.github/workflows/scans.yml

name: DashLord scans

on:
  workflow_dispatch:
    inputs:
      url:
        description: "Single url to scan or scan all urls"
        required: false
        default: ""
      tool:
        description: "Single tool to run or use all tools"
        type: choice
        default: all
        options:
          - all
          - codescan
          - dependabot
          - ecoindex
          - lighthouse
          - sonarcloud
          - trivy
          - zap
  push:
    branches:
      - master
      - main
    paths:
      - "dashlord.yaml"
      - "dashlord.yml"
      - "urls.txt"
  schedule:
    - cron: "0 0 * * 0" # see https://crontab.guru

# allow only one concurrent scan action
concurrency:
  cancel-in-progress: true
  group: scans

jobs:
  init:
    runs-on: ubuntu-latest
    name: Prepare
    outputs:
      sites: ${{ steps.init.outputs.sites }}
      config: ${{ steps.init.outputs.config }}
    steps:
      - uses: actions/checkout@v3
      - id: init
        uses: "edelagnier/dashlord-actions/init@v1"
        with:
          url: ${{ github.event.inputs.url }}
          tool: ${{ github.event.inputs.tool }}

  scans:
    runs-on: ubuntu-latest
    name: Scan
    needs: init
    continue-on-error: true
    strategy:
      fail-fast: false
      max-parallel: 3
      matrix:
        sites: ${{ fromJson(needs.init.outputs.sites) }}
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.ref }}

      - run: |
          mkdir scans

      - uses: actions/cache@v2
        with:
          path: "**/node_modules"
          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

      - name: sonarcloud scan
        if: ${{ matrix.sites.tools.sonarcloud }}
        id: sonarcloud
        continue-on-error: true
        timeout-minutes: 10
        uses: edelagnier/dashlord-actions/sonarcloud@v1
        with:
          repos: ${{ join(matrix.sites.repositories) }}
          output: "scans/sonarcloud.json"

      - name: Third-party scripts scan
        if: ${{ matrix.sites.tools.thirdparties }}
        id: thirdparties
        continue-on-error: true
        timeout-minutes: 10
        uses: SocialGouv/thirdparties-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/thirdparties.json"

      - name: Déclaration a11y
        timeout-minutes: 10
        uses: "edelagnier/dashlord-actions/declaration-a11y@v1"
        if: ${{ matrix.sites.tools['declaration-a11y'] }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/declaration-a11y.json

      - name: eco-index
        continue-on-error: true
        timeout-minutes: 10
        uses: "edelagnier/dashlord-actions/ecoindex@v1"
        if: ${{ matrix.sites.tools.ecoindex }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/ecoindex.json

      - name: Déclaration RGPD
        timeout-minutes: 10
        uses: edelagnier/dashlord-actions/declaration-rgpd@v1
        if: ${{ matrix.sites.tools['declaration-rgpd'] }}
        with:
          thirdparties: ${{ steps.thirdparties.outputs.json }}
          url: ${{ matrix.sites.url }}
          output: scans/declaration-rgpd.json

      - name: Trivy
        continue-on-error: true
        timeout-minutes: 20
        if: ${{ matrix.sites.tools.trivy && matrix.sites.docker }}
        uses: "edelagnier/dashlord-actions/trivy@v1"
        with:
          images: ${{ join(matrix.sites.docker) }}
          output: scans/trivy.json

      - name: Detect 404s
        continue-on-error: true
        timeout-minutes: 10
        uses: "socialgouv/detect-404-action@master"
        if: ${{ matrix.sites.tools['404'] }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/404.json

      - name: Betagouv API scan
        if: ${{ matrix.sites.tools.betagouv }}
        continue-on-error: true
        timeout-minutes: 10
        id: betagouv
        uses: betagouv/dashlord-startup-action@main
        with:
          id: "${{ matrix.sites.betaId }}"
          output: "scans/betagouv.json"

      - name: Stats page
        timeout-minutes: 10
        uses: "betagouv/check-url-action@main"
        if: ${{ matrix.sites.tools.stats }}
        with:
          url: ${{ steps.betagouv.outputs.stats_url || format('{0}/stats', matrix.sites.url) }}
          output: scans/stats.json
          minExpectedRegex: ^stat
          exactExpectedRegex: ^stats$

      - name: Screenshot Website
        uses: swinton/screenshot-website@v1.x
        if: ${{ matrix.sites.tools.screenshot }}
        timeout-minutes: 5
        continue-on-error: true
        with:
          source: "${{ matrix.sites.url }}"
          type: jpeg
          destination: screenshot.jpeg
          width: 1280
          scaleFactor: 0.5

