.github/workflows/scans.yml

name: DashLord scans

on:
  workflow_dispatch:
    inputs:
      url:
        description: "Single url to scan or scan all urls"
        required: false
        default: ""
      tool:
        description: "Single tool to run or use all tools"
        type: choice
        default: all
        options:
          - all
          - codescan
          - dependabot
          - ecoindex
          - lighthouse
          - sonarcloud
          - trivy
          - zap
          - ecoindex
          - dsfr
          - declaration-a11y
          - declaration-rgpd
  schedule:
    - cron: "0 0 * * 0" # At 00:00 on Sunday

jobs:
  init:
    runs-on: ubuntu-latest
    name: Prepare
    outputs:
      sites: ${{ steps.init.outputs.sites }}
      config: ${{ steps.init.outputs.config }}
    steps:
      - uses: actions/checkout@v4
      - id: init
        uses: "SocialGouv/dashlord-actions/init@v1"
        with:
          url: ${{ github.event.inputs.url }}
          tool: ${{ github.event.inputs.tool }}
      - id: updown-init
        uses: "SocialGouv/dashlord-actions/updown-init@v1"
        env:
          UPDOWNIO_API_KEY: ${{ secrets.UPDOWNIO_API_KEY }}
  scans:
    runs-on: ubuntu-latest
    name: Scan
    needs: init
    continue-on-error: true
    strategy:
      fail-fast: false
      max-parallel: 3
      matrix:
        sites: ${{ fromJson(needs.init.outputs.sites) }}
    steps:
      - uses: actions/checkout@v4

      - run: |
          mkdir scans

      - uses: actions/cache@v4
        with:
          path: "**/node_modules"
          key: ${{ runner.os }}-modules-${{ hashFiles('**/yarn.lock') }}

      - name: dsfr
        continue-on-error: true
        timeout-minutes: 10
        uses: "socialgouv/dashlord-actions/dsfr@v1"
        if: ${{ matrix.sites.tools.dsfr }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/dsfr.json

      - name: eco-index
        continue-on-error: true
        timeout-minutes: 10
        uses: "socialgouv/dashlord-actions/ecoindex@v1"
        if: ${{ matrix.sites.tools.ecoindex }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/ecoindex.json

      - name: Screenshot Website
        if: ${{ matrix.sites.tools.screenshot }}
        uses: swinton/screenshot-website@v1.x
        continue-on-error: true
        timeout-minutes: 10
        with:
          source: "${{ matrix.sites.url }}"
          type: jpeg
          destination: screenshot.jpeg
          width: 1280
          scaleFactor: 0.5

      - name: Déclaration a11y
        continue-on-error: true
        timeout-minutes: 10
        uses: "socialgouv/dashlord-actions/declaration-a11y@v1"
        if: ${{ matrix.sites.tools['declaration-a11y'] }}
        with:
          url: ${{ matrix.sites.url }}
          output: scans/declaration-a11y.json

      - name: Wappalyzer scan
        if: ${{ matrix.sites.tools.wappalyzer }}
        uses: "socialgouv/wappalyzer-action@master"
        continue-on-error: true
        timeout-minutes: 10
        with:
          url: "${{ matrix.sites.url }}"
          output: scans/wappalyzer.json

      - name: ZAP Scan
        if: ${{ matrix.sites.tools.zap }}
        uses: zaproxy/action-baseline@v0.4.0
        continue-on-error: true
        timeout-minutes: 10
        with:
          token: "" # disable issue creation
          rules_file_name: "zap-rules.tsv"
          docker_name: "owasp/zap2docker-stable"
          target: "${{ matrix.sites.url }}"
          cmd_options: "-a"

      - name: Lighthouse scan
        if: ${{ matrix.sites.tools.lighthouse }}
        continue-on-error: true
        timeout-minutes: 20
        uses: SocialGouv/dashlord-actions/lhci@v1
        with:
          url: "${{ join(matrix.sites.subpages, ',') }}"

      - name: Mozilla HTTP Observatory
        if: ${{ matrix.sites.tools.http }}
        continue-on-error: true
        id: http
        timeout-minutes: 10
        uses: SocialGouv/httpobs-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/http.json"

      - name: Mozilla HTTP Observatory retry
        if: steps.http.outcome=='failure'
        continue-on-error: true
        timeout-minutes: 10
        uses: SocialGouv/httpobs-action@master
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/http.json"

      - name: Third-party scripts scan
        if: ${{ matrix.sites.tools.thirdparties }}
        continue-on-error: true
        timeout-minutes: 10
        uses: SocialGouv/thirdparties-action@master
        id: thirdparties
        with:
          url: "${{ matrix.sites.url }}"
          output: "scans/thirdparties.json"

