feat: [SEC-7263] Add dependency-scan GitHub Actions workflow #364
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332 instead of actions/checkout@v4 version tag. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Address GitHub comment from kinyoklion requesting correct SHA. Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of 692973e3d937129bcbf40652eb9f2f61becf3332. Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263.
Requirements
Related issues
Part of security initiative SEC-7263 to add dependency scanning workflows across LaunchDarkly npm ecosystem repositories.
Describe the solution you've provided
This PR adds a new GitHub Actions workflow (
.github/workflows/dependency-scan.yml) that:launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@mainlaunchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@mainThe workflow consists of two sequential jobs:
generate-nodejs-sbom: Creates the SBOM artifactevaluate-policy: Evaluates the SBOM against security policies (depends on first job)Key Review Points
bom-*correctly matches generated SBOM filesDescribe alternatives you've considered
@mainfor actions (decided against to follow established org patterns)Additional context
gh-actionsrepository (appropriate for public repos vs privatecommon-actions)