Skip to content

feat: [SEC-7263] Add dependency-scan GitHub Actions workflow #328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: [SEC-7263] Add dependency-scan GitHub Actions workflow #328

wants to merge 3 commits into from

Conversation

@pkaeding
Copy link

@pkaeding pkaeding commented Sep 11, 2025

Summary

Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263.

Changes

  • New workflow: .github/workflows/dependency-scan.yml
    • Generates Node.js SBOM using launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
    • Evaluates SBOM against policies using launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
    • Triggers on pull requests and pushes to main branch
    • Uses bom-* artifacts pattern for policy evaluation

Requirements

  • I have added test coverage for new or changed functionality (N/A - workflow addition)
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions (will be validated by CI)

Related issues

Security ticket SEC-7263

Describe the solution you've provided

This workflow implements automated dependency scanning by:

  1. Generating a comprehensive SBOM of all Node.js dependencies
  2. Evaluating the SBOM against LaunchDarkly's security policies
  3. Failing CI if policy violations are detected (e.g., prohibited licenses)

Human Review Checklist

  • Verify bom-* artifacts pattern matches output from generate-sbom action
  • Confirm launchdarkly/gh-actions is correct for this public repository (vs launchdarkly/common-actions)
  • Check workflow triggers are appropriate (PR + main branch pushes)
  • Ensure no security vulnerabilities introduced by workflow configuration

Additional context

  • This workflow uses public actions (launchdarkly/gh-actions) appropriate for public repositories
  • Policy violations will cause CI failures, which is expected behavior for security compliance
  • Part of organization-wide dependency scanning rollout for SEC-7263

Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding

@devin-ai-integration @pkaeding
feat: [SEC-7263] Add dependency-scan GitHub Actions workflow
e07d652 
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263.
Add policy evaluation step with bom-* artifacts pattern.
Configure triggers for pull requests and main branch pushes.

Co-Authored-By: Patrick Kaeding <[email protected]>
@pkaeding pkaeding requested a review from a team as a code owner September 11, 2025 16:04
@devin-ai-integration
Copy link

devin-ai-integration bot commented Sep 11, 2025

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration bot and others added 2 commits September 11, 2025 16:10
@devin-ai-integration @pkaeding
fix: use pinned SHA for actions/checkout instead of version tag
5e42a0b 
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332
instead of actions/checkout@v4 version tag.

Co-Authored-By: Patrick Kaeding <[email protected]>
@devin-ai-integration @pkaeding
fix: use correct pinned SHA for actions/checkout@v4
4fd3cb3 
Address GitHub comment from kinyoklion requesting correct SHA.
Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of
692973e3d937129bcbf40652eb9f2f61becf3332.

Co-Authored-By: Patrick Kaeding <[email protected]>
@pkaeding pkaeding requested a review from a team September 17, 2025 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pkaeding