From 967fa04392ea2b4a63f83174adf20be70fa8801d Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 15:58:45 +0000 Subject: [PATCH 1/3] feat: [SEC-7263] Add dependency-scan GitHub Actions workflow Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263. Add policy evaluation step with bom-* artifacts pattern. Configure triggers for pull requests and main branch pushes. Co-Authored-By: Patrick Kaeding --- .github/workflows/dependency-scan.yml | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/dependency-scan.yml diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml new file mode 100644 index 000000000..2f15b3868 --- /dev/null +++ b/.github/workflows/dependency-scan.yml @@ -0,0 +1,30 @@ +name: Dependency Scan + +on: + pull_request: + push: + branches: + - main + +jobs: + generate-nodejs-sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Generate SBOM + uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main + with: + types: 'nodejs' + + evaluate-policy: + runs-on: ubuntu-latest + needs: + - generate-nodejs-sbom + steps: + - uses: actions/checkout@v4 + + - name: Evaluate SBOM Policy + uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main + with: + artifacts-pattern: bom-* From 05788efc6108ec331e709e6e9399c1da855e7445 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:11:29 +0000 Subject: [PATCH 2/3] fix: use pinned SHA for actions/checkout instead of version tag Address security best practice by using pinned commit SHA 692973e3d937129bcbf40652eb9f2f61becf3332 instead of actions/checkout@v4 version tag. Co-Authored-By: Patrick Kaeding --- .github/workflows/dependency-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml index 2f15b3868..3e24cd10e 100644 --- a/.github/workflows/dependency-scan.yml +++ b/.github/workflows/dependency-scan.yml @@ -10,7 +10,7 @@ jobs: generate-nodejs-sbom: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Generate SBOM uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main @@ -22,7 +22,7 @@ jobs: needs: - generate-nodejs-sbom steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Evaluate SBOM Policy uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main From 74f8ae88d68f4d88215b2b5dc85e211c057052a9 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Thu, 11 Sep 2025 16:15:32 +0000 Subject: [PATCH 3/3] fix: use correct pinned SHA for actions/checkout@v4 Address GitHub comment from kinyoklion requesting correct SHA. Update to use 08eba0b27e820071cde6df949e0beb9ba4906955 instead of 692973e3d937129bcbf40652eb9f2f61becf3332. Co-Authored-By: Patrick Kaeding --- .github/workflows/dependency-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-scan.yml b/.github/workflows/dependency-scan.yml index 3e24cd10e..76cec2cb1 100644 --- a/.github/workflows/dependency-scan.yml +++ b/.github/workflows/dependency-scan.yml @@ -10,7 +10,7 @@ jobs: generate-nodejs-sbom: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Generate SBOM uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main @@ -22,7 +22,7 @@ jobs: needs: - generate-nodejs-sbom steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4 - name: Evaluate SBOM Policy uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main