Skip to content

Commit 94354c4

Browse files
joker23claude
andcommitted
fix(ci): enable corepack in dependency-scan so cdxgen produces a real SBOM
The dependency-scan workflow has been silently broken since it was added (SEC-7263). cdxgen internally runs `yarn install` but corepack was never enabled, so it fell back to system yarn 1.x, failed silently, and produced a 0-component BOM. OPA then evaluated the empty BOM and vacuously passed. - Enable corepack and install deps before the shared generate-sbom action - Add a non-zero component guard so empty scans fail loudly - Document that this workflow checks license compliance, not CVEs Fixes: SDK-2170 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent ef79eac commit 94354c4

1 file changed

Lines changed: 37 additions & 0 deletions

File tree

.github/workflows/dependency-scan.yml

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,12 @@
1+
# Dependency Scan — License Compliance
2+
#
3+
# Generates a CycloneDX SBOM via cdxgen and evaluates it against an OPA/Rego
4+
# license policy. This checks for disallowed licenses (e.g. GPL in a
5+
# proprietary SDK) — it does NOT check for CVEs or security vulnerabilities.
6+
# Vulnerability scanning is handled separately by dependency-review-action.
7+
#
8+
# See: SDK-2170, SEC-7263
9+
110
name: Dependency Scan
211

312
on:
@@ -12,6 +21,22 @@ jobs:
1221
steps:
1322
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1423

24+
# The shared generate-sbom action runs cdxgen, which internally invokes
25+
# `yarn install` to resolve the dependency tree. This repo uses Yarn 3.x
26+
# via corepack (packageManager field in package.json), so corepack must
27+
# be enabled before cdxgen runs. Without this, cdxgen falls back to
28+
# system yarn (1.x), fails silently, and produces a 0-component BOM.
29+
- name: Setup Node with corepack
30+
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
31+
with:
32+
node-version: 20.x
33+
34+
- name: Enable corepack
35+
run: corepack enable
36+
37+
- name: Install dependencies
38+
run: yarn install
39+
1540
- name: Generate SBOM
1641
uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@0a54234f88a428df4163234dbb23ddb7fee8b8ec # main
1742
with:
@@ -28,3 +53,15 @@ jobs:
2853
uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@0a54234f88a428df4163234dbb23ddb7fee8b8ec # main
2954
with:
3055
artifacts-pattern: bom-*
56+
57+
# Guard against silent regression: if cdxgen fails to resolve
58+
# dependencies (e.g. corepack not enabled), the BOM will contain
59+
# 0 components and the policy evaluation vacuously passes.
60+
- name: Verify SBOM contains components
61+
run: |
62+
COMPONENT_COUNT=$(jq '.components | length' bom.json)
63+
echo "SBOM contains $COMPONENT_COUNT components"
64+
if [ "$COMPONENT_COUNT" -eq 0 ]; then
65+
echo "::error::SBOM contains 0 components — the scan produced nothing. Check that corepack is enabled and dependencies are installed."
66+
exit 1
67+
fi

0 commit comments

Comments
 (0)