
feat: [SEC-7263] Add dependency-scan GitHub Actions workflow

Open · pkaeding opened this issue 4 months ago · 1 comment

Summary

Adds a GitHub Actions workflow to generate a Software Bill of Materials (SBOM) for Node.js dependencies and evaluate it against security policies as part of SEC-7263.

Requirements

  • [ ] I have added test coverage for new or changed functionality (N/A - workflow addition)
  • [ ] I have followed the repository's pull request submission guidelines
  • [ ] I have validated my changes against all supported platform versions (will be validated via CI)

Related issues

Part of security initiative SEC-7263 to add dependency scanning workflows across LaunchDarkly npm ecosystem repositories.

Describe the solution you've provided

This PR adds a new GitHub Actions workflow (.github/workflows/dependency-scan.yml) that:

  1. Generates a Node.js SBOM using launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main
  2. Evaluates SBOM against policies using launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
  3. Triggers on pull requests and pushes to main branch
  4. Uses public gh-actions (appropriate for public repositories)

The workflow consists of two sequential jobs:

  • generate-nodejs-sbom: Creates the SBOM artifact
  • evaluate-policy: Evaluates the SBOM against security policies (depends on first job)

Key Review Points

⚠️ Important: This workflow has not been tested locally and needs validation via CI to ensure:

  • The artifact pattern bom-* correctly matches generated SBOM files
  • The workflow runs successfully without configuration issues
  • Policy evaluation completes without violations

Describe alternatives you've considered

  • Using commit-specific versions instead of @main for actions (decided against to follow established org patterns)
  • Different trigger configurations (current setup matches standard LaunchDarkly practices)

Additional context

  • Link to Devin run: https://app.devin.ai/sessions/434bb14b7bac4d81b9979b88965be92b
  • Requested by: @pkaeding
  • Part of systematic rollout across LaunchDarkly npm repositories
  • Uses public gh-actions repository (appropriate for public repos vs private common-actions)

pkaeding · Sep 11 '25 16:09
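For readers who want to see the shape of the workflow this PR describes (two sequential jobs, triggered on pull requests and pushes to main, handing an SBOM artifact from the first job to the second), here is an illustrative workflow file. It is an added example, not the `.github/workflows/dependency-scan.yml` from the PR, and it makes several assumptions the page does not state: that the two LaunchDarkly actions need no required inputs, that `generate-sbom` publishes its output as a workflow artifact whose name starts with `bom-` (which is why the second job downloads by that pattern), and that a top-level `permissions: contents: read` block is acceptable; that block is a least-privilege addition of this example, not something the PR description mentions.

```yaml
# Added example, not the PR's own workflow file.
# Assumptions (not stated on the page): the two actions take no required inputs,
# generate-sbom uploads an artifact named bom-<...>, and the explicit download
# step is needed (it is harmless if evaluate-policy fetches the artifact itself).
name: Dependency scan

on:
  pull_request:
  push:
    branches: [main]

# Least-privilege default token: assumption of this example, not from the PR.
permissions:
  contents: read

jobs:
  generate-nodejs-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate Node.js SBOM
        uses: launchdarkly/gh-actions/actions/dependency-scan/generate-sbom@main

  evaluate-policy:
    # Runs only after the SBOM job has succeeded, so the artifact exists.
    needs: generate-nodejs-sbom
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download SBOM artifact(s)
        uses: actions/download-artifact@v4
        with:
          # Glob over artifact names; this is the "bom-*" pattern the PR asks CI to validate.
          pattern: bom-*
          merge-multiple: true
          path: sbom
      - name: Evaluate SBOM against policy
        uses: launchdarkly/gh-actions/actions/dependency-scan/evaluate-policy@main
```

Two things to check when a run of this shape fails: the `pattern: bom-*` download matches nothing if the first job's artifact is named differently (the job will still succeed with an empty `sbom/` directory unless the download step is configured to fail on no match), and the `@main` references mean both jobs execute whatever the `launchdarkly/gh-actions` default branch currently contains. The PR lists pinning those references to a specific commit as the alternative it considered; a full-length commit SHA in place of `@main` is what makes a third-party action reference immutable, at the cost of having to bump it deliberately.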