Commit 5f7c979
feat: [SEC-7263] Add dependency-scan GitHub Actions workflow (#364)
## Summary
Adds a GitHub Actions workflow to generate Software Bill of Materials
(SBOM) for Node.js dependencies and evaluate them against security
policies as part of SEC-7263.
**Requirements**
- [ ] I have added test coverage for new or changed functionality (N/A -
workflow addition)
- [ ] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [ ] I have validated my changes against all supported platform
versions (will be validated via CI)
**Related issues**
Part of security initiative SEC-7263 to add dependency scanning
workflows across LaunchDarkly npm ecosystem repositories.
**Describe the solution you've provided**
This PR adds a new GitHub Actions workflow
(`.github/workflows/dependency-scan.yml`) that:
1. **Generates Node.js SBOM** using
`launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main`
2. **Evaluates SBOM against policies** using
`launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main`
3. **Triggers on pull requests and pushes to main branch**
4. **Uses public gh-actions** (appropriate for public repositories)
The workflow consists of two sequential jobs:
- `generate-nodejs-sbom`: Creates the SBOM artifact
- `evaluate-policy`: Evaluates the SBOM against security policies
(depends on first job)
**Key Review Points**
1 parent 47891af commit 5f7c979
1 file changed
Lines changed: 14 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
0 commit comments