Skip to content

feat: [SEC-7263] Add dependency-scan GitHub Actions workflow#328

Open
pkaeding wants to merge 3 commits intomainfrom
devin/1757606517-add-dependency-scan-workflow
Open

feat: [SEC-7263] Add dependency-scan GitHub Actions workflow#328
pkaeding wants to merge 3 commits intomainfrom
devin/1757606517-add-dependency-scan-workflow

Conversation

@pkaeding
Copy link

@pkaeding pkaeding commented Sep 11, 2025

Summary

Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263.

Changes

  • New workflow: .github/workflows/dependency-scan.yml
    • Generates Node.js SBOM using launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
    • Evaluates SBOM against policies using launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
    • Triggers on pull requests and pushes to main branch
    • Uses bom-* artifacts pattern for policy evaluation

Requirements

  • I have added test coverage for new or changed functionality (N/A - workflow addition)
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions (will be validated by CI)

Related issues

Security ticket SEC-7263

Describe the solution you've provided

This workflow implements automated dependency scanning by:

  1. Generating a comprehensive SBOM of all Node.js dependencies
  2. Evaluating the SBOM against LaunchDarkly's security policies
  3. Failing CI if policy violations are detected (e.g., prohibited licenses)

Human Review Checklist

  • Verify bom-* artifacts pattern matches output from generate-sbom action
  • Confirm launchdarkly/gh-actions is correct for this public repository (vs launchdarkly/common-actions)
  • Check workflow triggers are appropriate (PR + main branch pushes)
  • Ensure no security vulnerabilities introduced by workflow configuration

Additional context

  • This workflow uses public actions (launchdarkly/gh-actions) appropriate for public repositories
  • Policy violations will cause CI failures, which is expected behavior for security compliance
  • Part of organization-wide dependency scanning rollout for SEC-7263

Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding

@devin-ai-integration @pkaeding
feat: [SEC-7263] Add dependency-scan GitHub Actions workflow
e07d652 
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263.
Add policy evaluation step with bom-* artifacts pattern.
Configure triggers for pull requests and main branch pushes.

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@pkaeding pkaeding requested a review from a team as a code owner September 11, 2025 16:04
@devin-ai-integration
Copy link

devin-ai-integration bot commented Sep 11, 2025

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration bot and others added 2 commits September 11, 2025 16:10
@devin-ai-integration @pkaeding
fix: use pinned SHA for actions/checkout instead of version tag
5e42a0b 
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332
instead of actions/checkout@v4 version tag.

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@devin-ai-integration @pkaeding
fix: use correct pinned SHA for actions/checkout@v4
4fd3cb3 
Address GitHub comment from kinyoklion requesting correct SHA.
Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of
692973e3d937129bcbf40652eb9f2f61becf3332.

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@pkaeding pkaeding requested a review from a team September 17, 2025 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kparkinson-ld kparkinson-ld kparkinson-ld approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pkaeding @kparkinson-ld