      - name: Déclaration RGPD
        continue-on-error: true
        uses: SocialGouv/dashlord-actions/declaration-rgpd@v1
        if: ${{ matrix.sites.tools['declaration-rgpd'] }}
        with:
          thirdparties: ${{ steps.thirdparties.outputs.json }}
          url: ${{ matrix.sites.url }}
          output: scans/declaration-rgpd.json

      # testssl.sh action needs an hostname to save its output so we build it here
      - name: Extract hostname
        id: hostname
        run: |
          HOSTNAME=$(echo "${{ matrix.sites.url }}" | sed -e 's/[^/]*\/\/\([^@]*@\)\?\([^:/]*\).*/\2/')
          echo "::set-output name=value::$HOSTNAME"

      - name: testssl.sh scan
        if: ${{ matrix.sites.tools.testssl }}
        continue-on-error: true
        timeout-minutes: 10
        uses: "mbogh/test-ssl-action@v1.1"
        with:
          host: ${{ steps.hostname.outputs.value }}
          output: scans
          grade: "F"
          options: "--fast"

      - name: nmap vulnerabilities scan
        if: ${{ matrix.sites.tools.nmap }}
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/nmap-action@main"
        with:
          host: ${{ steps.hostname.outputs.value }}
          outputDir: "scans"
          outputFile: "nmapvuln.json"
          withVulnerabilities: true
          raw: false

      - name: Nuclei scan
        if: ${{ matrix.sites.tools.nuclei }}
        continue-on-error: true
        timeout-minutes: 10
        uses: "SocialGouv/dashlord-nuclei-action@master"
        with:
          url: ${{ matrix.sites.url }}
          output: "scans/nuclei.log"

      - name: Updown.io checks
        if: ${{ matrix.sites.tools.updownio }}
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/updownio-action@main"
        with:
          apiKey: ${{ secrets.UPDOWNIO_API_KEY }}
          url: ${{ matrix.sites.url }}
          output: scans/updownio.json

      - name: Betagouv API scan
        if: ${{ matrix.sites.tools.betagouv }}
        continue-on-error: true
        timeout-minutes: 10
        id: betagouv
        uses: betagouv/dashlord-startup-action@main
        with:
          id: "${{ matrix.sites.betaId }}"
          output: "scans/betagouv.json"

      - name: Stats page
        continue-on-error: true
        timeout-minutes: 10
        uses: "SocialGouv/dashlord-actions/check-url@v1"
        if: ${{ matrix.sites.tools.stats }}
        with:
          url: ${{ steps.betagouv.outputs.stats_url }}
          output: scans/stats.json

      - name: Budget page
        continue-on-error: true
        timeout-minutes: 10
        uses: "SocialGouv/dashlord-actions/check-url@v1"
        if: ${{ matrix.sites.tools.budget_page }}
        with:
          url: ${{ steps.betagouv.outputs.budget_url }}
          output: scans/budget_page.json

      - name: Open Github repository
        continue-on-error: true
        timeout-minutes: 10
        uses: "SocialGouv/dashlord-actions/check-url@v1"
        if: ${{ matrix.sites.tools.betagouv }}
        with:
          url: ${{ steps.betagouv.outputs.github_repository }}
          output: scans/github_repository.json

      - name: Dependabot vulnerabilities alerts
        continue-on-error: true
        timeout-minutes: 10
        if: ${{ matrix.sites.tools.dependabot && matrix.sites.repositories }}
        uses: "MTES-MCT/dependabotalerts-action@main"
        with:
          token: ${{ secrets.DEPENDABOTALERTS_TOKEN }}
          repositories: ${{ join(matrix.sites.repositories) }}
          output: scans/dependabotalerts.json

      - name: Code quality alerts
        if: ${{ matrix.sites.tools.codescan && matrix.sites.repositories }}
        continue-on-error: true
        timeout-minutes: 10
        uses: "MTES-MCT/codescanalerts-action@main"
        with:
          token: ${{ secrets.CODESCANALERTS_TOKEN }}
          repositories: ${{ join(matrix.sites.repositories) }}
          output: scans/codescanalerts.json

      - uses: SocialGouv/dashlord-actions/save@v1
        with:
          url: ${{ matrix.sites.url }}
          # only clean up previous stats when all tools runned
          cleanup: ${{ github.event.inputs.tool == 'all' && true || false }}

      - uses: EndBug/add-and-commit@v9
        with:
          add: "results"
          author_name: "DashlordBetaGouvBot"
          author_email: "DashlordBetaGouvBot@incubateur.net"
          message: "update: ${{ matrix.sites.url }}"
          pull: "--rebase --autostash"