
pkaeding

Summary

Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263.

Changes

  • New workflow: .github/workflows/dependency-scan.yml
    • Generates Node.js SBOM using launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
    • Evaluates SBOM against policies using launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
    • Triggers on pull requests and pushes to main branch

Requirements

  • I have added test coverage for new or changed functionality (N/A - workflow addition)
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions (will be validated by CI)

Related issues

Security ticket: SEC-7263

Describe the solution you've provided

This implements a two-stage dependency scanning workflow:

  1. Generate SBOM: Creates a software bill of materials for all Node.js dependencies
  2. Evaluate Policy: Analyzes the SBOM against LaunchDarkly's security policies to identify license violations or security issues

The workflow uses LaunchDarkly's public GitHub Actions (gh-actions) since this is a public repository.

Human Review Checklist

Please verify:

  • Action references (launchdarkly/gh-actions/actions/dependency-scan/*@main) are correct and accessible
  • Artifact pattern bom-* matches what the generate-sbom action produces
  • Workflow configuration is appropriate for this monorepo structure
  • No additional permissions or configurations are needed for this repository

Additional context

  • Part of organization-wide initiative to add dependency scanning to all npm ecosystem repositories
  • This workflow will help identify license compliance issues and security vulnerabilities in dependencies
  • Uses public gh-actions repository since js-core is a public repository

Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding

Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263.
Add policy evaluation step with bom-* artifacts pattern.
Configure triggers for pull requests and main branch pushes.

Co-Authored-By: Patrick Kaeding <[email protected]>
@pkaeding pkaeding requested a review from a team as a code owner September 11, 2025 15:59

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring


@launchdarkly/browser size report
This is the brotli compressed size of the ESM build.
Compressed size: 169118 bytes
Compressed size limit: 200000
Uncompressed size: 789399 bytes


@launchdarkly/js-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 24988 bytes
Compressed size limit: 26000
Uncompressed size: 122411 bytes


@launchdarkly/js-client-sdk-common size report
This is the brotli compressed size of the ESM build.
Compressed size: 17636 bytes
Compressed size limit: 20000
Uncompressed size: 90259 bytes


@launchdarkly/js-client-sdk size report
This is the brotli compressed size of the ESM build.
Compressed size: 21721 bytes
Compressed size limit: 25000
Uncompressed size: 74698 bytes

devin-ai-integration bot and others added 2 commits September 11, 2025 16:11
Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332
instead of actions/checkout@v4 version tag.

Co-Authored-By: Patrick Kaeding <[email protected]>
Address GitHub comment from kinyoklion requesting correct SHA.
Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of
692973e3d937129bcbf40652eb9f2f61becf3332.

Co-Authored-By: Patrick Kaeding <[email protected]>
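The two-stage workflow described in the PR body and the SHA pinning applied in the commits above, as an added example that is not code from the js-core repository or from launchdarkly/gh-actions. The workflow text is constructed from the PR description (the real actions' inputs are not shown on the page and are omitted); the checker flags every `uses:` reference that is a tag or branch rather than a full commit SHA, which is the review point raised on actions/checkout@v4.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA."""
import re

# Constructed workflow mirroring the PR description; not the repository's file.
# Action inputs (e.g. the bom-* artifact pattern) are assumed and left out.
WORKFLOW = """\
name: Dependency scan
on:
  pull_request:
  push:
    branches: [main]
jobs:
  generate-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
      - uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
  evaluate-policy:
    needs: generate-sbom
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow: str) -> list[tuple[str, str]]:
    """Return (action, ref) pairs for every remote `uses:` line."""
    pairs = []
    for ref in USES_RE.findall(workflow):
        if ref.startswith(("./", "docker://")):  # local/docker refs carry no git ref
            continue
        action, _, version = ref.partition("@")
        pairs.append((action, version))
    return pairs


def unpinned(workflow: str) -> list[str]:
    """Actions whose ref is a mutable tag or branch instead of a full commit SHA."""
    return [f"{a}@{v}" for a, v in parse_uses(workflow) if not SHA_RE.match(v)]


if __name__ == "__main__":
    for ref in unpinned(WORKFLOW):
        print("not pinned to a commit SHA:", ref)
```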