
Conversation

pkaeding

@pkaeding pkaeding commented Sep 11, 2025

SEC-7263 Add dependency-scan GitHub Actions workflow

Summary

Adds a new GitHub Actions workflow to generate Software Bill of Materials (SBOM) for Node.js dependencies and evaluate them against LaunchDarkly's license policies. This workflow is part of security initiative SEC-7263 to implement dependency scanning across all LaunchDarkly npm ecosystem repositories.

The workflow includes two jobs:

  • generate-nodejs-sbom: Creates SBOM using launchdarkly/gh-actions
  • evaluate-policy: Evaluates generated SBOM against defined license policies

Review & Testing Checklist for Human

  • Test workflow execution: Create a test PR to verify the workflow runs successfully without errors
  • Verify SBOM generation: Confirm the workflow generates valid SBOM artifacts for this repository's minimal dependency set (@launchdarkly/node-server-sdk)
  • Check policy evaluation: Ensure policy evaluation doesn't block legitimate dependencies or flag false positives
  • Validate CI integration: Confirm the new workflow doesn't interfere with existing CI processes or cause build failures

Notes

  • This workflow uses the public launchdarkly/gh-actions repo (appropriate for public repositories)
  • Policy evaluation may detect legitimate license violations - this is expected behavior, not a bug
  • Similar workflows have been implemented across ~16 other LaunchDarkly npm repositories as part of this initiative
  • Requested by: @pkaeding
  • Link to Devin session: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b

Generate Node.js SBOM using launchdarkly/gh-actions for SEC-7263.
Add policy evaluation step with bom-* artifacts pattern.
Configure triggers for pull requests and main branch pushes.

Co-Authored-By: Patrick Kaeding <[email protected]>
@pkaeding pkaeding requested a review from a team as a code owner September 11, 2025 16:24
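The policy-evaluation step the PR describes takes a generated SBOM and decides, per dependency, whether its declared license is acceptable. The script below is an added illustration of that check and is not code from this PR or from the launchdarkly/gh-actions repository; the allow/deny policy, the CycloneDX-shaped sample SBOM, the component names and versions, and the verdict ranking are all constructed here. It handles the cases a real gate has to deal with: a plain SPDX id, an SPDX `OR`/`AND` expression, a component with no license declared at all, and a license given only by free-text name.

```python
"""Evaluate a CycloneDX-style SBOM against a license allow/deny policy.

Added example, not the project's own workflow code. The policy, sample SBOM
and verdict rules are constructed for illustration.
"""
import json
import re

# Constructed policy: SPDX ids that are accepted outright, ids that fail the
# gate, and everything else is routed to manual review.
POLICY = {
    "allow": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD"},
    "deny": {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only",
             "AGPL-3.0-or-later", "SSPL-1.0"},
}

# Constructed sample SBOM in CycloneDX JSON shape, trimmed to the fields used.
# Versions and the non-SDK package names are made up for the example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "@launchdarkly/node-server-sdk", "version": "9.0.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "dual-licensed-lib", "version": "1.0.0",
         "licenses": [{"expression": "(MIT OR GPL-3.0-only)"}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0"},
        {"type": "library", "name": "copyleft-thing", "version": "2.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "named-only", "version": "3.1.4",
         "licenses": [{"license": {"name": "Custom Corp License"}}]},
    ],
})

RANK = {"allowed": 0, "review": 1, "denied": 2}


def _verdict(ids, require_all):
    """Apply the allow/deny sets to a group of license ids.

    require_all=True models an AND expression (every id must be allowed);
    False models an OR expression (one allowed alternative is enough).
    Returns (verdict, reason).
    """
    allowed = [i for i in ids if i in POLICY["allow"]]
    denied = [i for i in ids if i in POLICY["deny"]]
    if require_all:
        if denied:
            return "denied", "denied license(s): " + ", ".join(denied)
        if len(allowed) == len(ids):
            return "allowed", "all licenses on the allow list"
        unknown = [i for i in ids if i not in POLICY["allow"]]
        return "review", "unrecognised license(s): " + ", ".join(unknown)
    if allowed:
        return "allowed", "allowed alternative available: " + allowed[0]
    if denied and len(denied) == len(ids):
        return "denied", "only denied choices: " + ", ".join(denied)
    return "review", "no allowed choice among: " + ", ".join(ids)


def classify(component):
    """Return (verdict, reason) for one SBOM component."""
    entries = component.get("licenses", [])
    if not entries:
        # Missing metadata is the common silent failure: never treat it as allowed.
        return "review", "no license declared"
    verdicts = []
    for entry in entries:
        if "expression" in entry:
            expr = entry["expression"]
            if " AND " in expr and " OR " in expr:
                verdicts.append(("review", "mixed expression needs manual review: " + expr))
                continue
            ids = [t.strip() for t in re.split(r"\s+(?:AND|OR)\s+|[()]", expr) if t.strip()]
            verdicts.append(_verdict(ids, require_all=" OR " not in expr))
        else:
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name") or ""
            verdicts.append(_verdict([ident], True) if ident else ("review", "empty license entry"))
    # Several entries on one component: be conservative and keep the worst verdict.
    return max(verdicts, key=lambda v: RANK[v[0]])


def evaluate_sbom(sbom_json, fail_on_review=False):
    """Return (report, passed): a per-component verdict map and the gate result.

    By default only 'denied' fails the gate; 'review' items are surfaced in the
    report so a human can resolve them without blocking every PR.
    """
    sbom = json.loads(sbom_json)
    report = {}
    for comp in sbom.get("components", []):
        report[comp["name"] + "@" + comp["version"]] = classify(comp)
    blocking = {"denied"} | ({"review"} if fail_on_review else set())
    passed = not any(v in blocking for v, _ in report.values())
    return report, passed


if __name__ == "__main__":
    report, passed = evaluate_sbom(SAMPLE_SBOM)
    for key, (verdict, reason) in report.items():
        print(f"{verdict:8} {key}: {reason}")
    print("policy gate:", "PASS" if passed else "FAIL")
```

Run stand-alone it prints one line per component and the overall gate result; the sample SBOM fails only because of the AGPL component, while the undeclared and free-text licenses land in the review bucket rather than silently passing. The `fail_on_review` switch is the knob a repository would tighten once its review backlog is clean.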

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