      - name: Wappalyzer scan
        if: ${{ matrix.sites.tools.wappalyzer }}
        uses: "socialgouv/wappalyzer-action@master"
        timeout-minutes: 10
        continue-on-error: true
        with:
          url: "${{ matrix.sites.url }}"
          output: scans/wappalyzer.json

      - name: ZAP Scan
        if: ${{ matrix.sites.tools.zap }}
        uses: zaproxy/action-baseline@v0.6.1
        timeout-minutes: 10
        with:
          token: "" # disable issue creation
          rules_file_name: "zap-rules.tsv"
          docker_name: "owasp/zap2docker-stable"
          target: "${{ matrix.sites.url }}"
          cmd_options: "-a"
          allow_issue_writing: false

        # https://github.com/treosh/lighthouse-ci-action#inputs
      - name: Lighthouse scan
        if: ${{ matrix.sites.tools.lighthouse }}
        timeout-minutes: 10
        uses: edelagnier/dashlord-actions/lhci@v1
        with:
          url: "${{ join(matrix.sites.subpages, ',') }}"

      - name: Mozilla HTTP Observatory
        if: ${{ matrix.sites.tools.http }}
        timeout-minutes: 10
        id: http
        continue-on-error: true
        uses: SocialGouv/httpobs-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/http.json"

      - name: Mozilla HTTP Observatory retry
        if: steps.http.outcome=='failure'
        continue-on-error: true
        timeout-minutes: 10
        uses: SocialGouv/httpobs-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/http.json"

      # testssl.sh action needs an hostname to save its output so we build it here
      - name: Extract hostname
        id: hostname
        run: |
          HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
          echo "::set-output name=value::$HOSTNAME"

      - name: testssl.sh scan
        if: ${{ matrix.sites.tools.testssl }}
        timeout-minutes: 10
        continue-on-error: true
        uses: "mbogh/test-ssl-action@v1.1"
        with:
          host: ${{ steps.hostname.outputs.value }}
          output: scans
          grade: "F"
          options: "--fast"

      - name: Nuclei scan
        if: ${{ matrix.sites.tools.nuclei }}
        timeout-minutes: 10
        continue-on-error: true
        uses: "SocialGouv/dashlord-nuclei-action@master"
        with:
          url: ${{ matrix.sites.url }}
          output: "scans/nuclei.log"

      - name: Updown.io checks
        if: ${{ matrix.sites.tools.updownio }}
        continue-on-error: true
        uses: "MTES-MCT/updownio-action@main"
        with:
          apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
          url: ${{ matrix.sites.url }}
          output: scans/updownio.json

      - name: Dependabot vulnerabilities alerts
        if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
        continue-on-error: true
        uses: "MTES-MCT/dependabotalerts-action@main"
        with:
          token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
          repositories: ${{ join(matrix.sites.repositories) }}
          output: scans/dependabotalerts.json

      - name: Code quality alerts
        if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
        continue-on-error: true
        uses: "MTES-MCT/codescanalerts-action@main"
        with:
          token: ${{ secrets.CODESCANALERTS_TOKEN }}
          repositories: ${{ join(matrix.sites.repositories) }}
          output: scans/codescanalerts.json

      - uses: edelagnier/dashlord-actions/save@v1
        with:
          url: ${{ matrix.sites.url }}
          # only clean up previous stats when all tools runned
          cleanup: ${{ github.event.inputs.tool == 'all' && true || false }}

      - name: "Commit"
        id: commit1
        continue-on-error: true
        run: |
          git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
          git config --global user.name GitHub
          git add "results"
          git commit -m "update: ${{ matrix.sites.url }}"
          git pull --rebase --no-ff origin ${{ github.ref }}
          git push

      - name: "Commit retry"
        if: steps.commit1.outcome=='failure'
        id: commit2
        continue-on-error: true
        run: |
          git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
          git config --global user.name GitHub
          git add "results"
          git commit -m "update: ${{ matrix.sites.url }}"
          git pull --rebase --no-ff origin ${{ github.ref }}
          git push

      - name: "Commit retry 2"
        if: steps.commit2.outcome=='failure'
        run: |
          git config --global user.email 41898282+github-actions[bot]@users.noreply.github.com
          git config --global user.name GitHub
          git add "results"
          git commit -m "update: ${{ matrix.sites.url }}"
          git pull --rebase --no-ff origin ${{ github.ref }}
          git push