Skip to content

chore: [SEC-7263] Add dependency-scan GitHub Actions workflow#364

Merged
kinyoklion merged 5 commits intomainfrom
devin/1757606387-add-dependency-scan-workflow
Mar 2, 2026
Merged

chore: [SEC-7263] Add dependency-scan GitHub Actions workflow#364
kinyoklion merged 5 commits intomainfrom
devin/1757606387-add-dependency-scan-workflow

Conversation

@pkaeding
Copy link
Contributor

@pkaeding pkaeding commented Sep 11, 2025
edited by kinyoklion
Loading

BEGIN_COMMIT_OVERRIDE
chore: Add dependency-scan GitHub Actions workflow
END_COMMIT_OVERRIDE

Summary

Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263.

Requirements

  • I have added test coverage for new or changed functionality (N/A - workflow addition)
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions (will be validated via CI)

Related issues

Part of security initiative SEC-7263 to add dependency scanning workflows across LaunchDarkly npm ecosystem repositories.

Describe the solution you've provided

This PR adds a new GitHub Actions workflow (.github/workflows/dependency-scan.yml) that:

  1. Generates Node.js SBOM using launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
  2. Evaluates SBOM against policies using launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
  3. Triggers on pull requests and pushes to main branch
  4. Uses public gh-actions (appropriate for public repositories)

The workflow consists of two sequential jobs:

  • generate-nodejs-sbom: Creates the SBOM artifact
  • evaluate-policy: Evaluates the SBOM against security policies (depends on first job)

Key Review Points

⚠️ Important: This workflow has not been tested locally and needs validation via CI to ensure:

  • The artifact pattern bom-* correctly matches generated SBOM files
  • The workflow runs successfully without configuration issues
  • Policy evaluation completes without violations

Describe alternatives you've considered

  • Using commit-specific versions instead of @main for actions (decided against to follow established org patterns)
  • Different trigger configurations (current setup matches standard LaunchDarkly practices)

Additional context

Note

Low Risk
Low risk: adds a new GitHub Actions workflow only, though it may affect CI signal/required checks on PRs and main pushes.

Overview
Introduces a new GitHub Actions workflow, dependency-scan.yml, that runs on pull requests and pushes to main.

The workflow reuses LaunchDarkly’s centralized launchdarkly/gh-actions dependency scan workflow configured for nodejs, inheriting repository secrets.

Written by Cursor Bugbot for commit 24d3d4b. This will update automatically on new commits. Configure here.

@devin-ai-integration @pkaeding
feat: [SEC-7263] Add dependency-scan GitHub Actions workflow
b709028 
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263.
Add policy evaluation step with bom-* artifacts pattern.
Configure triggers for pull requests and main branch pushes.

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@pkaeding pkaeding requested a review from a team as a code owner September 11, 2025 16:01
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Sep 11, 2025

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration bot and others added 4 commits September 11, 2025 16:10
@devin-ai-integration @pkaeding
fix: use pinned SHA for actions/checkout instead of version tag
bc04fb7 
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332
instead of actions/checkout@v4 version tag.

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@devin-ai-integration @pkaeding
fix: use correct pinned SHA for actions/checkout@v4
68b090c 
Address GitHub comment from kinyoklion requesting correct SHA.
Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of
692973e3d937129bcbf40652eb9f2f61becf3332.

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@devin-ai-integration @pkaeding
chore: standardize to use reusable workflow from gh-actions
aa82112 
Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@kinyoklion
Merge branch 'main' into devin/1757606387-add-dependency-scan-workflow
24d3d4b
@kinyoklion kinyoklion merged commit 5f7c979 into main Mar 2, 2026
4 checks passed
@kinyoklion kinyoklion deleted the devin/1757606387-add-dependency-scan-workflow branch March 2, 2026 19:18
@kinyoklion kinyoklion changed the title feat: [SEC-7263] Add dependency-scan GitHub Actions workflow chore: [SEC-7263] Add dependency-scan GitHub Actions workflow Mar 2, 2026
@github-actions github-actions bot mentioned this pull request Mar 2, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kinyoklion kinyoklion kinyoklion approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pkaeding @kinyoklion