timeout-minutes: 10
	uses: "socialgouv/dashlord-actions/dsfr@v1"
	if: ${{ matrix.sites.tools.dsfr }}
	with:
	url: ${{ matrix.sites.url }}
	output: scans/dsfr.json

	- name: Trivy
	continue-on-error: true
	timeout-minutes: 20
	if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }}
	uses: "SocialGouv/dashlord-actions/trivy@v1"
	with:
	images: ${{ join(matrix.sites.docker) }}
	output: scans/trivy.json

	- name: Nuclei scan
	if: ${{ matrix.sites.tools.nuclei }}
	timeout-minutes: 10
	continue-on-error: true
	uses: "SocialGouv/dashlord-nuclei-action@master"
	with:
	url: ${{ matrix.sites.url }}
	output: "scans/nuclei.log"

	- name: Betagouv API scan
	if: ${{ matrix.sites.tools.betagouv }}
	continue-on-error: true
	timeout-minutes: 10
	id: betagouv
	uses: betagouv/dashlord-startup-action@main
	with:
	id: "${{ matrix.sites.betaId }}"
	output: "scans/betagouv.json"

	- name: ZAP Scan
	if: ${{ matrix.sites.tools.zap }}
	uses: zaproxy/action-baseline@v0.9.0
	timeout-minutes: 30
	with:
	token: "" # disable issue creation
	rules_file_name: "zap-rules.tsv"
	target: "${{ matrix.sites.url }}"
	cmd_options: "-a"
	allow_issue_writing: false

	- name: sonarcloud scan
	if: ${{ matrix.sites.tools.sonarcloud }}
	id: sonarcloud
	continue-on-error: true
	timeout-minutes: 10
	uses: SocialGouv/dashlord-actions/sonarcloud@v1
	with:
	repos: ${{ join(matrix.sites.repositories) }}
	output: "scans/sonarcloud.json"

	- name: Third-party scripts scan
	if: ${{ matrix.sites.tools.thirdparties }}
	id: thirdparties
	continue-on-error: true
	timeout-minutes: 10
	uses: SocialGouv/thirdparties-action@master
	with:
	url: "${{ matrix.sites.url }}"
	output: "scans/thirdparties.json"

	- name: Déclaration a11y
	timeout-minutes: 10
	uses: "socialgouv/dashlord-actions/declaration-a11y@v1"
	if: ${{ matrix.sites.tools['declaration-a11y'] }}
	with:
	url: ${{ matrix.sites.url }}
	output: scans/declaration-a11y.json

	- name: eco-index
	continue-on-error: true
	timeout-minutes: 10
	uses: "socialgouv/dashlord-actions/ecoindex@v1"
	if: ${{ matrix.sites.tools.ecoindex }}
	with:
	url: ${{ matrix.sites.url }}
	output: scans/ecoindex.json

	- name: Déclaration RGPD
	timeout-minutes: 10
	uses: SocialGouv/dashlord-actions/declaration-rgpd@v1
	if: ${{ matrix.sites.tools['declaration-rgpd'] }}
	with:
	thirdparties: ${{ steps.thirdparties.outputs.json }}
	url: ${{ matrix.sites.url }}
	output: scans/declaration-rgpd.json

	- name: Detect 404s
	continue-on-error: true
	timeout-minutes: 10
	uses: "socialgouv/detect-404-action@master"
	if: ${{ matrix.sites.tools['404'] }}
	with:
	url: ${{ matrix.sites.url }}
	output: scans/404.json

	- name: Stats page from beta
	continue-on-error: true
	timeout-minutes: 10
	uses: "betagouv/check-url-action@main"
	if: ${{ matrix.sites.tools.stats }}
	id: stats
	with:
	url: ${{ steps.betagouv.outputs.stats_url }}
	output: scans/stats.json
	minExpectedRegex: ^stat
	exactExpectedRegex: ^stats$

	- name: Stats page retry on url
	continue-on-error: true
	timeout-minutes: 10
	uses: "betagouv/check-url-action@main"
	if: ${{ steps.stats.outcome=='failure' }}
	with:
	url: ${{ format('{0}/stats', matrix.sites.url) }}
	output: scans/stats.json
	minExpectedRegex: ^stat
	exactExpectedRegex: ^stats$

	- name: Budget page from beta
	continue-on-error: true
	timeout-minutes: 10
	uses: "betagouv/check-url-action@main"
	if: ${{ matrix.sites.tools.budget_page }}
	id: budget_page
	with:
	url: ${{ steps.betagouv.outputs.budget_url }}
	output: scans/budget_page.json
	exactExpectedRegex: ^budget$

