feat: [SEC-7263] Add dependency-scan GitHub Actions workflow #135
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes. Co-Authored-By: Patrick Kaeding <[email protected]>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332 instead of actions/checkout@v4 version tag. Co-Authored-By: Patrick Kaeding <[email protected]>
Address GitHub comment from kinyoklion requesting correct SHA. Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of 692973e3d937129bcbf40652eb9f2f61becf3332. Co-Authored-By: Patrick Kaeding <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263.
Requirements
Related issues
Security ticket: SEC-7263
Describe the solution you've provided
This PR adds a new GitHub Actions workflow (
.github/workflows/dependency-scan.yml) that:launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@mainto create a Software Bill of Materials for all Node.js dependencieslaunchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@mainto check the generated SBOM against LaunchDarkly's security policiesThe workflow follows a two-job pattern where SBOM generation runs first, then policy evaluation depends on the generated artifacts.
Critical items for review
artifacts-pattern: bom-*in the evaluate-policy job correctly matches the artifacts generated by the SBOM generation step@maininstead of pinned versions - confirm this aligns with security practiceslaunchdarkly/gh-actionsis the correct action repository for this public repo (vslaunchdarkly/common-actionsfor private repos)Additional context
This change was implemented as part of a systematic rollout of dependency scanning across LaunchDarkly's npm ecosystem repositories. The workflow uses public GitHub Actions (
launchdarkly/gh-actions) since this is a public repository.Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding