Skip to content

Commit 5f7c979

Browse files
pkaedingdevin-ai-integration[bot]kinyoklion
authored
feat: [SEC-7263] Add dependency-scan GitHub Actions workflow (#364)
## Summary Adds a GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against security policies as part of SEC-7263. **Requirements** - [ ] I have added test coverage for new or changed functionality (N/A - workflow addition) - [ ] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [ ] I have validated my changes against all supported platform versions (will be validated via CI) **Related issues** Part of security initiative SEC-7263 to add dependency scanning workflows across LaunchDarkly npm ecosystem repositories. **Describe the solution you've provided** This PR adds a new GitHub Actions workflow (`.github/workflows/dependency-scan.yml`) that: 1. **Generates Node.js SBOM** using `launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main` 2. **Evaluates SBOM against policies** using `launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main` 3. **Triggers on pull requests and pushes to main branch** 4. **Uses public gh-actions** (appropriate for public repositories) The workflow consists of two sequential jobs: - `generate-nodejs-sbom`: Creates the SBOM artifact - `evaluate-policy`: Evaluates the SBOM against security policies (depends on first job) **Key Review Points** ⚠️ **Important**: This workflow has not been tested locally and needs validation via CI to ensure: - The artifact pattern `bom-*` correctly matches generated SBOM files - The workflow runs successfully without configuration issues - Policy evaluation completes without violations **Describe alternatives you've considered** - Using commit-specific versions instead of `@main` for actions (decided against to follow established org patterns) - Different trigger configurations (current setup matches standard LaunchDarkly practices) **Additional context** - Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b - Requested by: @pkaeding - Part of systematic rollout across LaunchDarkly npm repositories - Uses public `gh-actions` repository (appropriate for public repos vs private `common-actions`) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk: adds a new GitHub Actions workflow only, though it may affect CI signal/required checks on PRs and main pushes. > > **Overview** > Introduces a new GitHub Actions workflow, `dependency-scan.yml`, that runs on pull requests and pushes to `main`. > > The workflow reuses LaunchDarkly’s centralized `launchdarkly/gh-actions` dependency scan workflow configured for `nodejs`, inheriting repository secrets. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 24d3d4b. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
1 parent 47891af commit 5f7c979

1 file changed

Lines changed: 14 additions & 0 deletions

File tree

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
name: Dependency Scan
2+
3+
on:
4+
pull_request:
5+
push:
6+
branches:
7+
- main
8+
9+
jobs:
10+
dependency-scan:
11+
uses: launchdarkly/gh-actions/.github/workflows/dependency-scan.yml@main
12+
with:
13+
types: 'nodejs'
14+
secrets: inherit

0 commit comments

Comments
 (0)