Conversation

pkaeding

Summary

Adds dependency-scan GitHub Actions workflow to generate Software Bill of Materials (SBOM) and evaluate license policies for Node.js dependencies as part of security initiative SEC-7263.

Changes

  • New workflow file: .github/workflows/dependency-scan.yml
  • Two jobs:
    1. generate-nodejs-sbom - Generates SBOM for Node.js dependencies
    2. evaluate-policy - Evaluates SBOM against LaunchDarkly license policies
  • Triggers: Pull requests and pushes to main branch
  • Uses pinned SHA for actions/checkout@v4 following security best practices

Requirements

  • I have added test coverage for new or changed functionality (N/A - workflow file)
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions (Will be validated by CI)

Related issues

Part of security initiative SEC-7263 for adding dependency scanning across LaunchDarkly npm ecosystem repositories.

Human Review Checklist

Critical items to verify:

  • Workflow syntax is correct and jobs have proper dependencies
  • Artifact pattern bom-* in evaluate-policy job matches what generate-sbom produces
  • Uses correct launchdarkly/gh-actions repository (public actions for public repo)
  • Pinned SHA 08eba0b27e820071cde6df949e0beb9ba4906955 is correct for actions/checkout@v4
  • Workflow follows LaunchDarkly security standards

Expected behavior:

  • Workflow should run on PRs and main branch pushes
  • First job generates SBOM file for Node.js dependencies
  • Second job evaluates SBOM against license policies
  • May detect legitimate license policy violations (expected behavior)

Additional context

  • This is part of systematic rollout across LaunchDarkly npm ecosystem repositories
  • Similar workflows already successfully deployed to other repositories in the organization
  • The workflow may detect license policy violations - this is expected behavior, not a failure

Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
Requested by: @pkaeding

Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263.
Add policy evaluation step with bom-* artifacts pattern.
Configure triggers for pull requests and main branch pushes.

Co-Authored-By: Patrick Kaeding <[email protected]>
@pkaeding pkaeding requested a review from a team as a code owner September 11, 2025 16:21
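The security-relevant claim in this PR is that third-party actions are pinned to a full commit SHA rather than a mutable tag, and the review checklist asks a human to confirm that pin. The script below is an added example, not part of this PR and not code from launchdarkly/gh-actions: it audits the `uses:` references in a workflow file and reports any that resolve to a mutable tag or branch, plus any SHA pin that lacks the `# vX` comment a reviewer needs to check it against the upstream tag. The workflow text it runs against is constructed for the example (it borrows the job names and the checkout SHA from the PR description; `example-org/example-action` is a placeholder), and all function names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow for the audit below. It is NOT the PR's
# .github/workflows/dependency-scan.yml; it only reuses the job names,
# trigger set and pinned checkout SHA given in the PR description.
SAMPLE_WORKFLOW = """\
name: dependency-scan
on:
  pull_request:
  push:
    branches: [main]
jobs:
  generate-nodejs-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
      - uses: actions/upload-artifact@v4
        with:
          name: bom-nodejs
  evaluate-policy:
    needs: generate-nodejs-sbom
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/example-action@main  # hypothetical action, constructed
      - uses: ./.github/actions/local-step
"""

# Matches a `uses:` step line, capturing the reference and any trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d")


@dataclass
class UsesRef:
    line_no: int
    action: str          # e.g. "actions/checkout"
    ref: str | None      # text after '@', or None when absent
    comment: str | None  # trailing "# ..." comment, if any
    kind: str            # "sha", "tag", "branch", "unpinned", "local" or "docker"


def classify(action: str, ref: str | None) -> str:
    """Classify how a `uses:` reference is pinned."""
    if action.startswith("./"):
        return "local"      # action in this repo: fixed by the checkout itself
    if action.startswith("docker://"):
        return "docker"     # container image: pin by digest separately
    if ref is None:
        return "unpinned"   # no '@' at all: resolves to the default branch
    if FULL_SHA_RE.match(ref):
        return "sha"        # immutable commit pin
    if SEMVER_TAG_RE.match(ref):
        return "tag"        # mutable: the tag can be moved upstream
    return "branch"         # branch name or abbreviated ref: mutable


def audit_workflow(text: str) -> list[UsesRef]:
    """Extract every `uses:` reference from workflow YAML text."""
    refs: list[UsesRef] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip("'\"")
        action, sep, ref = value.partition("@")
        ref_or_none = ref if sep else None
        refs.append(UsesRef(line_no, action, ref_or_none, m.group(2),
                            classify(action, ref_or_none)))
    return refs


def findings(refs: list[UsesRef]) -> list[str]:
    """Report mutable pins, and SHA pins with no human-readable version comment."""
    out: list[str] = []
    for r in refs:
        if r.kind in ("tag", "branch", "unpinned"):
            out.append(f"line {r.line_no}: {r.action}@{r.ref or ''} is pinned to a "
                       f"mutable ref ({r.kind}); pin to a full commit SHA")
        elif r.kind == "sha" and not (r.comment and VERSION_COMMENT_RE.search(r.comment)):
            out.append(f"line {r.line_no}: {r.action}@{r.ref[:12]}... has no '# vX' "
                       f"comment recording the intended version")
    return out


if __name__ == "__main__":
    for msg in findings(audit_workflow(SAMPLE_WORKFLOW)):
        print(msg)
```

Run it over a real file with `audit_workflow(open(path).read())`. Confirming that a SHA really corresponds to the tag named in its comment needs the upstream repository: `git ls-remote --tags https://github.com/actions/checkout` lists each tag with the commit it points to (the `^{}` line for annotated tags), and the SHA in the pin should appear there beside the expected tag.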
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