	- name: Budget page retry on url
	continue-on-error: true
	timeout-minutes: 10
	uses: "betagouv/check-url-action@main"
	if: ${{ steps.budget_page.outcome=='failure' }}
	with:
	url: ${{ format('{0}/budget', matrix.sites.url) }}
	output: scans/budget_page.json
	exactExpectedRegex: ^budget$

	- name: Open Github repository
	continue-on-error: true
	timeout-minutes: 10
	uses: "betagouv/check-url-action@main"
	if: ${{ matrix.sites.tools.betagouv }}
	with:
	url: ${{ steps.betagouv.outputs.github_repository }}
	output: scans/github_repository.json

	- name: Screenshot Website
	uses: swinton/screenshot-website@v1.x
	if: ${{ matrix.sites.tools.screenshot }}
	timeout-minutes: 5
	continue-on-error: true
	with:
	source: "${{ matrix.sites.url }}"
	type: jpeg
	destination: screenshot.jpeg
	width: 1280
	scaleFactor: 0.5

	- name: Wappalyzer scan
	if: ${{ matrix.sites.tools.wappalyzer }}
	uses: "socialgouv/wappalyzer-action@master"
	timeout-minutes: 10
	continue-on-error: true
	with:
	url: "${{ matrix.sites.url }}"
	output: scans/wappalyzer.json

	# https://github.com/treosh/lighthouse-ci-action#inputs
	- name: Lighthouse scan
	if: ${{ matrix.sites.tools.lighthouse }}
	timeout-minutes: 10
	uses: socialgouv/dashlord-actions/lhci@v1
	with:
	url: "${{ join(matrix.sites.subpages, ',') }}"

	- name: Mozilla HTTP Observatory
	if: ${{ matrix.sites.tools.http }}
	timeout-minutes: 10
	id: http
	continue-on-error: true
	uses: SocialGouv/httpobs-action@master
	with:
	url: "${{ matrix.sites.url }}"
	output: "scans/http.json"

	- name: Mozilla HTTP Observatory retry
	if: steps.http.outcome=='failure'
	continue-on-error: true
	timeout-minutes: 10
	uses: SocialGouv/httpobs-action@master
	with:
	url: "${{ matrix.sites.url }}"
	output: "scans/http.json"

	# testssl.sh action needs an hostname to save its output so we build it here
	- name: Extract hostname
	id: hostname
	run: \|
	HOSTNAME=$(echo "${{ matrix.sites.url }}" \| sed -e 's/[^/]\/\/$[^@]@$\?$[^:/]$./\2/')
	echo "::set-output name=value::$HOSTNAME"

	- name: testssl.sh scan
	if: ${{ matrix.sites.tools.testssl }}
	timeout-minutes: 10
	continue-on-error: true
	uses: "mbogh/test-ssl-action@v1.1"
	with:
	host: ${{ steps.hostname.outputs.value }}
	output: scans
	grade: "F"
	options: "--fast"

	- name: Updown.io checks
	if: ${{ matrix.sites.tools.updownio }}
	continue-on-error: true
	uses: "MTES-MCT/updownio-action@main"
	with:
	apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
	url: ${{ matrix.sites.url }}
	output: scans/updownio.json

	- name: Dependabot vulnerabilities alerts
	if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
	continue-on-error: true
	uses: "MTES-MCT/dependabotalerts-action@main"
	with:
	token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
	repositories: ${{ join(matrix.sites.repositories) }}
	output: scans/dependabotalerts.json
	maxAlerts: 100
	states: "OPEN"

	- name: Code quality alerts
	if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
	continue-on-error: true
	uses: "MTES-MCT/codescanalerts-action@main"
	with:
	token: ${{ secrets.CODESCANALERTS_TOKEN }}
	repositories: ${{ join(matrix.sites.repositories) }}
	output: scans/codescanalerts.json
	state: open

	- uses: SocialGouv/dashlord-actions/save@v1
	with:
	url: ${{ matrix.sites.url }}
	# only clean up previous stats when all tools runned
	cleanup: ${{ github.event.inputs.tool == 'all' && true \|\| false }}

	- uses: EndBug/add-and-commit@v9
	with:
	add: "results"
	author_name: "incubateur-ademe-admin"
	author_email: "accelerateurdelatransitionecologique@ademe.fr"
	message: "update: ${{ matrix.sites.url }}"
	pull: "--rebase --autostash"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DashLord scans #91

Workflow file

DashLord scans #91

Jobs

Run details

Workflow file for this run